How to write a listener/tap (in Lua) to follow streams inside of a dissected custom protocol?
Hi everyone!
First, I'll try to describe what I am trying to achieve, then what I've tried so far. I'll scatter some questions around, labeled Q[n] - because I'd already be happy if single questions were answered (there's the core problem and there are questions about tips and tricks). Thank you! :)
What I am trying to achieve
I am trying to analyze an application-specific custom protocol which is transported via USB CDC (virtual serial) between a USB host and a USB device. The communication can be recorded using tcpdump -i usbmon.... The USB bulk packets then contain multiple streams of the custom protocol. The following diagram tries to explain what that can look like (three different streams labeled a, b and c):
┌────────────────────┐ ┌───────────────┐ ┌────────────────────┐
│┌───┐┌───┐┌───┐┌───┐│ │┌───┐┌───┐┌───┐│ │┌───┐┌───┐┌───┐┌───┐│
││ a ││ b ││ a ││ b ││ ││ a ││ a ││ c ││ ││ a ││ b ││ a ││ c ││
│└───┘└───┘└───┘└───┘│ │└───┘└───┘└───┘│ │└───┘└───┘└───┘└───┘│
└────────────────────┘ └───────────────┘ └────────────────────┘
  USB bulk packet #1   USB bulk packet #2  USB bulk packet #3
My final goal is to extract the stream data of every stream (illustrated as a, b and c above), extract them from the USB packets and re-concatenate them for further inspection.
In reality, it's a little bit more complicated than in the illustration - but thankfully, I've got a Lua dissector of the encapsulated protocol. When I put the Lua script in my Wireshark plugins folder and open the .pcap file it gets dissected and I can inspect it manually - nice! That also means that
- the "Leftover Capture Data" column is empty,
- the custom protocol's name appears in the "Protocol" column and
- that I can see one or multiple frames of the streams which have been transported in the USB bulk packet.
In my understanding there's already a Wireshark feature called Following Protocol Streams. I've seen that demonstrated for other protocols such as HTTP - and I think that's exactly what I'd like to use. When right-clicking on a decoded packet of the custom protocol, there's no option to choose from in the Follow menu item - which I understand because how should Wireshark know about the semantics of the custom protocol's stream frames. Ideally, I could select "Custom protocol: Stream a", "Custom protocol: Stream b" and "Custom protocol: Stream c" there.
Q1: Is there a tutorial on what to do to extend the feature for custom protocols? Does this require extension/modification of the Lua dissector script?
What I've tried so far
I've stumbled across "Taps" and "Listeners".
Q2: Do these two terms mean the same and hence can be used interchangeably?
I've seen code snippets where "Listener instances" have been called "tap". (FYI: I am not a native speaker of English.)
(Edit2: How to tap protocols shows some C API code and uses the term "tap".)
There are some links which give an idea of what's possible and code snippets of how to write and use them. I'd like to know if I'd be mis-using them to "follow streams" or if this is the proper way ...
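One way a Lua Listener can do the re-concatenation described above, as an added example that is not part of the original post or of the asker's dissector. It assumes the existing dissector registers two fields with the hypothetical names customproto.stream_id and customproto.payload, and that this script is loaded after the dissector (Field.new needs the field to exist, and plugin files load in alphabetical order).

```lua
-- Added example, not from the original post: a Wireshark Lua Listener ("tap")
-- that collects the per-stream frames of a custom protocol out of the USB bulk
-- packets and re-concatenates them per stream id.
-- Hypothetical field names, assumed to be registered by the existing dissector:
--   customproto.stream_id  -- identifies stream a, b, c, ...
--   customproto.payload    -- the stream data carried by one frame
local f_stream_id = Field.new("customproto.stream_id")
local f_payload   = Field.new("customproto.payload")

-- No specific tap name (nil); the display filter restricts delivery to
-- frames that the custom dissector actually handled.
local tap = Listener.new(nil, "customproto")

local streams = {}  -- stream id (as string) -> ByteArray of concatenated payload

function tap.reset()
  streams = {}
end

function tap.packet(pinfo, tvb, tapinfo)
  -- One USB bulk packet may hold several frames, so each extractor returns
  -- one FieldInfo per frame; the i-th id belongs to the i-th payload.
  local ids      = { f_stream_id() }
  local payloads = { f_payload() }
  for i, id in ipairs(ids) do
    local payload = payloads[i]
    if payload then
      local key = tostring(id.value)
      streams[key] = streams[key] or ByteArray.new()
      streams[key]:append(payload.range:bytes())
    end
  end
end

-- draw() runs once all packets have been tapped: summarise each stream in a
-- text window and dump its reassembled bytes to stream_<id>.bin for inspection.
function tap.draw()
  local tw = TextWindow.new("Custom protocol streams")
  local lines = {}
  for key, data in pairs(streams) do
    table.insert(lines, string.format("stream %s: %d bytes", key, data:len()))
    local fh = io.open(string.format("stream_%s.bin", key), "wb")
    if fh then fh:write(data:raw()); fh:close() end
  end
  table.sort(lines)
  tw:set(table.concat(lines, "\n"))
end

-- Tools menu entry that re-runs all taps over the loaded capture.
register_menu("Custom protocol/Extract streams", retap_packets, MENU_TOOLS_UNSORTED)
```

The same Listener also works headless with tshark -X lua_script:extract_streams.lua -r capture.pcap, where draw() runs at end of file and the .bin files land in the current directory.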