Ask Your Question
0

Lua: Stateful dissection and reassembly of fragmented packets

asked 2025-02-26 08:43:21 +0000

rgov gravatar image

updated 2025-02-26 19:53:39 +0000

Consider a UDP-based protocol of length-prefixed Pascal strings (<length: i8><content: i8[]>). The strings might get fragmented across multiple packets, and require reassembly. E.g.,:

0A68656C6C6F  // length: 10, partial content: "hello", remaining bytes: 5
776F726C64    // partial content: "world" => full message: "helloworld"

How could you write a dissector in Lua that can extract reassembled strings? (Assume the first frame in our capture is the start of a new string.)

Unlike dissect_tcp_pdus(), I don't think dissect_udp_pdus() is exposed to Lua. The documentation on pinfo.desegment_len is very sparse, but I don't think it applies here.

There is documentation on reassembling split UDP packets but for the C API. I don't know if any of reassemble.h is available to Lua.

In my testing, it did not work to accumulate incomplete content in a global buffer because the reassembly state is affected by multiple dissection passes.

Previous discussion from 2016, though the solution comes with some caveats.

edit retag flag offensive close merge delete
add a comment

2 Answers

Sort by ยป oldest newest most voted
0

answered 2025-02-28 00:22:07 +0000

rgov gravatar image

I published an example of one way of doing this on my rgov/wireshark-udp-reassembly repository. I'm thinking about writing a blog post; if so I'll post a link here.

Screenshot of Wireshark demonstrating a reassembled PDU

In brief, there is a fragments table that forms a linked list of incomplete fragments. When a packet comes in, we reassemble the previous, incomplete PDU fragments into a buffer, and attempt to parse out a complete PDU.

I tried to implement it such that there's only one function, read_complete_pdu(), which needs to be reimplemented for other protocols.

Note that this does not use the built-in "desegmentation service" by setting pinfo.desegment_len, etc. For one, this is not well documented. Secondly, my reassembly algorithm does not require that you know the length of the complete PDU ahead of time.

edit flag offensive delete link more
add a comment
0

answered 2025-02-26 21:14:45 +0000

Michael S. gravatar image

Hi, having a similar issue like you brought me to this wiki page: https://wiki.wireshark.org/Lua/Exampl...

It seems like in lua you have to work with the pinfo.desegment_len field.

Was that what you were looking for?

edit flag offensive delete link more

Comments

See my newly posted answer for my solution so far. I didn't find pinfo.desegment_len etc. very well-documented, so I didn't use them, but perhaps there is a simpler way.

rgov gravatar imagergov ( 2025-02-28 00:24:47 +0000 )edit
add a comment

Your Answer

Please start posting anonymously - your entry will be published after you log in or create a new account.

Add Answer

Question Tools

2 followers

subscribe to rss feed

Stats

Asked: 2025-02-26 08:43:21 +0000

Seen: 51 times

Last updated: yesterday

Related questions

how to invert two bytes in lua script dissector ?

How do I get and display packet data information at a specific byte from the first byte?

why protocol is not showing as HTTP even though we sent http request ?

Adjusting Bit order and Endianess in LUA between Dissectors

How do I add "child item" to an item in the subtree?

PRP Dissector and FCS

Use a UDP payload dissector depending on ip addresses

Reuse (part of) a Wireshark Dissector

Heuristic dissector not called

How do I dissect multiple packets?