How to change the info column in a protobuf dissector.

asked 2025-03-05 21:47:35 +0000 by SteveW

I've written a simple protobuf dissector that triggers on our custom ppi field in the protobuf. Traffic is over SCTP, and it's modeled on the UDP parts of the tutorial protobuf dissector. It works well enough, and correctly parses and resolves all the various nested structures.

I don't care for the default value of the info column in wireshark, though, and would like to set it to a custom value derived from field values in some of the nested structures. Various AI chats have suggested things like local pb_tree = pinfo.private["pb_tree"] and local submsg = subtree:field("field_name1") after pcall(Dissector.call, protobuf_dissector, tvb, pinfo, subtree) to get access to those nested structures, but I've been unable to make those work - they are either nil, or contain nothing of the protobuf message. Is the protobuf parser able to return a tree to me that I can peruse for the values I want?

As an example, if the dissected view in Wireshark looked like this:

IPM
    Protocol Buffers: cmn.msg.Msg (Message: cmn.msg.Msg)
        src: (65 bytes) (Message: cmn.Addr)
            job: ABC (1)
        dest: (65 bytes) (Message: cmn.Addr)
            job: XYZ (2)
        task: (2 bytes) (Message: cmn.ipm.task_ipm)
            event: SYS_EV_SEND_DATA (100)

I'd want to populate the info column with ABC -> XYZ: SYS_EV_SEND_DATA. (There are many other fields in those sections, but those are irrelevant to this problem.) It's further complicated because there could be multiples of the src and dest, but I think I have a handle on that, if I can get access to the protobuf tree.


1 Answer

answered 2025-03-05 22:30:02 +0000 by Chuckc, updated 2025-03-05 22:51:29 +0000

This is done as a post dissector (EASYPOST.lua) but try it with your dissector.
Here using a field from the UDP addressbook example.

-- Proto and field declarations from EASYPOST.lua (Steps 1-4), included so the
-- snippet loads on its own
local easypost_p = Proto("easypost", "Easy Post Dissector")
local pf = { payload = ProtoField.string("easypost.payload", "Payload") }
easypost_p.fields = pf

-- Field.new() must be called at load time, before any packet is dissected
local easypost_payload_f = Field.new("pbf.tutorial.Person.PhoneNumber.number")

-- Step 5 - create the postdissector function that will run on each frame/packet
function easypost_p.dissector(tvb,pinfo,tree)
    local subtree = nil

    -- copy existing field(s) into table for processing;
    -- calling the Field returns one FieldInfo per occurrence in this packet
    local finfo = { easypost_payload_f() }

    if (#finfo > 0) then
        if not subtree then
            subtree = tree:add(easypost_p)
        end
        for k, v in pairs(finfo) do
            -- process data and add results to the tree
            local field_data = string.format("%s", v):upper()
            subtree:add(pf.payload, field_data)
            pinfo.cols.info:append(" " .. tostring(v))
        end
    end
end

-- Step 6 - register as a post-dissector so it runs after the protobuf dissector
register_postdissector(easypost_p)

To get the formatted strings like ABC, XYZ and SYS_EV_SEND_DATA:

        -- FieldInfo.display is the string shown in the tree, e.g. "HOME (1)";
        -- strip the trailing "(n)" enum value
        local field_display = v.display
        field_display = string.gsub(field_display, "%(%d+%)$", "")
        pinfo.cols.info:append(" " .. field_display)

With easypost_payload_f = Field.new("pbf.tutorial.Person.PhoneNumber.type") this produces an Info column of:

    63334 → 8127 Len=128 (PROTOBUF) people people HOME HOME WORK

Put pinfo.cols.info:clear() above the for loop to start with an empty Info column, which gives:

    HOME HOME WORK

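An added example, not code from the original answer or from the Wireshark project: a post-dissector that builds the ABC -> XYZ: SYS_EV_SEND_DATA column from the message layout shown in the question. The field names pbf.cmn.msg.Msg.src, pbf.cmn.msg.Msg.dest, pbf.cmn.Addr.job and pbf.cmn.ipm.task_ipm.event are assumptions derived from the protobuf dissector's pbf.<message full name>.<field name> scheme and the message names in the question; check them in the packet details pane first, because Field.new raises an error at load time if the field is not registered. Since src and dest are both cmn.Addr, one Field for job returns every job in the packet, so the example tells a src job from a dest job by checking whether the job's byte range lies inside a src or a dest message; the same check handles repeated src and dest.

```lua
-- Added example (not from the original post or the Wireshark project).
-- Field names below are ASSUMED from the protobuf dissector's naming scheme
-- (pbf.<message full name>.<field name>); verify them against the tree.
local f_src   = Field.new("pbf.cmn.msg.Msg.src")
local f_dest  = Field.new("pbf.cmn.msg.Msg.dest")
local f_job   = Field.new("pbf.cmn.Addr.job")
local f_event = Field.new("pbf.cmn.ipm.task_ipm.event")

local ipminfo = Proto("ipminfo", "IPM Info column post-dissector")

-- Strip the trailing "(n)" that the protobuf dissector appends to enum
-- display strings, e.g. "ABC (1)" -> "ABC". Non-enum strings pass through.
local function enum_name(fi)
    local s = tostring(fi.display)
    s = string.gsub(s, "%s*%(%-?%d+%)$", "")
    return s
end

-- True when the bytes of inner lie inside the bytes of outer. Both FieldInfos
-- come from the same protobuf dissection, so their offsets share a data source.
local function contains(outer, inner)
    return inner.offset >= outer.offset
       and inner.offset + inner.len <= outer.offset + outer.len
end

-- Display names of every job whose bytes sit inside one of the container
-- messages (all src messages, or all dest messages), in packet order.
local function jobs_within(containers, jobs)
    local names = {}
    for _, c in ipairs(containers) do
        for _, j in ipairs(jobs) do
            if contains(c, j) then
                names[#names + 1] = enum_name(j)
            end
        end
    end
    return names
end

function ipminfo.dissector(tvb, pinfo, tree)
    -- Calling a Field returns every FieldInfo already added for this packet
    local srcs   = { f_src() }
    local dests  = { f_dest() }
    local jobs   = { f_job() }
    local events = { f_event() }
    if #srcs == 0 and #dests == 0 and #events == 0 then
        return  -- not one of our messages; leave the Info column alone
    end

    local src_names  = jobs_within(srcs, jobs)
    local dest_names = jobs_within(dests, jobs)
    local ev = (#events > 0) and enum_name(events[1]) or "?"

    -- Repeated src/dest addresses are joined with commas:
    -- "ABC -> XYZ: SYS_EV_SEND_DATA" or "ABC,DEF -> XYZ: SYS_EV_SEND_DATA"
    local info = table.concat(src_names, ",") .. " -> "
              .. table.concat(dest_names, ",") .. ": " .. ev
    pinfo.cols.info:set(info)
end

register_postdissector(ipminfo)
```

The same three helper functions can be called from the question's own SCTP dissector directly after pcall(Dissector.call, protobuf_dissector, tvb, pinfo, subtree), because calling a Field returns the FieldInfo of everything already added to the tree for the current packet; the post-dissector form above simply avoids touching that dissector.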

Comments

Hi Chuck, thanks much for your comments. I was able to extract the entire contents of the "src" and "dest" fields and add them to the info column, but there is much more in those fields than shown in my example, and I was unable to figure out how to treat the field value as the appropriate "cmn.Addr" shown in my example and show just the "job" field. This has already consumed far more time than I wanted to spend on it, so I'm not inclined to spend more time reading Wireshark docs or poking half-blind at code (I know a bit of lua, but practically nothing about the Wireshark extensions). Thank you for your suggestions though.

SteveW (2025-03-06 15:23:16 +0000)


Stats

Asked: 2025-03-05 21:47:35 +0000

Seen: 166 times

Last updated: Mar 05