How to change the info column in a protobuf dissector.

asked 2025-03-05 21:47:35 +0000


I've written a simple protobuf dissector that triggers on our custom ppi field in the protobuf. Traffic is over SCTP, and it's modeled on the UDP parts of the tutorial protobuf dissector. It works well enough, and correctly parses and resolves all the various nested structures.

I don't care for the default value of the info column in wireshark, though, and would like to set it to a custom value derived from field values in some of the nested structures. Various AI chats have suggested things like local pb_tree = pinfo.private["pb_tree"] and local submsg = subtree:field("field_name1") after pcall(Dissector.call, protobuf_dissector, tvb, pinfo, subtree) to get access to those nested structures, but I've been unable to make those work - they are either nil, or contain nothing of the protobuf message. Is the protobuf parser able to return a tree to me that I can peruse for the values I want?

As an example, if the dissected view in Wireshark looked like this:

IPM
    Protocol Buffers: cmn.msg.Msg (Message: cmn.msg.Msg)
        src: (65 bytes) (Message: cmn.Addr)
            job: ABC (1)
        dest: (65 bytes) (Message: cmn.Addr)
            job: XYZ (2)
        task: (2 bytes) (Message: cmn.ipm.task_ipm)
            event: SYS_EV_SEND_DATA (100)

I'd want to populate the info column with ABC -> XYZ: SYS_EV_SEND_DATA. (There are many other fields in those sections, but those are irrelevant to this problem.) It's further complicated because there could be multiples of the src and dest, but I think I have a handle on that, if I can get access to the protobuf tree.


Comments

This is done as a post dissector (EASYPOST.lua) but try it with your dissector.
Here using a field from the UDP addressbook example.

-- Declarations added here so the snippet runs stand-alone (EASYPOST.lua defines
-- its own protocol and fields earlier in the file)
local easypost_p = Proto("easypost", "Easy Post-dissector")
local pf = { payload = ProtoField.string("easypost.payload", "Payload") }
easypost_p.fields = pf

-- field extractor for a value the protobuf dissector already placed in the tree
local easypost_payload_f = Field.new("pbf.tutorial.Person.PhoneNumber.number")

-- Step 5 - create the postdissector function that will run on each frame/packet
function easypost_p.dissector(tvb,pinfo,tree)
    local subtree = nil

    -- copy existing field(s) into table for processing
    -- (calling a Field returns every FieldInfo occurrence found in this packet)
    local finfo = { easypost_payload_f() }

    if (#finfo > 0) then
        if not subtree then
            subtree = tree:add(easypost_p)
        end
        for k, v in pairs(finfo) do
            -- process data and add results to the tree
            local field_data = string.format("%s", v):upper()
            subtree:add(pf.payload, field_data)
            pinfo.cols.info:append(" " .. tostring(v))
        end
    end
end

register_postdissector(easypost_p)

To get the formatted strings like ABC, XYZ and SYS_EV_SEND_DATA:

        -- FieldInfo.display is the string shown in the tree, e.g. "ABC (1)";
        -- drop the trailing "(n)" enum number to keep only the symbolic name
        local field_display = v.display
        field_display = string.gsub(field_display, "%(%d+%)$", "")
        pinfo.cols.info:append(" " .. field_display)

Produces 63334 → 8127 Len=128 (PROTOBUF) people people HOME HOME WORK for ...(more)

Chuckc ( 2025-03-05 22:30:02 +0000 )
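Putting the two ideas above together for the question's own message layout, as an added example that is not code from either poster: a Lua postdissector that builds "ABC -> XYZ: SYS_EV_SEND_DATA" with Field extractors, and tells src jobs from dest jobs by checking which container's byte range each cmn.Addr falls inside, so repeated src/dest entries are handled. The field names assume the protobuf dissector's "pbf.<full message name>.<field>" naming seen in the comment; the protocol name ipminfo is made up for the example.

```lua
-- Assumed field names, following the pbf.<message>.<field> pattern
local src_f   = Field.new("pbf.cmn.msg.Msg.src")
local dest_f  = Field.new("pbf.cmn.msg.Msg.dest")
local job_f   = Field.new("pbf.cmn.Addr.job")
local event_f = Field.new("pbf.cmn.ipm.task_ipm.event")

-- Hypothetical postdissector that only rewrites the info column
local ipm_info = Proto("ipminfo", "IPM info column")

-- "SYS_EV_SEND_DATA (100)" -> "SYS_EV_SEND_DATA"; the parentheses keep only
-- gsub's first return value (the string, not the substitution count)
local function enum_name(finfo)
    return (string.gsub(finfo.display, "%s*%(%d+%)$", ""))
end

-- True when the bytes of 'inner' lie within the bytes of 'outer'
local function inside(inner, outer)
    return inner.offset >= outer.offset
       and inner.offset + inner.len <= outer.offset + outer.len
end

-- Job names of every cmn.Addr nested in one of the given container fields;
-- works for any number of src or dest occurrences in the message
local function jobs_within(containers, jobs)
    local names = {}
    for _, c in ipairs(containers) do
        for _, j in ipairs(jobs) do
            if inside(j, c) then names[#names + 1] = enum_name(j) end
        end
    end
    return names
end

function ipm_info.dissector(tvb, pinfo, tree)
    local events = { event_f() }
    if #events == 0 then return end      -- not one of our messages, leave info alone
    local jobs  = { job_f() }           -- every job field, src and dest alike
    local srcs  = jobs_within({ src_f() }, jobs)
    local dests = jobs_within({ dest_f() }, jobs)
    pinfo.cols.info:set(string.format("%s -> %s: %s",
        table.concat(srcs, ","), table.concat(dests, ","), enum_name(events[1])))
end

register_postdissector(ipm_info)
```

Because a postdissector runs after the SCTP and protobuf dissectors have filled the tree, the Field extractors see the fully resolved nested values without any need to call the protobuf dissector again or read pinfo.private.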