Update parent tree node

asked 2025-08-09 16:19:18 +0000

Omi

updated 2025-08-09 18:14:16 +0000

We are looking to update the model for source generating common electronic exchanges protocols.

Currently a message may look like this:

    -- Calculate size of: Trade Report Message
    n24x_equities_memoirlastsale_sbe_v1_3_size_of.trade_report_message = function(buffer, offset)
      local index = 0

      index = index + n24x_equities_memoirlastsale_sbe_v1_3_size_of.timestamp

      index = index + n24x_equities_memoirlastsale_sbe_v1_3_size_of.security_id

      index = index + n24x_equities_memoirlastsale_sbe_v1_3_size_of.trade_id

      index = index + n24x_equities_memoirlastsale_sbe_v1_3_size_of.trade_qty

      index = index + n24x_equities_memoirlastsale_sbe_v1_3_size_of.trade_price

      return index
    end

    -- Display: Trade Report Message
    n24x_equities_memoirlastsale_sbe_v1_3_display.trade_report_message = function(buffer, offset, size, packet, parent)
      return ""
    end

    -- Dissect Fields: Trade Report Message
    n24x_equities_memoirlastsale_sbe_v1_3_dissect.trade_report_message_fields = function(buffer, offset, packet, parent)
      local index = offset

      -- Timestamp: 8 Byte Unsigned Fixed Width Integer
      index, timestamp = n24x_equities_memoirlastsale_sbe_v1_3_dissect.timestamp(buffer, index, packet, parent)

      -- Security Id: 2 Byte Unsigned Fixed Width Integer
      index, security_id = n24x_equities_memoirlastsale_sbe_v1_3_dissect.security_id(buffer, index, packet, parent)

      -- Trade Id: 8 Byte Unsigned Fixed Width Integer
      index, trade_id = n24x_equities_memoirlastsale_sbe_v1_3_dissect.trade_id(buffer, index, packet, parent)

      -- Trade Qty: 4 Byte Unsigned Fixed Width Integer
      index, trade_qty = n24x_equities_memoirlastsale_sbe_v1_3_dissect.trade_qty(buffer, index, packet, parent)

      -- Trade Price: 8 Byte Signed Fixed Width Integer
      index, trade_price = n24x_equities_memoirlastsale_sbe_v1_3_dissect.trade_price(buffer, index, packet, parent)

      return index
    end

    -- Dissect: Trade Report Message
    n24x_equities_memoirlastsale_sbe_v1_3_dissect.trade_report_message = function(buffer, offset, packet, parent)
      -- Optionally add struct element to protocol tree
      if show.trade_report_message then
        local length = n24x_equities_memoirlastsale_sbe_v1_3_size_of.trade_report_message(buffer, offset)
        local range = buffer(offset, length)
        -- Pass offset and size so the arguments match the display function's signature
        local display = n24x_equities_memoirlastsale_sbe_v1_3_display.trade_report_message(buffer, offset, length, packet, parent)
        parent = parent:add(n24x_equities_memoirlastsale_sbe_v1_3.fields.trade_report_message, range, display)
      end

      return n24x_equities_memoirlastsale_sbe_v1_3_dissect.trade_report_message_fields(buffer, offset, packet, parent)
    end

In the cases where the source generated inputs do not match the packet capture, the above code errors out on the line:

    local range = buffer(offset, length)

This is a fundamental flaw when testing source generated dissectors because Wireshark errors out at the message level. It would be preferred to dissect as many message fields as possible first to see how close the binary data model is to the actual data.

Can I give the add a dummy buffer and set it after? Or is there another preferred solution?

Thanks in advance


Comments

How are you generating the dissector?

Chuckc ( 2025-08-09 17:13:01 +0000 )

In the future I will give a talk at Sharkfest, but not important to this question. Just assume I have 100% of the information needed to make any version of the code.

https://github.com/Open-Markets-Initi...

Omi ( 2025-08-09 17:55:14 +0000 )

buffer is a tvb so you're using: (WSDG: 11.6.2. Tvb)

11.6.2.8. tvb:__call()
Equivalent to tvb:range(…​)

11.6.2.9. tvb:range([offset], [length])
Creates a TvbRange from this Tvb.

to generate a TvbRange which errors out here: epan/wslua/wslua_tvb.c:

    } else if ( (len + offset) > tvbr->len) {
        luaL_error(L,"Range is out of bounds");
        return 0;
    }

Could you not create a function to wrap around this which validates the parameters?

Chuckc ( 2025-08-09 18:58:21 +0000 )

The problem is that when testing or hacking a binary protocol you don't know if the expected length of a section is actually available. In some cases, they give a length, in other cases you read ahead.

I can think of a couple of solutions. The ideal solution is a dummy message/parent tree item. If that were possible, we could add the fields and update the length at the end. Another solution is checking the available length before each field. This is doable but not as useful as making an attempt to decode the binary fields as expected.

Omi ( 2025-08-09 19:16:07 +0000 )

Sounds like issue 15655, if your problem is that a packet does not contain the reported length.

If that behavior is a showstopper for you, please either fix the Lua handling in Wireshark or don't use Lua and instead generate your dissectors in C.

johnthacker ( 2025-08-09 20:27:35 +0000 )

1 Answer


answered 2025-08-10 14:43:17 +0000

Omi

I am having success with treeitem:set_len()

Thanks
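One way to apply `treeitem:set_len()` to the problem in the question, as an added example that is not part of the original post or the poster's generated code: the struct item is anchored on a range that always exists, fields are decoded until the captured data runs out, and the item is then shrunk to the bytes actually consumed. The protocol name `demo_sbe`, the field abbreviations, UDP port 40000, big-endian byte order and the table-driven layout are assumptions made for the sketch.

```lua
-- Added example: "demo_sbe", the field abbreviations and UDP port 40000 are
-- hypothetical; field widths follow the Trade Report Message in the question.
local demo = Proto("demo_sbe", "Demo SBE Last Sale")

local f_msg = ProtoField.none("demo_sbe.trade_report", "Trade Report Message")
-- Layout table: { ProtoField, width in bytes }, in wire order.
local layout = {
  { ProtoField.uint64("demo_sbe.timestamp", "Timestamp"), 8 },
  { ProtoField.uint16("demo_sbe.security_id", "Security Id"), 2 },
  { ProtoField.uint64("demo_sbe.trade_id", "Trade Id"), 8 },
  { ProtoField.uint32("demo_sbe.trade_qty", "Trade Qty"), 4 },
  { ProtoField.int64("demo_sbe.trade_price", "Trade Price"), 8 },
}
-- Build the complete field list first; fields are registered on assignment.
local fields = { f_msg }
for _, entry in ipairs(layout) do fields[#fields + 1] = entry[1] end
demo.fields = fields

local function dissect_trade_report(buffer, offset, packet, parent)
  -- Anchor the struct item on "offset to end of captured data", which exists
  -- whenever offset is inside the buffer, not on the model's expected length.
  local item = parent:add(f_msg, buffer(offset))
  local index = offset
  for _, entry in ipairs(layout) do
    local field, width = entry[1], entry[2]
    if index + width > buffer:len() then
      -- Model and capture disagree: flag it, keep the fields decoded so far.
      item:add_expert_info(PI_MALFORMED, PI_ERROR,
        "Data ends before the " .. width .. "-byte field at offset " .. index)
      break
    end
    item:add(field, buffer(index, width)) -- big-endian; assumed byte order
    index = index + width
  end
  -- Shrink the struct item to the bytes actually consumed.
  item:set_len(index - offset)
  return index
end

function demo.dissector(buffer, packet, tree)
  packet.cols.protocol = "DEMO-SBE"
  dissect_trade_report(buffer, 0, packet, tree)
end

DissectorTable.get("udp.port"):add(40000, demo)
```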
