Ask Your Question
0

Lua - Get data from buffer when packet size varies

asked 2018-10-02 15:45:26 +0000

marty84 gravatar image

Hello,

Newbie to creating dissectors in Lua, looking for some advice on how to grab a section of data when the payload size varies.

I can grab data using the offset,length method for some items but others shift one or two bytes so i can't rely on it.

What is a suitable method to do this?

I'm using the following function currenty:

function myproto.dissector(buffer, pinfo, tree) length = buffer:len() if length == 0 then return end

edit retag flag offensive close merge delete

1 Answer

Sort by » oldest newest most voted
0

answered 2018-10-02 17:42:11 +0000

cmaynard gravatar image

I can grab data using the offset,length method for some items but others shift one or two bytes so i can't rely on it. Can you clarify what you mean by this?

If you're trying to add fields to the tree, you can just use

tree:add(p_foo.some_field, buffer(offset, len))

… where the offset is just the offset to the field, which you may need to keep track of as you add fields, and where len is the number of bytes in the buffer comprising the field and could be a fixed value, but not necessarily.

Did you try looking at the various examples on the wiki, such as dissector.lua from the Lua/Examples wiki page?

edit flag offensive delete link more

Comments

Say i'm using the buffer(offset,len) method to view the 5th hex value (4,1)

first packet:

00 11 22 33 44 55

buffer would return '44'.

second packet:

00 11 AA 22 33 44 55

buffer would now return '33' where I actually wanted '44'.

Does this help to clarify? I would not be able to base the buffer off a previous field as the extra byte appears between fields.

marty84 gravatar imagemarty84 ( 2018-10-03 07:01:14 +0000 )edit

Well, you need to track the offset then. Somehow you have to know that the AA was inserted and if so, increment your offset accordingly. For example:

offset = 0
tree:add(p_foo.field_00_11, buffer(offset, 2))
offset = offset + 2
if <some test condition> then
    tree:add(p_foo.field_AA, buffer(offset, 1))
    offset = offset + 1
end

tree:add(p_foo.field_22_33, buffer(offset, 2))
offset = offset + 2
tree:add(p_foo.field_44, buffer(offset, 1))
offset = offset + 1
tree:add(p_foo.field_55, buffer(offset, 1))
offset = offset + 1
...

I have no idea what your test condition would be because I don't know anything about your protocol, so you'll have to make that determination.

cmaynard gravatar imagecmaynard ( 2018-10-03 12:45:28 +0000 )edit

Hi, I can't figure out the test condition. I've tried the below but the script doesn't apply the offset.

if buffer(offset,1) == 'AA' then 
offset = offset + 1
end

What am i doing wrong?

marty84 gravatar imagemarty84 ( 2018-10-10 14:14:25 +0000 )edit

If I interpret your code correctly, it would appear that you're trying to compare the value of 1 byte in the buffer at offset offset to the hexadecimal value of 0xAA or decimal value 170. If that's the case, then try this:

if buffer(offset,1):uint() == 170 then
    offset = offset + 1
end
cmaynard gravatar imagecmaynard ( 2018-10-12 00:27:19 +0000 )edit

thank you for your help!

marty84 gravatar imagemarty84 ( 2018-10-15 09:41:16 +0000 )edit

Your Answer

Please start posting anonymously - your entry will be published after you log in or create a new account.

Add Answer

Question Tools

1 follower

Stats

Asked: 2018-10-02 15:45:26 +0000

Seen: 43 times

Last updated: Oct 03