
Is there a way to change the Packet Info Field based on criteria?

asked 2019-02-21 01:09:28 +0000 by brianrpsgt1

updated 2019-02-21 14:36:17 +0000 by cmaynard

Looking to see if there is a possibility to change the text in the Info field based on a packet criteria. For example, if ssl.handshake.type == 1 then change the packet info field to <custom text>, or even the comment field.

I have tried the following with Lua, but no soup:

function changeInfo(name)
    if pinfo.cols.info == "Client Hello" then
        pinfo.cols.info:set("<message>")
    end
    if ssl.handshake.type == 1 then
        pinfo.cols['info'] = "<message>"
    end
    if ssl.handshake.type == 2 then
        pinfo.cols.info = "<message>"
    end
end

Have also tried

pinfo.cols.info:set('stuff')
pinfo.cols.info:fence()

1 Answer

answered 2019-02-21 17:16:12 +0000 by cmaynard

There can be more than one ssl.handshake.type field within a single packet, so you need to account for this. The following is a simple Lua post-dissector that appends the SSL handshake type(s) to the Info column. It ought to serve as a basic starting point for any further work:

-- Post-dissector that appends the SSL handshake type(s) found in a packet
-- to the Info column.
sslpost = Proto("SSLpost", "SSL post-dissector")

-- Field extractors must be created before any dissector runs.
ssl_handshake_type_f = Field.new("ssl.handshake.type")

function sslpost.dissector(tvb, pinfo, tree)
    -- The extractor returns every matching FieldInfo in the packet; collect
    -- them in a table so packets with several handshake messages are handled.
    local ssl_hst = {ssl_handshake_type_f()}
    -- An empty table is still truthy in Lua, so test the count, not the table.
    if #ssl_hst > 0 then
        pinfo.cols.info:append(": Handshake Type" .. ((#ssl_hst > 1) and "s: " or ": "))
        for _, fi in ipairs(ssl_hst) do
            -- fi() yields the field's value, i.e. the handshake type number
            pinfo.cols.info:append(fi() .. " ")
        end
    end
end

register_postdissector(sslpost)

Testing this against the ssl.pcap file in the Wireshark menagerie produces this tshark result:

$ tshark -r ssl.pcap -Y "ssl.handshake.type"
  2009-02-13 11:55:59.814985   0.045490 0.000000 9.155.133.167 → unlabelled-50-61-58-81.versatel.net SSLv2 196 Client Hello: Handshake Type: 1
  2009-02-13 11:55:59.910024   0.140529 0.095039 unlabelled-50-61-58-81.versatel.net → 9.155.133.167 SSLv3 989 Server Hello, Certificate, Server Hello Done: Handshake Types: 2 11 14
  2009-02-13 11:55:59.912738   0.143243 0.002714 9.155.133.167 → unlabelled-50-61-58-81.versatel.net SSLv3 258 Client Key Exchange, Change Cipher Spec, Encrypted Handshake Message: Handshake Type: 16

Comments

@cmaynard Thank YOU! That will definitely get me going.

Is there a way to put the <message> in the Packet Comments field instead of 'Info'?

brianrpsgt1 ( 2019-03-02 00:45:11 +0000 )

I don't think it's possible to add or change the packet comment tree item (or any other existing tree item for that matter). But, I could be wrong.

cmaynard ( 2019-03-02 22:36:30 +0000 )
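Building on cmaynard's post-dissector and the comment exchange above, the following added example (not from the original thread or the Wireshark project) does what the question asked for: it replaces the Info column with custom text when a packet contains a Client Hello, and, since the packet comment cannot be written from Lua, it puts the decoded handshake type names into a custom tree field instead. The field name sslinfo.types and the custom text are placeholders, and it assumes the pre-3.0 ssl.handshake.type field name used on this page.

```lua
-- Added example, not from the original thread. Assumes the pre-3.0
-- "ssl.handshake.type" field name used on this page.
local sslinfo = Proto("SSLinfo", "SSL handshake Info rewriter")

-- Placeholder field name; carries the decoded handshake type names in the tree.
local pf_types = ProtoField.string("sslinfo.types", "Handshake types")
sslinfo.fields = { pf_types }

local ssl_handshake_type_f = Field.new("ssl.handshake.type")

-- TLS HandshakeType values (RFC 5246, section 7.4)
local HANDSHAKE_NAMES = {
    [0] = "HelloRequest", [1] = "ClientHello", [2] = "ServerHello",
    [11] = "Certificate", [12] = "ServerKeyExchange",
    [13] = "CertificateRequest", [14] = "ServerHelloDone",
    [15] = "CertificateVerify", [16] = "ClientKeyExchange", [20] = "Finished",
}

-- Turn a list of handshake type numbers into "ClientHello, ..." text.
local function describe(types)
    local names = {}
    for _, t in ipairs(types) do
        names[#names + 1] = HANDSHAKE_NAMES[t] or ("Unknown(" .. t .. ")")
    end
    return table.concat(names, ", ")
end

function sslinfo.dissector(tvb, pinfo, tree)
    local types = {}
    -- A field extractor returns every matching FieldInfo in the packet.
    for _, fi in ipairs({ ssl_handshake_type_f() }) do
        types[#types + 1] = fi()
    end
    if #types == 0 then return end   -- not an SSL handshake packet

    local text = describe(types)
    tree:add(pf_types, text)         -- custom tree item, filterable as sslinfo.types

    for _, t in ipairs(types) do
        if t == 1 then
            -- Client Hello: set() replaces the Info text (or, if an earlier
            -- dissector fenced the column, only the text after the fence).
            pinfo.cols.info:set("<custom text for Client Hello>")
            return
        end
    end
    pinfo.cols.info:append(" [" .. text .. "]")
end

register_postdissector(sslinfo)
```

Load it with tshark -X lua_script:sslinfo.lua (or place it in the plugins directory) and the new field can be filtered or added as a column like any built-in one.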


Stats

Asked: 2019-02-21 01:09:28 +0000

Seen: 2,150 times

Last updated: Feb 21 '19