Difference between Wireshark and tshark on InfiniBand dissection

Hello,

I wrote a heuristic Lua dissector for a protocol that uses UDP port 4791 and it works as expected in Wireshark. However, when I try to use the same dissector with tshark, the InfiniBand dissector tries and fails to decode the packet, preventing my heuristic dissector from operating, unless I disable it explicitly.

In the Wireshark prefs for IB there is a preference that is default true called “Try heuristic sub-dissectors first”. The same preference appears to be known to tshark:

```
tshark_ib % /Applications/Wireshark.app/Contents/MacOS/tshark -G currentprefs | grep -B 2 infiniband.try_heuristic_first
# Try to decode a packet using an heuristic sub-dissector before using Decode As
# TRUE or FALSE (case-insensitive)
#infiniband.try_heuristic_first: TRUE
```

but it doesn’t appear to have an effect, even if forced to TRUE with the -o command-line option. Attached is a script that demonstrates the tshark behavior with a minimal packet and dissector -- the Lua dissector is invoked only by the third way of calling tshark. The heuristic_dissector.lua file produced by the script can be loaded into Wireshark to confirm that it dissects the udp_packet.pcap file as PROP with default prefs.

Is it a bug for tshark not to invoke the heuristic dissector before the InfiniBand one?

```bash
#!/bin/bash

TEXT2PCAP=/Applications/Wireshark.app/Contents/MacOS/text2pcap
TSHARK=/Applications/Wireshark.app/Contents/MacOS/tshark
UDP_SRC_PORT=65432
UDP_DST_PORT=4791
PCAP_FN=udp_packet.pcap

cat <<EOF | ${TEXT2PCAP} -qu "${UDP_SRC_PORT},${UDP_DST_PORT}" - ${PCAP_FN}
0000    01 23 45 67 89 ab cd ef
EOF

cat >heuristic_dissector.lua <<EOF
-- This heuristic dissector works in Wireshark with the default preference of
-- infiniband.try_heuristic_first: TRUE
-- but it does not work in tshark without disabling the InfiniBand protocol.

local proto = Proto("prop", "PROP")

function proto.dissector(buffer, pinfo, root)
    print("prop dissector invoked")
    root:add(proto, buffer())
    pinfo.cols.protocol = proto.name
    return buffer:len()
end

local udp_dstport = Field.new("udp.dstport")
proto:register_heuristic("udp", function (buffer, pinfo, root)
    if udp_dstport()() == ${UDP_DST_PORT} then
        proto.dissector(buffer, pinfo, root)
        return true
    end
    return false
end)
EOF

echo "Heuristic dissector:"
${TSHARK} -X lua_script:heuristic_dissector.lua -r ${PCAP_FN}

echo "Heuristic dissector, overriding infiniband.try_heuristic_first to true:"
${TSHARK} -X lua_script:heuristic_dissector.lua -o infiniband.try_heuristic_first:TRUE -r ${PCAP_FN}

echo "Heuristic dissector, InfiniBand disabled:"
${TSHARK} -X lua_script:heuristic_dissector.lua --disable-protocol infiniband -r ${PCAP_FN}
```