How to provide subset TVB for the subsequent dissectors in Lua?

Hi everyone. I'm writing a Lua dissector for a custom proxy protocol, say FOO, which uses TCP for transport. I have completed the TCP reassembly. The protocol running on FOO is simply TLS. After TCP reassembly, the FOO segments look like this (I'll try my best for illustration, since I can't post images :):

<-- FOO Header --><------- FOO Payload -------><-- FOO Header --><------- FOO Payload -------><--- ... --->

<------------------- FOO Segment 1 ------------------><------------------- FOO Segment 2 ------------------><--- ... --->

The FOO Payload is actually a TLS segment. Therefore, I tried to call the TLS dissector directly:

--- Suppose the FOO Header is of length L
local tls_dissector = Dissector.get("tls")
--- Some code
tls_dissector(tvb(L):tvb(), pktinfo, tree)

However, it seems that this method does not reassemble TLS segments well. If a TLS Application Data record spans two (or more) FOO segments, these segments, except for the first one, cannot be dissected correctly. As a result, except for the first record, the remaining records show no column information or are marked as "Continuation Data".

Therefore, I think I should hand the FOO Payload as a new Tvb to the TLS dissector, like how TCP hands its payload to the FOO dissector. I looked at Section 1.7 of README.dissector. It seems that tvb_new_subset_remaining could achieve this. I wonder whether the Lua API provides this mechanism (I didn't find it in the Lua API Reference)?

UPDATE 1: I've uploaded the related Lua dissector code (you may also need to download the utils) and the testing capture to GitHub. Feel free to check them if you are interested. :)

Any suggestions would be appreciated! Wireshark version is Version 4.3.0 (v4.3.0rc1-256-g49164027c622).
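
The failure mode described in the question, as an added example that is not the poster's code: a plain-Lua sketch (no Wireshark API) that strips FOO headers, buffers the payloads, and cuts TLS records on their own 5-byte header (type, version, length), so a record split across two FOO segments is only emitted once it is complete. The FOO header layout and the sample bytes are assumptions constructed for the illustration.

```lua
-- ASSUMPTION: hypothetical FOO header = 2 opaque bytes + 2-byte big-endian payload length.
local FOO_HDR_LEN = 4

local function be16(s, pos)
  local hi, lo = s:byte(pos, pos + 1)
  return hi * 256 + lo
end

-- Strip the FOO headers from a reassembled byte stream and return the payloads in order.
local function foo_payloads(stream)
  local out, pos = {}, 1
  while pos + FOO_HDR_LEN - 1 <= #stream do
    local len = be16(stream, pos + 2)
    local first = pos + FOO_HDR_LEN
    if first + len - 1 > #stream then break end -- truncated segment, needs more bytes
    out[#out + 1] = stream:sub(first, first + len - 1)
    pos = first + len
  end
  return out
end

-- Feed the payloads one at a time. A TLS record is emitted only when its 5-byte
-- header and all `length` bytes of its body have arrived; the rest stays buffered.
local function tls_records(payloads)
  local buf, records = "", {}
  for i, p in ipairs(payloads) do
    buf = buf .. p
    while #buf >= 5 do
      local rec_len = be16(buf, 4) -- bytes 4..5 of the record header
      if #buf < 5 + rec_len then break end -- record continues in the next FOO segment
      records[#records + 1] = { type = buf:byte(1), length = rec_len, completed_in = i }
      buf = buf:sub(5 + rec_len + 1)
    end
  end
  return records, #buf
end

-- Constructed sample: a 6-byte Application Data record (type 23) followed by a
-- 2-byte Alert record (type 21), cut after 8 bytes so the first record spans two segments.
local tls = "\23\3\3\0\6ABCDEF" .. "\21\3\3\0\2\1\0"
local function foo_segment(payload)
  return "\170\1" .. string.char(math.floor(#payload / 256), #payload % 256) .. payload
end
local stream = foo_segment(tls:sub(1, 8)) .. foo_segment(tls:sub(9))
local records, leftover = tls_records(foo_payloads(stream))
for _, r in ipairs(records) do
  print(string.format("TLS type=%d len=%d completed in FOO segment %d", r.type, r.length, r.completed_in))
end
print("unconsumed bytes:", leftover)
```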