
Wireshark plugin not working after update

I made a plugin for Wireshark and now with the new version 4.4.2 it is not working anymore. It seems like something with Lua has changed, but I can't find the problem.

Problem Description: With the old version 4.2, everything worked and it showed the hex stream correctly. However, in version 4.4.2, the plugin no longer parses the data as expected. Specifically, the JSON data parsing seems to fail, and the custom fields are not being populated.

Changes in Wireshark 4.4.2: I noticed that Wireshark 4.4.2 has updated its Lua API, which might be causing the issue. Unfortunately, I couldn't find detailed documentation on these changes.

Relevant Code: Here is the part of the code where the issue seems to occur. Does anyone have an idea what might be causing this issue with the new version?

Thanks in advance!

local json = require "json"
-- Protocol object for this plugin; the dissector function and every tree item below hang off it.
local ws = Proto("ws", "WS")
-- Hex text the dissector compares against the last two hex digits of the 12-byte header.
local identifier = "03"

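--- Recursively render a decoded JSON value into the dissection tree.
-- Each entry of `json_data` becomes one tree item and nested tables become
-- subtrees. The table is decoded from captured packet bytes, so it is
-- untrusted input: nesting is capped so a crafted payload cannot force an
-- arbitrarily deep recursion and tree, and keys are visited in sorted order
-- because `pairs` order is unspecified and would otherwise let the display
-- of the same packet differ between runs.
-- @param json_data table produced by json.decode
-- @param tree tree item that receives the generated entries
-- @param depth optional current nesting level; callers normally omit it
local function parse_json(json_data, tree, depth)
    local max_depth = 32
    depth = depth or 0

    local keys = {}
    for key in pairs(json_data) do
        keys[#keys + 1] = key
    end
    -- Numbers compare numerically, mixed types by type name, the rest by
    -- string form, so the comparator never raises on mixed key types.
    table.sort(keys, function(a, b)
        local ta, tb = type(a), type(b)
        if ta == "number" and tb == "number" then
            return a < b
        end
        if ta ~= tb then
            return ta < tb
        end
        return tostring(a) < tostring(b)
    end)

    for _, key in ipairs(keys) do
        local value = json_data[key]
        if type(value) == "table" then
            if depth >= max_depth then
                -- Stop descending but leave a visible marker for the analyst.
                tree:add(ws, string.format("%s: [nesting deeper than %d levels not shown]", key, max_depth))
            else
                local subtree = tree:add(ws, string.format("%s: ", key))
                parse_json(value, subtree, depth + 1)
            end
        else
            tree:add(ws, string.format("%s: %s", key, tostring(value)))
        end
    end
end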

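--- Dissect one message: a 12-byte identification header followed by a JSON body.
-- The frame is claimed only when the last header byte, as hex text, equals
-- `identifier`. The body is decoded with json.decode under pcall; on failure
-- a malformed-data expert info is attached and dissection stops.
-- NOTE(review): ws_action, ws_domain, ws_message, ws_session_id, ws_request_id
-- and ws_status are not defined in this excerpt; they are presumably
-- ProtoFields registered on `ws` elsewhere in the plugin - confirm they are
-- in scope, otherwise the corresponding add() calls receive nil.
-- @param buffer Tvb with the packet bytes (untrusted capture data)
-- @param pinfo packet info; the protocol and info columns are updated
-- @param tree root tree item of the dissection
function ws.dissector(buffer, pinfo, tree)
    local header_len = 12
    -- buffer(0, 12) raises on a frame shorter than the header, so a truncated
    -- or unrelated packet must be rejected before any range is taken.
    if buffer:len() < header_len then
        return
    end

    local id = buffer(0, header_len):bytes():tohex()
    if id:sub(-2) ~= identifier then
        return
    end

    pinfo.cols.protocol = "ws"
    local subtree = tree:add(ws, buffer(), "ws Data")
    subtree:add(buffer(0, header_len), "Identification: " .. id)
    subtree:add("----------------------------------------")
    local data = buffer(header_len, buffer:len() - header_len)
    local data_string = tostring(data:string())
    -- Clean up the data string: drop line breaks, tabs, every byte outside
    -- ASCII, and a trailing literal "UUUU".
    data_string = data_string:gsub("\r\n", ""):gsub("\n", ""):gsub("\t", ""):gsub("[\128-\255]", ""):gsub("UUUU$", "")
    -- Debug aid: this writes the whole payload (session_id included) to the
    -- console for every matching packet; remove it once debugging is done.
    print("Debug: Extracted Data String = " .. data_string)
    -- pcall keeps a decoder error on hostile or truncated input from aborting
    -- the dissector; anything that is not a table is treated as malformed.
    local status, json_data = pcall(json.decode, data_string)
    if not status or type(json_data) ~= "table" then
        subtree:add_expert_info(PI_MALFORMED, PI_ERROR, "Malformed JSON Data")
        return
    end
    -- Add custom fields to the dissection tree
    if json_data["action"] then
        subtree:add(ws_action, json_data["action"])
    end
    if json_data["domain"] then
        subtree:add(ws_domain, json_data["domain"])
    end
    if json_data["message"] then
        subtree:add(ws_message, json_data["message"])
        pinfo.cols.info:set(tostring(json_data["message"]))
    end
    if json_data["session_id"] then
        subtree:add(ws_session_id, json_data["session_id"])
    end
    if json_data["request_id"] then
        subtree:add(ws_request_id, json_data["request_id"])
    end
    if json_data["status"] then
        subtree:add(ws_status, json_data["status"])
    end
    if json_data["payload"] then
        local payload_subtree = subtree:add(ws, "Payload")
        parse_json(json_data["payload"], payload_subtree)
    end
end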

Wireshark plugin not working after update

I made a plugin for Wireshark and now with the new version 4.4.2 it is not working anymore. It seems like something with Lua has changed, but I can't find the problem.

Problem Description: With the old version 4.2, everything worked and it showed the hex stream correctly. However, in version 4.4.2, the plugin no longer parses the data as expected. Specifically, the JSON data parsing seems to fail, and the custom fields are not being populated.

Changes in Wireshark 4.4.2: I noticed that Wireshark 4.4.2 has updated its Lua API, which might be causing the issue. Unfortunately, I couldn't find detailed documentation on these changes.

Relevant Code: Here is the part of the code where the issue seems to occur. Does anyone have an idea what might be causing this issue with the new version?

Thanks in advance!

local json = require "json"
-- Protocol object for this plugin; the dissector function and every tree item below hang off it.
local ws = Proto("ws", "WS")
-- Hex text the dissector compares against the last two hex digits of the 12-byte header.
local identifier = "03"

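--- Recursively render a decoded JSON value into the dissection tree.
-- Each entry of `json_data` becomes one tree item and nested tables become
-- subtrees. The table is decoded from captured packet bytes, so it is
-- untrusted input: nesting is capped so a crafted payload cannot force an
-- arbitrarily deep recursion and tree, and keys are visited in sorted order
-- because `pairs` order is unspecified and would otherwise let the display
-- of the same packet differ between runs.
-- @param json_data table produced by json.decode
-- @param tree tree item that receives the generated entries
-- @param depth optional current nesting level; callers normally omit it
local function parse_json(json_data, tree, depth)
    local max_depth = 32
    depth = depth or 0

    local keys = {}
    for key in pairs(json_data) do
        keys[#keys + 1] = key
    end
    -- Numbers compare numerically, mixed types by type name, the rest by
    -- string form, so the comparator never raises on mixed key types.
    table.sort(keys, function(a, b)
        local ta, tb = type(a), type(b)
        if ta == "number" and tb == "number" then
            return a < b
        end
        if ta ~= tb then
            return ta < tb
        end
        return tostring(a) < tostring(b)
    end)

    for _, key in ipairs(keys) do
        local value = json_data[key]
        if type(value) == "table" then
            if depth >= max_depth then
                -- Stop descending but leave a visible marker for the analyst.
                tree:add(ws, string.format("%s: [nesting deeper than %d levels not shown]", key, max_depth))
            else
                local subtree = tree:add(ws, string.format("%s: ", key))
                parse_json(value, subtree, depth + 1)
            end
        else
            tree:add(ws, string.format("%s: %s", key, tostring(value)))
        end
    end
end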

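--- Dissect one message: a 12-byte identification header followed by a JSON body.
-- The frame is claimed only when the last header byte, as hex text, equals
-- `identifier`. The body is decoded with json.decode under pcall; on failure
-- a malformed-data expert info is attached and dissection stops.
-- NOTE(review): ws_action, ws_domain, ws_message, ws_session_id, ws_request_id
-- and ws_status are not defined in this excerpt; they are presumably
-- ProtoFields registered on `ws` elsewhere in the plugin - confirm they are
-- in scope, otherwise the corresponding add() calls receive nil.
-- @param buffer Tvb with the packet bytes (untrusted capture data)
-- @param pinfo packet info; the protocol and info columns are updated
-- @param tree root tree item of the dissection
function ws.dissector(buffer, pinfo, tree)
    local header_len = 12
    -- buffer(0, 12) raises on a frame shorter than the header, so a truncated
    -- or unrelated packet must be rejected before any range is taken.
    if buffer:len() < header_len then
        return
    end

    local id = buffer(0, header_len):bytes():tohex()
    if id:sub(-2) ~= identifier then
        return
    end

    pinfo.cols.protocol = "ws"
    local subtree = tree:add(ws, buffer(), "ws Data")
    subtree:add(buffer(0, header_len), "Identification: " .. id)
    subtree:add("----------------------------------------")
    local data = buffer(header_len, buffer:len() - header_len)
    local data_string = tostring(data:string())
    -- Clean up the data string: drop line breaks, tabs, every byte outside
    -- ASCII, and a trailing literal "UUUU".
    data_string = data_string:gsub("\r\n", ""):gsub("\n", ""):gsub("\t", ""):gsub("[\128-\255]", ""):gsub("UUUU$", "")
    -- Debug aid: this writes the whole payload (session_id included) to the
    -- console for every matching packet; remove it once debugging is done.
    print("Debug: Extracted Data String = " .. data_string)
    -- pcall keeps a decoder error on hostile or truncated input from aborting
    -- the dissector; anything that is not a table is treated as malformed.
    local status, json_data = pcall(json.decode, data_string)
    if not status or type(json_data) ~= "table" then
        subtree:add_expert_info(PI_MALFORMED, PI_ERROR, "Malformed JSON Data")
        return
    end
    -- Add custom fields to the dissection tree
    if json_data["action"] then
        subtree:add(ws_action, json_data["action"])
    end
    if json_data["domain"] then
        subtree:add(ws_domain, json_data["domain"])
    end
    if json_data["message"] then
        subtree:add(ws_message, json_data["message"])
        pinfo.cols.info:set(tostring(json_data["message"]))
    end
    if json_data["session_id"] then
        subtree:add(ws_session_id, json_data["session_id"])
    end
    if json_data["request_id"] then
        subtree:add(ws_request_id, json_data["request_id"])
    end
    if json_data["status"] then
        subtree:add(ws_status, json_data["status"])
    end
    if json_data["payload"] then
        local payload_subtree = subtree:add(ws, "Payload")
        parse_json(json_data["payload"], payload_subtree)
    end
end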

Wireshark plugin not working after update

I made a plugin for Wireshark and now with the new version 4.4.2 it is not working anymore. It seems like something with Lua has changed, but I can't find the problem.

With the old version 4.2, everything worked and it showed the hex stream correctly. However, in version 4.4.2, the plugin no longer parses the data as expected. Specifically, the JSON data parsing seems to fail, and the custom fields are not being populated.

I noticed that Wireshark 4.4.2 has updated its Lua API, which might be causing the issue. Unfortunately, I couldn't find detailed documentation on these changes.

Here is the part of the code where the issue seems to occur. Does anyone have an idea what might be causing this issue with the new version?

Thanks in advance!

local json = require "json"
-- Protocol object for this plugin; the dissector function and every tree item below hang off it.
local ws = Proto("ws", "WS")
-- Hex text the dissector compares against the last two hex digits of the 12-byte header.
local identifier = "03"

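--- Recursively render a decoded JSON value into the dissection tree.
-- Each entry of `json_data` becomes one tree item and nested tables become
-- subtrees. The table is decoded from captured packet bytes, so it is
-- untrusted input: nesting is capped so a crafted payload cannot force an
-- arbitrarily deep recursion and tree, and keys are visited in sorted order
-- because `pairs` order is unspecified and would otherwise let the display
-- of the same packet differ between runs.
-- @param json_data table produced by json.decode
-- @param tree tree item that receives the generated entries
-- @param depth optional current nesting level; callers normally omit it
local function parse_json(json_data, tree, depth)
    local max_depth = 32
    depth = depth or 0

    local keys = {}
    for key in pairs(json_data) do
        keys[#keys + 1] = key
    end
    -- Numbers compare numerically, mixed types by type name, the rest by
    -- string form, so the comparator never raises on mixed key types.
    table.sort(keys, function(a, b)
        local ta, tb = type(a), type(b)
        if ta == "number" and tb == "number" then
            return a < b
        end
        if ta ~= tb then
            return ta < tb
        end
        return tostring(a) < tostring(b)
    end)

    for _, key in ipairs(keys) do
        local value = json_data[key]
        if type(value) == "table" then
            if depth >= max_depth then
                -- Stop descending but leave a visible marker for the analyst.
                tree:add(ws, string.format("%s: [nesting deeper than %d levels not shown]", key, max_depth))
            else
                local subtree = tree:add(ws, string.format("%s: ", key))
                parse_json(value, subtree, depth + 1)
            end
        else
            tree:add(ws, string.format("%s: %s", key, tostring(value)))
        end
    end
end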

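--- Dissect one message: a 12-byte identification header followed by a JSON body.
-- The frame is claimed only when the last header byte, as hex text, equals
-- `identifier`. The body is decoded with json.decode under pcall; on failure
-- a malformed-data expert info is attached and dissection stops.
-- NOTE(review): ws_action, ws_domain, ws_message, ws_session_id, ws_request_id
-- and ws_status are not defined in this excerpt; they are presumably
-- ProtoFields registered on `ws` elsewhere in the plugin - confirm they are
-- in scope, otherwise the corresponding add() calls receive nil.
-- @param buffer Tvb with the packet bytes (untrusted capture data)
-- @param pinfo packet info; the protocol and info columns are updated
-- @param tree root tree item of the dissection
function ws.dissector(buffer, pinfo, tree)
    local header_len = 12
    -- buffer(0, 12) raises on a frame shorter than the header, so a truncated
    -- or unrelated packet must be rejected before any range is taken.
    if buffer:len() < header_len then
        return
    end

    local id = buffer(0, header_len):bytes():tohex()
    if id:sub(-2) ~= identifier then
        return
    end

    pinfo.cols.protocol = "ws"
    local subtree = tree:add(ws, buffer(), "ws Data")
    subtree:add(buffer(0, header_len), "Identification: " .. id)
    subtree:add("----------------------------------------")
    local data = buffer(header_len, buffer:len() - header_len)
    local data_string = tostring(data:string())
    -- Clean up the data string: drop line breaks, tabs, every byte outside
    -- ASCII, and a trailing literal "UUUU".
    data_string = data_string:gsub("\r\n", ""):gsub("\n", ""):gsub("\t", ""):gsub("[\128-\255]", ""):gsub("UUUU$", "")
    -- Debug aid: this writes the whole payload (session_id included) to the
    -- console for every matching packet; remove it once debugging is done.
    print("Debug: Extracted Data String = " .. data_string)
    -- pcall keeps a decoder error on hostile or truncated input from aborting
    -- the dissector; anything that is not a table is treated as malformed.
    local status, json_data = pcall(json.decode, data_string)
    if not status or type(json_data) ~= "table" then
        subtree:add_expert_info(PI_MALFORMED, PI_ERROR, "Malformed JSON Data")
        return
    end
    -- Add custom fields to the dissection tree
    if json_data["action"] then
        subtree:add(ws_action, json_data["action"])
    end
    if json_data["domain"] then
        subtree:add(ws_domain, json_data["domain"])
    end
    if json_data["message"] then
        subtree:add(ws_message, json_data["message"])
        pinfo.cols.info:set(tostring(json_data["message"]))
    end
    if json_data["session_id"] then
        subtree:add(ws_session_id, json_data["session_id"])
    end
    if json_data["request_id"] then
        subtree:add(ws_request_id, json_data["request_id"])
    end
    if json_data["status"] then
        subtree:add(ws_status, json_data["status"])
    end
    if json_data["payload"] then
        local payload_subtree = subtree:add(ws, "Payload")
        parse_json(json_data["payload"], payload_subtree)
    end
end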