
Dear experts,

I'm new to Wireshark and I wonder if it's possible to perform the following task.

I want to write a Lua dissector for viewing captured data in Wireshark.
The captured data (recorded with a terminal program) normally looks like this:

A:55 0D 00 00 1F 50 0A D0 2F 80 00 00 A2
B:55 0D 00 40 1F 50 DA 26 2F 80 00 00 A2
B:55 0B 40 00 1F 10 FD 5C 2F 81 00
B:55 0D 00 00 1F 4F EF 2B 2F 80 00 00 82


This means:
a) The captured data are lines of hex strings starting with "A:" or "B:" indicating the sender.
b) It's not a protocol embedded in TCP or something else for which I can find a lot of examples.

If for a) the solution would be that it had to be binary data instead of text, it would be easy enough to convert the data.
I have actually tried it with the data converted to binary, but I could not get anything working.

b) In most of the examples I've found so far, an existing DissectorTable is used.
What would I have to do, as there is not any similar table or protocol already implemented?

I do have a good description about the meaning of every byte.
But for the beginning it would suffice, if I just could read the data and display it, only using the length byte, which is the second hex byte in each line.
I think that decoding and displaying the remaining data would be easier to accomplish.

I would have enough experience to write a program in C# that shows the meaning of the data.
But from using Wireshark I expect better usability, and it's something I really would like to learn.

asked 11 Oct, 15:19


Danton
61
accept rate: 0%


Wireshark can import hex dumps of protocol frames using File -> Import from Hex Dump in graphical Wireshark or using text2pcap command line utility, except that you'll have to pre-process them to fit the expected format. Running text2pcap gives you hints about the format which are missing here - note the information regarding direction information (A -> I, B -> O or vice versa) and maybe regarding timestamps if you can have them in the original data.

When deciding which dissector to use to analyse the next piece of frame data, Wireshark uses "dissector tables". These are mapping tables which translate some integer or text values found in lower protocol layers to links to dissectors. In some cases more complex methods are used, but that is not relevant here. The root level of such mapping is the encapsulation type (Ethernet, 802.11 etc.), which cannot be found in the frame data itself but in its metadata stored in the capture file. In your case, I'd assume the best way is to choose one of the USER1-USER15 encapsulations when importing the hex dump, and to register your Lua dissector for that encapsulation type using Edit -> Preferences -> Protocols -> DLT_USER -> Edit with your Lua dissector already registered. Or you can do the same in the initialization part of your code, see the answer of @Guy Harris to this question.


answered 12 Oct, 07:04


sindy
6.0k3850
accept rate: 24%
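To show what the "register for a USER encapsulation in the initialization part of your code" route looks like, here is an added example of a minimal Lua dissector (not code from the question, the answer, or the Wireshark project). It assumes the hex dump was imported with the USER0 (DLT_USER0) encapsulation, that the length byte is the total frame length as in the sample lines (0x0D = 13 bytes, 0x0B = 11 bytes), and that the direction markers fed to text2pcap (assumed mapping: A -> I, B -> O) are exposed to Lua as pinfo.p2p_dir.

```lua
-- Added example: minimal dissector for the "55 <len> ..." frames, registered
-- for the USER0 encapsulation instead of a TCP/UDP port table.
local ab_proto = Proto("abframe", "A/B serial frame")

local f_sync = ProtoField.uint8("abframe.sync", "Sync byte", base.HEX)
local f_len  = ProtoField.uint8("abframe.len",  "Length byte", base.DEC)
local f_body = ProtoField.bytes("abframe.body", "Remaining bytes")

ab_proto.fields = { f_sync, f_len, f_body }

function ab_proto.dissector(buf, pinfo, tree)
    pinfo.cols.protocol = ab_proto.name
    local n = buf:len()
    if n < 2 then return 0 end   -- sync byte + length byte are the minimum

    local t = tree:add(ab_proto, buf(0, n))
    t:add(f_sync, buf(0, 1))
    t:add(f_len, buf(1, 1))
    local declared = buf(1, 1):uint()

    -- Assumption: the length byte counts the whole frame, including the
    -- sync and length bytes themselves. Flag frames where it does not match
    -- instead of trusting it blindly.
    if declared ~= n then
        t:add_expert_info(PI_MALFORMED, PI_WARN,
            string.format("length byte %d does not match frame length %d",
                          declared, n))
    end
    if n > 2 then t:add(f_body, buf(2, n - 2)) end

    -- Direction is frame metadata written by text2pcap's I/O marker, not part
    -- of the bytes. Assumed: 0 = sent (our "A"), 1 = received (our "B").
    local dir = "?"
    if pinfo.p2p_dir == 0 then
        dir = "A"
    elseif pinfo.p2p_dir == 1 then
        dir = "B"
    end
    t:append_text(string.format(" [from %s]", dir))
    pinfo.cols.info = string.format("%s: len=%d", dir, declared)
    return n
end

-- Register for the USER0 encapsulation; pick the same USERn when importing
-- the hex dump (File -> Import from Hex Dump, or text2pcap -l 147 for USER0).
DissectorTable.get("wtap_encap"):add(wtap.USER0, ab_proto)
```

Once the Lua file is loaded from the plugins directory, frames imported with that encapsulation are handed to ab_proto.dissector without any DLT_USER preference edit.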
