Hi,

Quick intro: I'm Jerry White, live in the SF Bay Area. I've been a Wireshark user since the Ethereal days. Also have pretty good experience with Riverbed SteelCentral Transaction Analyzer (aka ATX.) I used to work for OPNET/Riverbed. So Gerald Combs and I were co-workers. And Laura Chappell is my hero. Okay, name dropping is done, here's my question:

My coding skills are rudimentary. Perhaps a 2 out of 10. I'm writing my first Lua dissector. The protocol runs under TCP on a certain port range. I've gotten a lot of help by following Hadriel Kaplan's sample script and YouTube video. Everything was cool, I built a tree and put stuff into the info column in the WS GUI. Now I've just learned that the protocol repeats itself inside of a packet. Let me give you an example:

Simple packet

    <tcp header stuff><MyProto fixed length header><MyProto variable length data>

I can pull stuff out of the MyProto header and data fields just fine. If life were just this type of packet I wouldn't be here.

Advanced packet

    <tcp header stuff><MyProto fixed length header><MyProto variable length data><MyProto fixed length header><MyProto variable length data><MyProto fixed length header><MyProto variable length data>

This packet has three application transactions in it. The first 8 bytes of the MyProto header are always the same, and I can count from there into the packet to parse out the fields I need. The problem is, since the data section is variable length, I don't know where to look for the next header. How do I do that in Lua?

Here's my code:

    function mgi.dissector(tvbuf, pktinfo, root)
        pktinfo.cols.protocol:set("SomosMGI")

        local pktlen = tvbuf:reported_length_remaining()
        local tree = root:add(mgi, tvbuf:range(0,pktlen))

        -- Fields are read at fixed offsets from the start of the payload
        local info_mgi_header = tvbuf:range(0,4)
        tree:add(pf_mgi_header, tvbuf:range(0,4))
        local info_mgi_msg_id = tvbuf:range(9,10)
        tree:add(pf_mgi_msg_id, tvbuf:range(9,10))
        local info_mgi_flag = tvbuf:range(19,1)
        tree:add(pf_mgi_flag, tvbuf:range(19,1))
        local info_mgi_msg_type = tvbuf:range(99,7)
        tree:add(pf_mgi_msg_type, tvbuf:range(99,7))
        local info_mgi_msg_subtype = tvbuf:range(157,4)
        tree:add(pf_mgi_msg_subtype, tvbuf:range(157,4))

        -- Build the Info column text
        --if info_mgi_flag == "c4" then
        --pktinfo.cols.info:set("HEADER=")
        --pktinfo.cols.info:append("".. info_mgi_header ..",") -- printed "7e7e7e7e"
        pktinfo.cols.info:set("MSGID=")
        pktinfo.cols.info:append("".. info_mgi_msg_id ..",")
        pktinfo.cols.info:append("FLAG=")
        pktinfo.cols.info:append("".. info_mgi_flag ..",")
        pktinfo.cols.info:append("MSGTYPE=")
        pktinfo.cols.info:append("".. info_mgi_msg_type ..",")
        pktinfo.cols.info:append("SUBTYPE=")
        pktinfo.cols.info:append("".. info_mgi_msg_subtype .."")
        --end

        return pktlen
    end

Thanks for any help you can provide.

Jerry

___________________________________________________________________________
Sent via:    Wireshark-dev mailing list <wireshark-dev@wireshark.org>
Archives:    https://www.wireshark.org/lists/wireshark-dev
Unsubscribe: https://www.wireshark.org/mailman/options/wireshark-dev
             mailto:wireshark-dev-requ...@wireshark.org?subject=unsubscribe
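
One way to find each repeated header, given here as an added example that is not part of the original post: scan the payload for the constant bytes at the start of the MyProto header and treat every hit as a message boundary. The post shows only the first 4 of the 8 constant bytes (7e7e7e7e), so the search uses those 4; `find_messages`, `fake_msg` and the sample payload are hypothetical names and constructed data.

```lua
-- Added example: split one TCP payload into MyProto messages by searching
-- for the constant bytes that open every header. Runs in plain Lua.

-- Known from the post: header starts with 7e7e7e7e and its first 8 bytes
-- are constant. Assumption: the other 4 constant bytes are unknown here.
local MARKER     = string.char(0x7e):rep(4)
local MARKER_LEN = 8
-- The furthest field read in the post is range(157,4), so a message must
-- hold at least 161 bytes before those fixed offsets are safe to read.
local MIN_MSG_LEN = 161

-- Returns a list of { offset, length, complete } with 0-based offsets
-- (the convention Tvb ranges use). Bytes before the first marker are skipped.
local function find_messages(raw)
  local msgs = {}
  local start = raw:find(MARKER, 1, true)          -- plain search, no patterns
  while start do
    -- Resume past the 8 constant bytes so the header cannot match itself.
    local nxt  = raw:find(MARKER, start + MARKER_LEN, true)
    local stop = nxt and (nxt - 1) or #raw
    local len  = stop - start + 1
    msgs[#msgs + 1] = {
      offset   = start - 1,
      length   = len,
      complete = len >= MIN_MSG_LEN,                -- guard before field reads
    }
    start = nxt
  end
  return msgs
end

-- Constructed sample: three messages, the last one too short to parse.
local function fake_msg(n)
  return MARKER .. string.rep("\0", 4) .. string.rep("A", n)
end
local payload = fake_msg(160) .. fake_msg(200) .. fake_msg(20)

for i, m in ipairs(find_messages(payload)) do
  print(i, m.offset, m.length, m.complete)
end

-- Inside mgi.dissector (Wireshark only), the same list drives the subtrees:
--   for _, m in ipairs(find_messages(tvbuf:raw())) do
--     local msg = tvbuf:range(m.offset, m.length)
--     local sub = root:add(mgi, msg)
--     if m.complete then sub:add(pf_mgi_msg_id, msg:range(9, 10)) end
--   end
```

The `complete` check matters because reading a range past the end of the buffer raises an error in the dissector. The marker bytes can also occur inside the variable-length data, so if the header carries a length field, advancing by that length is more reliable than scanning.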