filterluawireshark-dissectorprotofield

Lua - Display field ASCII Dissector


I am currently working on my first ever Protocol Dissector. I am facing a problem that I can't solve. Basically I have a field which is 8 bytes long (but is defined over 9 bytes), so I created a bitfield to define this protofield.

Here are the deffinitions of the field I have tested so far:

a) local harer_id = ProtoField.string   ("myProto.harer_id","Harer ID", base.ASCII)
b) local harer_id =  ProtoField.uint64   ("myProto.harer_id", "Harer ID", base.HEX )

Then I add it to the dissection Tree on the following way:

  local harer_id_long = tvbuf:range(16,9)
  body:add(harer_id, harer_id_long:bitfield(4,64))

Which ends up giving the following errors:

a) Gives no error but it doesnt return the value on ASCII format
    What I get: 0x0000000000313030
    What I want: 0x0000000000313030 (100)
b) calling 'add' on bad self (string expected, got userdata)

If any of you have any suggestions I would appreciate your help.

Thank you in advance,

Martin

EDIT 1:

I wrote this code which will get the ASCII table values from each byte on the field's value:

I don't know how to make it work so that it displays the ASCII value on the packet view.

 function getASCII (str)
    resultStr = ""
    asciiValue="" 
    for i = 3, string.len(tostring(str))-1, 2 do
        asciiValue = string.char(tonumber(tostring(string.sub(tostring(str),i,i+1)), 16))
        if asciiValue~=nil then 
            resultStr = resultStr .. tostring(tonumber(asciiValue))
        end
    end
    resultStr = string.gsub(resultStr, "nil", "") 
    return resultStr
 end

Solution

  • Here is an alternate method that also works for me. I'm not sure which you prefer, but you now have 2 to choose from (assuming you can get my original method to work):

    local harer_id = ProtoField.uint64("myProto.harer_id", "Harer ID", base.HEX)
    
    harer_item = body:add(harer_id, tvbuf(16, 9):bitfield(4, 64))
    harer_item:set_len(9)
    
    vals = {}
    for i = 0, 7 do
        vals[i] = bit.bor(buf(16 + i, 2):bitfield(4, 8), 0x30)
    end
    harer_item:append_text(" (" ..
        tonumber(string.format("%c%c%c%c%c%c%c%c", vals[0], vals[1], vals[2], vals[3], vals[4], vals[5], vals[6], vals[7])) ..
        ")")
    

    EDIT: Here is a simple Lua dissector and sample packet you can use to test this solution:

    -- Protocol
    local p_foo = Proto("foo", "FOO Protocol")
    
    -- Fields
    local f_foo_res1 = ProtoField.uint8("foo.res1", "Reserved 1", base.DEC, nil, 0xf0)
    local f_foo_str = ProtoField.uint64("foo.str", "String", base.HEX)
    local f_foo_res2 = ProtoField.uint8("foo.res2", "Reserved 2 ", base.DEC, nil, 0x0f)
    local f_foo_res3 = ProtoField.uint8("foo.res3", "Reserved 3", base.HEX)
    local f_foo_ipv6 = ProtoField.ipv6("foo.ipv6", "IPv6 Address")
    
    p_foo.fields = { f_foo_res1, f_foo_str, f_foo_res2, f_foo_res3, f_foo_ipv6 }
    
    -- Dissection
    function p_foo.dissector(buf, pinfo, tree)
        local foo_tree = tree:add(p_foo, buf(0,-1))
    
        pinfo.cols.protocol:set("FOO")
        foo_tree:add(f_foo_res1, buf(0, 1))
    
        str_item = foo_tree:add(f_foo_str, buf(0, 9):bitfield(4, 64))
        str_item:set_len(9)
    
        vals = {}
        for i = 0, 7 do
            vals[i] = bit.bor(buf(i, 2):bitfield(4, 8), 0x30)
        end
        str_item:append_text(" (" ..
            tonumber(string.format("%c%c%c%c%c%c%c%c", vals[0], vals[1], vals[2], vals[3], vals[4], vals[5], vals[6], vals[7])) ..
            ")")
    
        foo_tree:add(f_foo_res2, buf(9, 1))
        foo_tree:add(f_foo_res3, buf(10, 1))
        foo_tree:add(f_foo_ipv6, buf(11, 16))
    end
    
    -- Registration
    local udp_table = DissectorTable.get("udp.port")
    udp_table:add(33333, p_foo)
    

    Use text2pcap to convert this data into a packet that Wireshark can read or use Wireshark's "File -> Import From Hex Dump..." feature:

    0000  00 0e b6 00 00 02 00 0e b6 00 00 01 08 00 45 00
    0010  00 37 00 00 40 00 40 11 b5 ea c0 00 02 65 c0 00
    0020  02 66 82 35 82 35 00 23 00 00 03 03 13 23 33 43
    0030  53 63 70 80 64 20 01 0d b8 00 00 00 00 00 00 00
    0040  00 00 00 00 01
    

    My Wireshark details:
    Compiled (64-bit) with Qt 5.6.2, with WinPcap (4_1_3), with GLib 2.42.0, with zlib 1.2.8, with SMI 0.4.8, with c-ares 1.12.0, with Lua 5.2.4, with GnuTLS 3.4.11, with Gcrypt 1.7.6, with MIT Kerberos, with GeoIP, with nghttp2 1.14.0, with LZ4, with Snappy, with libxml2 2.9.4, with QtMultimedia, with AirPcap, with SBC, with SpanDSP.