lua wireshark wireshark-dissector

How to access a previously extracted field in a chained Lua dissector?


I'm new to Lua and I'm trying to write a dissector that would decrypt an encrypted MQTT payload. Wireshark already has an MQTT dissector that extracts the payload, which at the moment looks like gibberish because it's encrypted. I'd like to access that payload object in a chained dissector in order to run the decryption function on it. I'm unsure whether I should be using a field extractor to pull it from the packet or if, because the existing MQTT dissector has already done that, there's some other better way to access it.

I'm not really sure whether this is possible so I haven't tried anything yet. Thanks in advance!


Solution

  • Yes, to get the data, you'd use the Field Extractor, something like:

    my_msg = Field.new("mqtt.msg")
    

    To decrypt the message, you will need to supply the encryption key, perhaps through a preference for your chained/post dissector, and then you'll also need to add decryption support. Luckily, there does exist luagcrypt, written by Peter Wu (aka Lekensteyn), which may suit your needs. Peter has even written a Wireshark Lua dissector for the WireGuard tunnel protocol where he makes use of luagcrypt and which may serve as a helpful place to start.
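
The approach described in the answer above, sketched as a post-dissector. This is an added example, not part of the original answer and not taken from Peter Wu's WireGuard dissector. The protocol name `mqttdec`, the preference, and the encryption scheme (AES-128-CBC with a 16-byte IV prepended to the ciphertext) are assumptions made for illustration; the page does not say how the payload is encrypted.

```lua
-- Added example. ASSUMPTIONS (not from the page): AES-128-CBC, 16-byte IV
-- prepended to the ciphertext, key given as 32 hex digits in a preference.
local gcrypt = require("luagcrypt")

-- Field extractors must be created at load time, outside the dissector function.
local mqtt_msg_f = Field.new("mqtt.msg")

local p = Proto("mqttdec", "MQTT Decrypted Payload")   -- hypothetical name
local f_plain = ProtoField.bytes("mqttdec.plaintext", "Decrypted message")
p.fields = { f_plain }
-- Note: string preferences are written to Wireshark's preferences file in plaintext.
p.prefs.key = Pref.string("AES key (hex)", "", "32 hex digits")

local function decrypt(key, iv, ciphertext)
    local cipher = gcrypt.Cipher(gcrypt.CIPHER_AES128, gcrypt.CIPHER_MODE_CBC)
    cipher:setkey(key)
    cipher:setiv(iv)
    return cipher:decrypt(ciphertext)
end

function p.dissector(tvb, pinfo, tree)
    local keyhex = p.prefs.key
    -- Skip silently until a well-formed 128-bit key has been configured.
    if #keyhex ~= 32 or not keyhex:match("^%x+$") then return end
    local key = ByteArray.new(keyhex):raw()

    -- One frame can carry several PUBLISH messages, so collect every match.
    for _, fi in ipairs({ mqtt_msg_f() }) do
        local raw = fi.range:bytes():raw()
        local sub = tree:add(p, fi.range)
        -- Need the IV plus at least one block; CBC input must be block-aligned.
        if #raw >= 32 and #raw % 16 == 0 then
            local ok, plain = pcall(decrypt, key, raw:sub(1, 16), raw:sub(17))
            if ok then
                -- Show the plaintext as its own data source tab.
                -- Padding (e.g. PKCS#7), if any, is left in place here.
                local ptvb = ByteArray.new(plain, true):tvb("Decrypted MQTT message")
                sub:add(f_plain, ptvb:range())
            else
                sub:append_text(" [decryption failed: " .. tostring(plain) .. "]")
            end
        else
            sub:append_text(" [payload length does not fit the assumed IV + CBC layout]")
        end
    end
end

register_postdissector(p)
```

CBC provides no integrity check, so a wrong key still yields bytes; if the real scheme is authenticated, verify the tag before displaying the plaintext.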