Custom dissector, fields depend on packet order

1
votes

The Situation

I'm writing a custom lua dissector for a protocol. We capture the protocl with custom hardware which gives us PCAP files. The protocol consists of 64 bit packets.

The protocol has a "start transaction" bit, which indicates the start of an 8 packet transaction, and depending on where we are in that transaction parts of the packet has a different meaning, i.e. in the packet with the start transaction bit, the packet starts with a header, then the next packet contains the message code in that same spot. There are in total 8 different ways to interpret the same offset of the packet, depending on where we are in the transaction.

I want to dissect the protocol and have the field depend on where we are in the transaction.

What I've tried

I created a simple sequence counter variable outside the dissector function, which is reset if the transaction start bit is encountered. and it counts to 8. Depending on that counter I select which protofields I should add to the tree.

This kind of works, if I show all the different fields as columns, they have the correct values in the right places. However, when I click a packet the packet details show no or the wrong field names, depending on the order in which I click the packets. For example If I click a packet with the "transaction start" then the packet info correctly shows the data as "header". However, if I then click any other packet the field is shown as "message code".

It seems like the order for the disection in the packet info field is not fixed, it uses the order in which I click the packets, not the order in which they were captured.

Is wireshark even suited to base the way it dissects a certain packet solely on the order in which it was received?

2
luawiresharkwireshark-dissector
Your assumption that the dissector function is called once for each packet is wrong. That assumption is only true when you load the pcap file and the overview pane is filled.harper

2 Answers

2
votes

Is wireshark even suited to base the way it dissects a certain packet solely on the order in which it was received?

Wireshark will process packets in order only on the 1st pass, and you can tell if it's the 1st time the packet is being dissected using pinfo.visited. It'll be false the 1st time a packet is dissected and true for all other times.

But that alone won't be enough; you'll also need to save the counter (1-8) of the packet so that you'll know how to dissect that particular packet again the next time the packet is dissected, which could occur at any time. With C dissectors, this is typically done using conversation constructs like conversation_add_proto_data() and conversation_get_proto_data(), but in this case, I'm not entirely sure if that's the best approach or if it's even supported with Lua dissectors. Still, it might be a good place to start? Check out doc/README.request_response_tracking or the Wireshark Lua wiki pages or inquire over at the Wireshark Q&A site for possible ideas from others in the Wireshark community. (It's been awhile since I've written Lua dissectors, and I don't recall what, if anything, is available in Lua to meet your needs.)

1
votes

I've been a similar situation to this.

My solution was simply to store the information I needed - in your case the counter - in a table outside of the dissector function, using the current packet number (pinfo.number) as the index for the data.

As @Christopher Maynard said, Wireshark will pass over the packets in order on the first pass. Using this information, in conjunction with pinfo.visited, will allow you to store the counter information on the first pass through.

There is one small caveat. If there are any other protocols recorded in the .pcap file, these will show up as gaps in table, as your dissector will only be activated for the specified protocol. This is fixed by inserting a simple nil check when iterating through the table. (I'm not sure whether this will be an issue in your case, but I thought it worth bringing up)

P.S. I don't think Wireshark is suited to dissecting packets based on the order they are received, but we can make it work!