Reputation: 391
I found a very useful example of heuristic table usage in Lua (a link), but it doesn't cover my case.
I've written a custom dissector in Lua. The custom protocol it describes has many subprotocols, so I created a new subdissector table with DissectorTable.new() and registered the new subprotocols. But some of the subprotocols don't have an identification sign, and their types must be found out dynamically.
I hoped to register a heuristic dissector with the proto:register_heuristic() method, but my new table is not in the DissectorTable.heuristic_list() list.
Creating a new dissector table does not create a heuristic dissector table. Is there a way to create my own heuristic dissector table?
Upvotes: 1
Views: 2378
Reputation: 651
There is no way to create a real heuristic dissector table for your protocol in the current Lua API, but I'm not sure it makes a lot of sense to have such a thing. The purpose of having a protocol create a heuristic dissector table for itself is so that other protocols can register their heuristic dissectors into it - for example the UDP protocol creates a heuristic dissector table named "udp", so that other protocols like RTP, STUN, Skype, etc., can all register their heuristic dissectors into it, and UDP can try them all without knowing about them beforehand.
But when you create a new protocol in a Lua plugin, no other code is going to know about your new protocol or any heuristic dissector table you create. Only your own Lua code will know about it. Obviously your new protocol might have subprotocols that need to be tried heuristically, as you appear to need, but you don't need a heuristic dissector table to do that - just call your subprotocols' heuristic dissector functions directly in Lua.
For example:
```lua
local myProto = Proto("myproto", "My Main Protocol")
local mySubproto1 = Proto("mysubproto1", "My First Sub-Protocol")
local mySubproto2 = Proto("mysubproto2", "My Second Sub-Protocol")

-- the sub-protocol's heuristic function
-- returns true if the packet is its protocol and it dissected it
-- otherwise returns false
local function heur_dissect_mySubproto1(tvbuf, pktinfo, root)
    -- see if the passed in tvb is Subproto1 protocol
    -- and if so then add tree items and such or
    -- call mySubproto1's normal dissector function to do that stuff
    local is_Subproto1 = false -- placeholder: set from your own check
    return is_Subproto1
end

local function heur_dissect_mySubproto2(tvbuf, pktinfo, root)
    -- see if the passed in tvb is Subproto2 protocol
    local is_Subproto2 = false -- placeholder: set from your own check
    return is_Subproto2
end

function myProto.dissector(tvbuf, pktinfo, root)
    -- do stuff for my main protocol
    local bytes_parsed_by_myproto = 0 -- placeholder: bytes consumed by the main protocol

    -- create a new sub-tvb of what has not been processed by the main protocol
    local newTvb = tvbuf(bytes_parsed_by_myproto):tvb()

    -- call the heuristic dissector functions of my sub protocols
    -- with the portion of the tvb that belongs to them
    if heur_dissect_mySubproto1(newTvb, pktinfo, root) then
        -- do here anything you need to afterwards
    elseif heur_dissect_mySubproto2(newTvb, pktinfo, root) then
        -- do here anything you need to afterwards
    end
end
```
or if you want to be fancier, use a table of your own...
```lua
local myProto = Proto("myproto", "My Main Protocol")
local mySubproto1 = Proto("mysubproto1", "My First Sub-Protocol")
local mySubproto2 = Proto("mysubproto2", "My Second Sub-Protocol")

-- a heuristic dissector table for myProto
local myProto_heuristic_table = {}

-- a function to register into myProto's heuristic table
local function register_heuristic(func)
    myProto_heuristic_table[#myProto_heuristic_table + 1] = func
end

local function heur_dissect_mySubproto1(tvbuf, pktinfo, root)
    -- do stuff
    local is_Subproto1 = false -- placeholder: set from your own check
    return is_Subproto1
end
-- "register" the above function
register_heuristic(heur_dissect_mySubproto1)

local function heur_dissect_mySubproto2(tvbuf, pktinfo, root)
    -- do stuff
    local is_Subproto2 = false -- placeholder: set from your own check
    return is_Subproto2
end
register_heuristic(heur_dissect_mySubproto2)

function myProto.dissector(tvbuf, pktinfo, root)
    -- do stuff for my main protocol
    local bytes_parsed_by_myproto = 0 -- placeholder: bytes consumed by the main protocol
    local newTvb = tvbuf(bytes_parsed_by_myproto):tvb()

    -- call the heuristic dissector functions of my sub protocols
    -- with the portion of the tvb that belongs to them
    for _, func in ipairs(myProto_heuristic_table) do
        -- call the heuristic
        if func(newTvb, pktinfo, root) then
            -- do here anything you need to afterwards
            return
        end
    end
end
```
Upvotes: 1
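An added example (not code from the answer above) of what the body of one heuristic function can look like when the bytes it inspects are untrusted: it checks lengths before every read and touches the tree only after the match is confirmed. The 4-byte main header, the magic value 0x5331 and the length field layout are assumptions made for illustration.

```lua
-- Added example: every field layout below is an assumption, not a real protocol.
local myProto     = Proto("myproto", "My Main Protocol")
local mySubproto1 = Proto("mysubproto1", "My First Sub-Protocol")

local f_len = ProtoField.uint16("mysubproto1.length", "Payload Length", base.DEC)
mySubproto1.fields = { f_len }

local MAIN_HDR_LEN = 4        -- assumed size of the main protocol header
local SUB1_HDR_LEN = 4        -- assumed: 2-byte magic + 2-byte big-endian length
local SUB1_MAGIC   = 0x5331   -- constructed magic value

-- Heuristic: returns true only after every check on the packet bytes passes.
local function heur_dissect_mySubproto1(tvbuf, pktinfo, root)
    -- Too short to hold the header: reading it would raise a Lua error.
    if tvbuf:len() < SUB1_HDR_LEN then return false end
    if tvbuf(0, 2):uint() ~= SUB1_MAGIC then return false end

    -- The length field comes from the wire; reject it if it claims more
    -- payload than the captured bytes actually contain.
    local payload_len = tvbuf(2, 2):uint()
    if payload_len > tvbuf:len() - SUB1_HDR_LEN then return false end

    -- Only now modify columns and tree, so a failed match leaves no trace
    -- for the next heuristic in the list.
    pktinfo.cols.protocol = "MYSUB1"
    local tree = root:add(mySubproto1, tvbuf(0, SUB1_HDR_LEN + payload_len))
    tree:add(f_len, tvbuf(2, 2))
    return true
end

local myProto_heuristic_table = { heur_dissect_mySubproto1 }

function myProto.dissector(tvbuf, pktinfo, root)
    pktinfo.cols.protocol = "MYPROTO"
    root:add(myProto, tvbuf())
    -- Nothing left after the main header: do not build a sub-tvb at all.
    if tvbuf:len() <= MAIN_HDR_LEN then return end
    local newTvb = tvbuf(MAIN_HDR_LEN):tvb()
    for _, func in ipairs(myProto_heuristic_table) do
        if func(newTvb, pktinfo, root) then return end
    end
end
```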