localacct

Reputation: 777

Interpret DBus Messages

I was trying to interpret the bytes in a DBus Message as specified in https://dbus.freedesktop.org/doc/dbus-specification.html. This is taken from a pcap while using the Frida tool.

The bytes are

0000   6c 01 00 01 08 00 00 00 01 00 00 00 70 00 00 00
0010   01 01 6f 00 15 00 00 00 2f 72 65 2f 66 72 69 64
0020   61 2f 48 6f 73 74 53 65 73 73 69 6f 6e 00 00 00
0030   02 01 73 00 16 00 00 00 72 65 2e 66 72 69 64 61
0040   2e 48 6f 73 74 53 65 73 73 69 6f 6e 31 35 00 00
0050   08 01 67 00 05 61 7b 73 76 7d 00 00 00 00 00 00
0060   03 01 73 00 17 00 00 00 47 65 74 46 72 6f 6e 74
0070   6d 6f 73 74 41 70 70 6c 69 63 61 74 69 6f 6e 00
0080   00 00 00 00 00 00 00 00

There are some fields whose meaning I am uncertain about. I'd appreciate it if anyone can provide some guidance on this.

Upvotes: 0

Views: 653

Answers (2)

user16139739

Reputation: 1155

This is taken from a pcap

If it's a standard pcap (or pcapng) D-Bus capture file, using the LINKTYPE_DBUS link-layer type, then Wireshark should be able to read it and, at least to some degree, interpret the messages (i.e., it has code that understands the message format, as defined by the specification to which @rm5248 referred, and to which the LINKTYPE_DBUS entry in the list of link-layer header types refers), so you might not have to interpret all the bytes by yourself.

Upvotes: 1

rm5248

Reputation: 2645

You want to look at the part of the specification that tells you what the message format is.

But to answer your questions:

0x08000000: Length of Message Body (Little Endian), starting from end of Header. This should be referring to the eight null bytes at the end?

Correct.

0x70000000: (Little Endian) Not sure what this represents? This value does correspond to the length of the array of struct, excluding trailing null bytes, that starts from 0x0010 and ends at 0x007F.

That's the length of the array in the header. The DBus header is of a variable size - after the first few bytes, it is an array of struct(byte,variant). As per the documentation, that looks like a(yv) if you were to express this as a DBus type signature.

0x01: Decimal Code for Object Path 0x01: Not sure what this represents?

This is where the parsing gets interesting: in our struct, the signature is yv, so the first 0x01 is telling us that this struct entry is the header field for Object Path, as you have seen. However, we now need to parse what the variant contains inside of it. To marshal a variant, you first marshal a signature, which in this case is 1 byte long: 01 6f 00. Note that signatures can be a max of 255 bytes long, so unlike other strings they only have a 1-byte length at the front. As a string, that is o, which tells us that this variant contains an object path inside of it. Since object paths are strings, we then decode the next bytes as a string (keeping in mind that the leading 4 bytes are the string length): 15 00 00 00 2f 72 65 2f 66 72 69 64 61 2f 48 6f 73 74 53 65 73 73 69 6f 6e 00

If I've done the conversion correctly, that says /re/frida/HostSession

Upvotes: 1
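The walk-through above, carried through for the whole header as an added example (not code from the question, from Frida or from the D-Bus project): a small Python parser for the fixed 12-byte header, the a(yv) field array and the body offset, run over the hex dump from the question. It applies the rules the answer describes (1-byte length on signatures, 4-byte length on strings and object paths, 8-byte alignment of each (yv) struct) and refuses a message whose declared body length runs past the buffer; the helper names are my own.

```python
import struct

# The message from the question, constructed here from its hex dump.
MESSAGE = bytes.fromhex(
    "6c010001080000000100000070000000" "01016f00150000002f72652f66726964"
    "612f486f737453657373696f6e000000" "020173001600000072652e6672696461"
    "2e486f737453657373696f6e31350000" "0801670005617b73767d000000000000"
    "030173001700000047657446726f6e74" "6d6f73744170706c69636174696f6e00"
    "0000000000000000")

# Header field codes and message types, per the D-Bus specification.
FIELDS = {1: "PATH", 2: "INTERFACE", 3: "MEMBER", 4: "ERROR_NAME", 5: "REPLY_SERIAL",
          6: "DESTINATION", 7: "SENDER", 8: "SIGNATURE", 9: "UNIX_FDS"}
TYPES = {1: "METHOD_CALL", 2: "METHOD_RETURN", 3: "ERROR", 4: "SIGNAL"}

def _align(off, n):
    return (off + n - 1) // n * n

def _read_string(buf, off, end):   # 's'/'o': UINT32 length (4-byte aligned), bytes, NUL
    off = _align(off, 4)
    (n,) = struct.unpack_from(end + "I", buf, off)
    return buf[off + 4:off + 4 + n].decode(), off + 4 + n + 1

def _read_signature(buf, off):     # 'g': one length byte (max 255), bytes, NUL
    n = buf[off]
    return buf[off + 1:off + 1 + n].decode(), off + 1 + n + 1

def parse_header(buf):
    end = "<" if buf[:1] == b"l" else ">"    # endianness flag: 'l' or 'B'
    mtype, flags, ver, body_len, serial, arr_len = struct.unpack_from(end + "BBBIII", buf, 1)
    fields, off, stop = {}, 16, 16 + arr_len  # the a(yv) header field array follows
    while off < stop:
        off = _align(off, 8)                  # each (yv) struct starts 8-byte aligned
        code = buf[off]                       # 'y': field code
        sig, off = _read_signature(buf, off + 1)  # variant: signature first, then value
        if sig in ("s", "o"):
            value, off = _read_string(buf, off, end)
        elif sig == "g":
            value, off = _read_signature(buf, off)
        elif sig == "u":
            off = _align(off, 4)
            value, off = struct.unpack_from(end + "I", buf, off)[0], off + 4
        else:
            raise ValueError(f"unexpected header field type {sig!r}")
        fields[FIELDS.get(code, code)] = value
    body = _align(stop, 8)                    # body starts 8-byte aligned after the header
    if len(buf) < body + body_len:
        raise ValueError("truncated message: body shorter than declared length")
    return {"type": TYPES.get(mtype, mtype), "flags": flags, "version": ver, "serial": serial,
            "body_len": body_len, "fields": fields, "body": buf[body:body + body_len]}
```

For the captured message this yields a METHOD_CALL with serial 1, the four header fields the answer decodes by hand, and an 8-byte body (the empty a{sv} argument, padded to 8 bytes).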
