
lua plugin calling built-in dissector, does not pass pkt data to it


Hello, I have a use case where the data I need to dissect can be wrapped in a couple of different ways. The data can arrive in an Ethernet packet with a special ether-type (say, my-ethernet-type) or it can arrive in an IP packet with a special ip-protocol (say, my-ip-protocol). The payload in both cases is exactly the same.

I have written a built-in dissector for my-ip-protocol, and it works fine when data arrives in IP packets. The built-in dissector function looks like: dissect_my_ip_protocol(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, void *data)

To dissect data that arrives in an Ethernet frame with ether-type = my-ether-type, I have written the Lua script below.

My problem is:

  • The Lua script calls the built-in dissector dissect_my_ip_protocol().

  • However, the last argument to that function, 'void *data', is always NULL.

  • So, my built-in dissector cannot dissect the packet.

  • if I print tvb in the lua script, it shows it has sufficient data.

  • The translation of my_ip_proto_dissector:call(buffer():tvb(), pinfo, tree) to dissect_my_ip_protocol(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, void *data) is messed up somehow.

  • What am I doing wrong?

Thank you for your help.


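```lua
-- Lua wrapper protocol for the Ethernet-encapsulated case
my_mac_encap_protocol = Proto("My_Mac_Data", "MAC Data")
-- Handle to the built-in (C) dissector; "my-ip-protocol" is the poster's placeholder name
my_ip_proto_dissector = Dissector.get("my-ip-protocol")

function my_mac_encap_protocol.dissector(buffer, pinfo, tree)
        local length = buffer:len()
        if length == 0 then return end

        pinfo.cols.protocol = my_mac_encap_protocol.name

        -- Hand the whole buffer to the built-in dissector.
        -- The C function's 'void *data' argument arrives as NULL on this path.
        my_ip_proto_dissector:call(buffer():tvb(), pinfo, tree)
end

-- Register the my-ethernet-type dissector
local eth_type = DissectorTable.get("ethertype")
-- my-ethernet-type is the poster's placeholder for the numeric EtherType value
eth_type:add(my-ethernet-type, my_mac_encap_protocol)
```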

ajitb
asked 2020-04-07 13:15:27 +0000
cmaynard
updated 2020-04-07 13:58:31 +0000

2 Answers


Are you actually passing data to dissect_my_ip_protocol() in the data argument? Because the tvb has all the packet bytes, so you should be able to grab what you need from it. I don't think Lua currently supports passing data by way of the data argument.

cmaynard
answered 2020-04-07 14:08:18 +0000

Comments

Thank you @cmaynard for your quick response. You are right, the Lua script does not pass the data argument to the built-in dissector. I believe it is suggested to use private_table in pinfo. I will change my logic and proceed. Thank you.

ajitb (2020-04-08 03:39:40 +0000)

> Hello, I have a use case where the data I need to dissect can be wrapped in a couple of different ways. The data can arrive in an Ethernet packet with a special ether-type (say, my-ethernet-type) or it can arrive in an IP packet with a special ip-protocol (say, my-ip-protocol). The payload in both cases is exactly the same.
>
> I have written a built-in dissector for my-ip-protocol, and it works fine when data arrives in IP packets. ...
>
> To dissect data that arrives in an Ethernet frame with ether-type = my-ether-type, I have written the Lua script below.

Is there some reason why you don't register your dissector in the "ethertype" dissector table, with the special EtherType as the key, and in the "ip.proto" dissector table, with the special IP protocol number as the key? That should work, if the payload is exactly the same.

I.e., your dissector would just be dissect_my_protocol(), and would be registered for both IP and EtherType-based protocols.

Guy Harris
answered 2020-04-08 05:15:54 +0000

Comments

@Guy Harris: Yes, it's possible to do that. I will try it and it should work. Thanks for the good suggestion.

ajitb (2020-04-08 10:09:31 +0000)
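
The approach from the second answer, sketched in Lua as an added example (not code from the thread or from the asker's C dissector): a single dissector that takes everything it needs from the tvb and is registered in both the "ethertype" and "ip.proto" tables. The 4-byte header layout, the field names, EtherType 0x88B5 and IP protocol 253 (both experimental-use values) are assumptions standing in for the real ones.

```lua
-- Added example: header layout, names and numeric keys are assumptions.
local my_proto = Proto("my_protocol", "My Protocol (example)")

local f_version = ProtoField.uint8("my_protocol.version", "Version", base.DEC)
local f_type    = ProtoField.uint8("my_protocol.type", "Type", base.HEX)
local f_length  = ProtoField.uint16("my_protocol.length", "Payload Length", base.DEC)
local f_payload = ProtoField.bytes("my_protocol.payload", "Payload")
my_proto.fields = { f_version, f_type, f_length, f_payload }

local HEADER_LEN = 4  -- hypothetical layout: version(1) type(1) length(2)

function my_proto.dissector(tvb, pinfo, tree)
    -- Everything comes from the tvb; nothing depends on a 'data' argument,
    -- so the same code works whichever table dispatched the packet.
    if tvb:len() < HEADER_LEN then return 0 end

    pinfo.cols.protocol = "MYPROTO"

    -- Trust the declared length rather than tvb:len(): short Ethernet
    -- frames can carry trailing padding that is not part of the payload.
    local declared = tvb(2, 2):uint()
    local avail = tvb:len() - HEADER_LEN
    local n = math.min(declared, avail)

    local subtree = tree:add(my_proto, tvb(0, HEADER_LEN + n))
    subtree:add(f_version, tvb(0, 1))
    subtree:add(f_type, tvb(1, 1))
    local len_item = subtree:add(f_length, tvb(2, 2))
    if declared > avail then
        len_item:add_expert_info(PI_MALFORMED, PI_WARN,
            "Declared length exceeds available data")
    end
    if n > 0 then
        subtree:add(f_payload, tvb(HEADER_LEN, n))
    end

    -- Report how many bytes were consumed.
    return HEADER_LEN + n
end

-- One dissector, two registrations (keys are assumed experimental values).
DissectorTable.get("ethertype"):add(0x88B5, my_proto)
DissectorTable.get("ip.proto"):add(253, my_proto)
```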