I have the version 3.3.0 of wireshark, And I have a test.pcapng .How can be decode it. I just select one data,right click-> "Decode as" , I want change it protocol, but there not found ProtoBuf in current column. Is there have detail manul for decode the Protobuf.
You need to supply a .proto file that describes the protobuf format in use. See this page and the following one, from the User's Guide that describes how you can configure this.
Yes,I config it already, in "Edit"->"Prefences"->"Protocols"->"Protobuf" . Did I nedd selecte the Data Row, and right click-> Decode As ?
If your traffic is over UDP, then set the ports and message types in the dissector preference accordingly, else your traffic must be over HTTP using grpc.
Yes,it UDP. But how to set the dissector?
Yes,I Set the UDP ports :8002,and let the "Message" and "Type" blank.But there is no change on the table. If I need to select the data row and right click, -> Docode As ....
To support protobuf over tcp, you can write a Lua script and put it in your Lua plugins directory ("Help->About Wireshark->Folders->Personal Lua Plugins").
The file name might be "protobuf_tcp.lua", and the content likes:
do
local protobuf_tcp_proto = Proto("protobuf_tcp", "Protobuf over TCP")
local protobuf_dissector = Dissector.get("protobuf")
local f_length = ProtoField.uint32("protobuf_tcp.length", "Length", base.DEC)
protobuf_tcp_proto.fields = { f_length }
-- This must be the root message defined in your .proto file
local message_type = "tutorial.AddressBook"
function protobuf_tcp_proto.dissector(tvb, pinfo, tree)
local offset = 0
local remaining_len = tvb:len()
local subtree = tree:add(protobuf_tcp_proto, tvb())
pinfo.columns.protocol:set("PB_TCP")
while remaining_len > 0 do
if remaining_len < 4 then -- head not enough
pinfo.desegment_offset = offset
pinfo.desegment_len = DESEGMENT_ONE_MORE_SEGMENT
return -1
end
local data_len = tvb(offset, 4):uint()
if remaining_len - 4 < data_len then -- data not enough
pinfo.desegment_offset = offset
pinfo.desegment_len = data_len - (remaining_len - 4)
return -1
end
subtree:add(f_length, tvb(offset, 4))
pinfo.private["pb_msg_type"] = "message," .. message_type
pcall(Dissector.call, protobuf_dissector, tvb(offset + 4, data_len):tvb(), pinfo, subtree)
offset = offset + 4 + data_len
remaining_len = remaining_len - 4 - data_len
end
end
-- TCP port
DissectorTable.get("tcp.port"):add(18127, protobuf_tcp_proto)
end
Remember to replace "tutorial.AddressBook" with the fullname of the root message defined in your .proto file and tcp port 18127 with your tcp port of your capture file.
You should be sure your .proto file is in the "Protobuf search paths", and make sure "load all files" option checked.
You can use "decode as" now if your message types for all tcp ports are the same.
Certainly, you can make the message type for each tcp port different and configurable by adding something like: protobuf_tcp_proto.prefs.tcp_port_message_maps = Pref.string("TCP Ports and Message Maps", "18127:tutorial.AddressBook", "Format: port1:message.type1,port2:message.type2,...") But that need more code.
Now, you can refer to https://gitlab.com/wireshark/wireshar... for more details about wireshark protobuf dissector.
Comments