Coloring Rules based on Preference

Hi, is there a way to use preferences that a Lua dissector created to modify the coloring rules?

Example: set the port number in a preference, because the port number can change, and doing this will not require changing the Lua script.

myprotocol = Proto("myproto", "MyProtocol")

local pref = myprotocol.prefs
pref.port = Pref.uint("Port", 3000, "Port for this protocol")

so in the coloring rules I just have to do the following:

(tcp.dstport == myproto.port) || (tcp.srcport == myproto.port)

So only the preference needs to change, and not the coloring rules or the Lua script, when the port number changes.

Thanks

kdwalkeraz, asked 2023-03-31 23:08:01 +0000

2 Answers

Coloring rules use the syntax of display filters which don't currently support checking a preference value. That would make a pretty good Enhancement Request on the Wireshark Gitlab issues.

Until/if/when this is added, could you add another field to your protocol, copy the preference value to it and use that in the coloring rule?

The field could be hidden or maybe should be displayed in the tree and marked with treeitem:set_generated([bool]).

Chuckc, answered 2023-04-01 00:30:45 +0000, updated 2023-04-01 00:31:40 +0000

Comments

I have tried doing something like that but it did not make a difference.

myproto_protocol = Proto("MyProto", "MyProtocol Protocol")
local pref = myproto_protocol.prefs
pref.port = Pref.uint("Port", 3000, "Port for this protocol")
msgLen = ProtoField.int32("myproto.msglength", "Msg Length", base.DEC)
myprotoData = ProtoField.bytes("myproto.Data", "MyProtocol Data")
myprotoPort = ProtoField.uint32("myproto.ProtPort", "MyProtocol Proto Port", base.DEC)
myproto_protocol.fields = { msgLen, myprotoData, myprotoPort }
myprotoPort = pref.port  -- overwrites the ProtoField variable with the port number; the field is never added to the tree
function myproto_protocol.dissector(buffer, pinfo, tree)
    length = buffer:len()
    idacvmePort = pref.port
    pinfo.cols.protocol = myproto_protocol.name
    if length == 0 then return end
    -- do dissector work here
end
local tcp_port = DissectorTable.get("tcp.port")
tcp_port:add(pref.port, myproto_protocol)
kdwalkeraz (2023-04-01 15:36:54 +0000)

When the preference for the port number is changed, you would like it to redissect the packets and update the coloring?
Will there be different profiles (with different port numbers), or will it always start with the default port?

Chuckc (2023-04-01 17:38:49 +0000)

The preference for the port number will only change based on what pcap file we are using, so restarting Wireshark would not be an issue, but redissecting would be OK also. Not sure about the profiles.

kdwalkeraz (2023-04-03 14:08:25 +0000)

This is heavily plagiarized (stolen?) from the work of @cmaynard in Guacamole Dissector.

Coloring rule: tcp.port == myproto.ProtPort

-- 230401: Ask 31160 - Coloring Rules based on Preference
local myproto_p = Proto("myproto", "MyProtocol Protocol")

-- Default settings
local MYPROTO_TCP_PORT = 3000

-- Preferences
local myproto_settings = {
    tcp_port = MYPROTO_TCP_PORT
}

myproto_p.prefs.tcp_port = Pref.uint("TCP port", myproto_settings.tcp_port,
    "The MyProtocol TCP port number (default=" .. MYPROTO_TCP_PORT .. ")")

-------------------------------------------------------------------------
function myproto_p.prefs_changed()

    if myproto_settings.tcp_port ~= myproto_p.prefs.tcp_port then
        -- remove old one, if not 0
        if myproto_p.prefs.tcp_port ~= 0 then
            DissectorTable.get("tcp.port"):remove(myproto_settings.tcp_port, myproto_p)
        end

        -- set our new default
        myproto_settings.tcp_port = myproto_p.prefs.tcp_port

        -- add new one, if not 0
        if myproto_settings.tcp_port ~= 0 then
            DissectorTable.get("tcp.port"):add(myproto_settings.tcp_port, myproto_p)
        end
    end

end -- myproto_p.prefs_changed()

local pf = {
    msgLen = ProtoField.int32("myproto.msglength", "Msg Length", base.DEC),
    myprotoData = ProtoField.bytes("myproto.Data", "MyProtocol Data"),
    myprotoPort = ProtoField.uint32("myproto.ProtPort", "MyProtocol Proto Port", base.DEC)
}

myproto_p.fields = pf

function myproto_p.dissector(buffer, pinfo, tree)
    local length = buffer:len()
    pinfo.cols.protocol = myproto_p.name
    local subtree = tree:add(myproto_p)
    -- copy the preference value into a field so filters and coloring rules can test it
    subtree:add(pf.myprotoPort, myproto_settings.tcp_port)
    subtree:add(pf.msgLen, length)
    if length == 0 then return end
    -- do dissector work here
end

local tcp_port = DissectorTable.get("tcp.port") 
tcp_port:add(myproto_settings.tcp_port, myproto_p)
Chuckc, answered 2023-04-05 15:29:24 +0000, updated 2023-04-05 15:30:03 +0000
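An added example that is not from this thread nor from the Guacamole dissector credited above. It combines the two answers: the port is copied from a uint preference into a field, shown as a generated item (the first answer's set_generated suggestion, since the value does not come from the wire) with the hidden variant alongside, and prefs_changed moves the tcp.port registration so a preference change takes effect without editing the script or the coloring rule. The names demo and demo.cfgport are constructed; the API calls (Pref.uint, prefs_changed, TreeItem:set_generated, TreeItem:set_hidden) are assumed to behave as documented in the WSDG.

```lua
-- Added example (not from the thread). "demo" / "demo.cfgport" are
-- constructed names; Wireshark Lua API calls are used as documented.
local demo_p = Proto("demo", "Demo Protocol")

local DEFAULT_PORT = 3000
local settings = { port = DEFAULT_PORT }   -- port currently registered

demo_p.prefs.port = Pref.uint("TCP port", DEFAULT_PORT,
    "TCP port for Demo (default=" .. DEFAULT_PORT .. ")")

local pf = {
    cfgport = ProtoField.uint16("demo.cfgport", "Configured port", base.DEC),
    length  = ProtoField.uint32("demo.length", "Payload length", base.DEC),
}
demo_p.fields = pf

-- Move the tcp.port registration when the preference changes, so frames
-- on the new port are dissected (and coloured) after a redissect.
function demo_p.prefs_changed()
    local new_port = demo_p.prefs.port
    if new_port == settings.port then return end
    local tbl = DissectorTable.get("tcp.port")
    if settings.port ~= 0 then tbl:remove(settings.port, demo_p) end
    settings.port = new_port
    if settings.port ~= 0 then tbl:add(settings.port, demo_p) end
end

function demo_p.dissector(buffer, pinfo, tree)
    local len = buffer:len()
    if len == 0 then return end
    pinfo.cols.protocol = demo_p.name
    local sub = tree:add(demo_p, buffer())
    -- The value comes from the preference, not from the packet bytes:
    -- mark it generated so the details pane shows it in [brackets] ...
    local item = sub:add(pf.cfgport, settings.port)
    item:set_generated(true)
    -- ... or hide it; a hidden field is still filterable, so
    -- "demo.cfgport == 3000" keeps working in coloring rules.
    -- item:set_hidden(true)
    sub:add(pf.length, len)
end

DissectorTable.get("tcp.port"):add(settings.port, demo_p)
```

Either way the field only exists on frames this dissector ran on, so a coloring rule such as tcp.port == demo.cfgport (or simply demo) matches exactly those frames.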

Comments

Yes, that looks to work. I liked the prefs_changed function; I did not know that was there. I guess I need to read the docs better. Thanks.

kdwalkeraz (2023-04-05 19:05:36 +0000)

Yes, trying to find functions in the WSDG can be tough. I put together an index last year: Wireshark's Lua API (220711_wslua_Index_DRAFT.pdf).

Chuckc (2023-04-05 19:18:39 +0000)