
Is it possible to attach a dissector to custom options in pcapng

We have a custom protocol for which we have developed a Lua-based dissector. But at the time of packet capture, we also need to capture some OOB data and were considering using the custom options capability in pcapng. However, it is not clear to me whether we can attach a custom dissector to an option block of the Enhanced Packet Block. Specifically, would this be possible using Lua dissectors? Any pointers would be appreciated.

abhishekes, asked 2023-08-02 03:32:04 +0000


1 Answer


I don't believe that is currently possible and I would not want that functionality in the pcapng file format. It opens up a large attack surface for nefarious purposes (just like macros in office documents). IMHO it should always be a manual deliberate action for someone to execute code from a third party.

So the best option would be to supply the Lua dissector separately, which might of course not be the most convenient solution.

SYN-bit, answered 2023-08-03 06:56:06 +0000

Comments

Supplying the Lua dissector separately is fine with us, but so far, from what we see, we are only able to attach the dissector to the packet info and not to the other blocks of data in pcapng. I wanted some examples of how we could get a hook to attach the custom dissector to the options block of the EPB.

abhishekes (2023-08-03 07:11:05 +0000)

Ah, I misread your question then. I now see you need a mechanism to supply non-packet data somehow to your custom dissector. Accessing custom EPBs from Lua would require Wireshark to read those blocks in the first place and, AFAIK, that is not done (yet?). You could file an enhancement request for such a feature on GitLab, but it might take a while (or not be implemented at all).

Another way of doing this is creating packets for the OOB data. In the past I have collected some SNMP values of a load balancer and encoded them in the data part of ping packets that were sent to a host for which the traffic was captured.

As you seem to be able to write the custom EPB, you should also be able to add synthetic packets to the pcapng file (perhaps with a different interface ID) and have your Lua dissector pick ...

SYN-bit (2023-08-03 07:45:24 +0000)

@SYN-bit Ha! SNMP over ICMP - you should write an RFC for that. :-)

Chuckc (2023-08-03 11:08:22 +0000)
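The workaround SYN-bit sketches above, as an added example that is not part of the original thread and is neither Wireshark's nor the asker's code: a small Python script that writes a pcapng file with two Interface Description Blocks, a normal Ethernet interface and a second LINKTYPE_USER0 (147) interface reserved for synthetic OOB records, then reads the file back and groups Enhanced Packet Blocks by interface. The reader validates every block length and trailer before trusting it, which is the check you want in anything that parses capture files it did not produce. The interface names, timestamps, Ethernet bytes and OOB record text are constructed placeholders, not data from the thread.

```python
import struct

LINKTYPE_ETHERNET = 1
LINKTYPE_USER0 = 147  # DLT_USER0: reserved for private encapsulations, never assigned to a public protocol

# pcapng block type codes (from the pcapng specification)
BT_SHB = 0x0A0D0D0A  # Section Header Block
BT_IDB = 0x00000001  # Interface Description Block
BT_EPB = 0x00000006  # Enhanced Packet Block


def _opt(code, data):
    """One pcapng option: 16-bit code, 16-bit length, value padded to a 32-bit boundary."""
    return struct.pack("<HH", code, len(data)) + data + b"\0" * (-len(data) % 4)


def _block(block_type, body):
    """Wrap a body (already 32-bit aligned) in the generic block header and trailing length."""
    total = 12 + len(body)  # 4 type + 4 length + body + 4 trailing length
    return struct.pack("<II", block_type, total) + body + struct.pack("<I", total)


def shb():
    # byte-order magic, major 1, minor 0, section length -1 (unknown); option 4 = shb_userappl, 0 = end of options
    body = struct.pack("<IHHq", 0x1A2B3C4D, 1, 0, -1)
    body += _opt(4, b"pcapng-oob-example") + _opt(0, b"")
    return _block(BT_SHB, body)


def idb(linktype, name):
    # linktype, reserved, snaplen 0 (no limit); option 2 = if_name
    body = struct.pack("<HHI", linktype, 0, 0)
    body += _opt(2, name.encode()) + _opt(0, b"")
    return _block(BT_IDB, body)


def epb(iface, ts_usec, data, comment=None):
    # interface id, timestamp high/low 32 bits (microseconds, the IDB default), captured len, original len
    body = struct.pack("<IIIII", iface, ts_usec >> 32, ts_usec & 0xFFFFFFFF, len(data), len(data))
    body += data + b"\0" * (-len(data) % 4)
    if comment:
        body += _opt(1, comment.encode()) + _opt(0, b"")  # option 1 = opt_comment
    return _block(BT_EPB, body)


# Constructed sample data: a truncated Ethernet frame and one OOB record as a plain text line.
SAMPLE_ETH = bytes.fromhex("ffffffffffff00112233445508000001")
SAMPLE_OOB = b"lb=lb1 pool_conns=42 cpu=17"


def build_capture():
    """Interface 0 carries real traffic; interface 1 carries synthetic OOB records on LINKTYPE_USER0."""
    return (
        shb()
        + idb(LINKTYPE_ETHERNET, "eth0")
        + idb(LINKTYPE_USER0, "oob0")
        + epb(0, 1690947124000000, SAMPLE_ETH)
        + epb(1, 1690947124000001, SAMPLE_OOB, comment="synthetic OOB record, see IDB oob0")
    )


def read_blocks(buf):
    """Walk the block chain, refusing lengths that are unaligned, too short or overrun the buffer."""
    off, blocks = 0, []
    while off < len(buf):
        btype, blen = struct.unpack_from("<II", buf, off)
        if blen < 12 or blen % 4 or off + blen > len(buf):
            raise ValueError(f"malformed block length {blen} at offset {off}")
        if struct.unpack_from("<I", buf, off + blen - 4)[0] != blen:
            raise ValueError(f"trailing length mismatch at offset {off}")
        blocks.append((btype, buf[off + 8:off + blen - 4]))
        off += blen
    return blocks


def packets_by_interface(buf):
    """Return {interface_id: [packet bytes, ...]} for every EPB in the capture."""
    out = {}
    for btype, body in read_blocks(buf):
        if btype != BT_EPB:
            continue
        iface, _, _, caplen, _ = struct.unpack_from("<IIIII", body, 0)
        if 20 + caplen > len(body):
            raise ValueError("captured length exceeds block body")
        out.setdefault(iface, []).append(body[20:20 + caplen])
    return out


if __name__ == "__main__":
    with open("oob_example.pcapng", "wb") as f:
        f.write(build_capture())
    for iface, pkts in packets_by_interface(build_capture()).items():
        print(iface, [p[:16] for p in pkts])
```

On the Wireshark side, the Lua dissector claims the OOB interface by registering on the encapsulation table, `DissectorTable.get("wtap_encap"):add(wtap.USER0, my_proto)`, so every EPB on interface 1 is handed to it as a whole rather than shown as raw data, while interface 0 keeps the normal Ethernet dissection. Keeping the two data kinds on separate interfaces is what makes this safe: the OOB dissector never has to guess whether a packet is real traffic.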