
LUA dissector on raw file

In WS, you can open a raw file (for example ASN.1) by selecting file type "All files". This is very powerful! When selecting the packet I can select "Decode As" and the "field" column is "BER Syntax" and the "Current" column can be set. Now I have my own LUA dissector. If used on tcp or udp, I can add it to the "Decode as" list by registering on one of the tcp / udp ports. I cannot seem to find how to add it to the "BER Syntax" current column. I understand that there are other ways for ASN.1 and creating pcap files by adding a header with user DLT, but it would be so much more convenient if I could just open the binary file and use decode as to select my LUA dissector.

Sjoerd van D
asked 2024-01-15 07:27:47 +0000

Comments

Is there an example ASN.1 file for testing?

Chuckc (2024-01-15 19:48:34 +0000)

Sure, ASN.1 is really simple; however, I don't know how to attach files. If you hexedit a file and add:

0xa1 0x07 0x01 0x01 0x01 0x02 0x02 0x02 0x02
name the file "asn.1", then in WS open "All files" and select asn.1. It will show:
[CONTEXT 1]
  BOOLEAN: 0x01
  INTEGER: 514
Sjoerd van D (2024-01-15 20:08:41 +0000)

CyberChef recipe to create file:
https://gchq.github.io/CyberChef/#rec...

Chuckc (2024-01-15 20:26:20 +0000)

1 Answer


BER seems to be a special case:
New "decode as ..." feature for BER-encoded files (WTAP_FILE_BER).

A BER-encoded file can be dissected as one of a number of registered syntaxes (registered using register_ber_syntax_dissector()).

Syntaxes may also be associated with OIDs (or other strings) using register_ber_oid_syntax().


epan/dissectors/packet-ber.c:

ber_syntax_dissector_table = register_dissector_table("ber.syntax", "BER syntax", proto_ber, FT_STRING, STRING_CASE_SENSITIVE);

It looks like a regular dissector table, but I'm not yet sure why the Lua dissectortable:add_for_decode_as(proto) does not work on it.

Chuckc
answered 2024-01-15 21:11:54 +0000

Comments

Remove BER and have your protocol do full decode?

dtable = DissectorTable.get("wtap_encap")
print(dtable)

dissect = Dissector.get("ber")
print(dissect)

dtable:remove(90, dissect)
Chuckc (2024-01-16 02:56:27 +0000)

Adding this to the code will let the "decode as" show for TCP port, however selecting my dissector will not dissect the packet.

I can make it work by doing:

local dtable = DissectorTable.get("wtap_encap")
dtable:add(90, p_my_dissector)

Not sure why 90; this is probably some value for BER. It is too bad that I won't be able to register some different ASN.1 dissectors and use them with "Decode as", but it is definitely helpful.

Thank you for the help.

Sjoerd van D (2024-01-16 06:27:41 +0000)

https://gitlab.com/wireshark/wireshar...
There's no charge for opening an Enhancement Request.

frame.encap_type = 90

Frame 1: 9 bytes on wire (72 bits), 9 bytes captured (72 bits)
    Encapsulation type: ASN.1 Basic Encoding Rules (90)
    Frame Number: 1

epan/dissectors/packet-ber.c:

dissector_add_uint("wtap_encap", WTAP_ENCAP_BER, ber_file_handle);

wiretap/wtap.h:

#define WTAP_ENCAP_BER                           90
Chuckc (2024-01-16 17:50:13 +0000)
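The comments above converge on registering a Lua dissector against wtap_encap 90 (WTAP_ENCAP_BER) but never show a complete dissector for the sample file. The following is an added example written for this page, not code posted by any participant and not part of Wireshark: a self-contained Lua file dissector that takes over BER files via wtap_encap 90 and walks the TLV structure of the 9-byte sample (0xa1 0x07 0x01 0x01 0x01 0x02 0x02 0x02 0x02). All "berdemo" names are invented for the example; only short-form lengths and single-byte tags are handled, and the bit fields of the tag byte are extracted with plain arithmetic so the script does not depend on which Lua version a given Wireshark build ships.

```lua
-- Added example (not from the thread): Lua file dissector for BER-encoded
-- files, registered on wtap_encap 90 = WTAP_ENCAP_BER (wiretap/wtap.h).
-- "berdemo" and all field names below are invented for this example.
local berdemo = Proto("berdemo", "Demo BER file dissector (Lua)")

local f_tag  = ProtoField.uint8("berdemo.tag", "Tag", base.HEX)
local f_len  = ProtoField.uint8("berdemo.length", "Length", base.DEC)
local f_bool = ProtoField.uint8("berdemo.boolean", "BOOLEAN", base.HEX)
local f_int  = ProtoField.int32("berdemo.integer", "INTEGER", base.DEC)
berdemo.fields = { f_tag, f_len, f_bool, f_int }

-- Universal tag numbers that appear in the sample file from the comments
local TAG_BOOLEAN = 0x01
local TAG_INTEGER = 0x02
local MAX_DEPTH   = 8   -- cap nesting so a crafted file cannot recurse without bound

-- Walk the TLVs inside `range`, adding one tree node per element.
-- Every length taken from the file is checked against the bytes actually
-- present before it is used; a dissector that trusts length bytes blindly
-- throws on malformed input instead of reporting it.
local function walk_tlv(range, tree, depth)
  local offset = 0
  local total  = range:len()
  while offset < total do
    if offset + 2 > total then
      tree:add(range(offset), "Malformed: truncated TLV header")
      return
    end
    local tag = range(offset, 1):uint()
    local len = range(offset + 1, 1):uint()
    -- tag byte layout: bits 7-6 class, bit 5 constructed, bits 4-0 number
    local class       = math.floor(tag / 0x40)          -- 0 universal, 2 context-specific
    local constructed = (math.floor(tag / 0x20) % 2) == 1
    local number      = tag % 0x20

    if len >= 0x80 or number == 0x1f then
      tree:add(range(offset, 2), "Unsupported: long-form length or multi-byte tag")
      return
    end
    if offset + 2 + len > total then
      tree:add(range(offset, 2), string.format(
        "Malformed: length %d exceeds the %d remaining bytes", len, total - offset - 2))
      return
    end
    local value = range(offset + 2, len)

    if constructed then
      local label = (class == 2) and string.format("[CONTEXT %d]", number)
                                  or string.format("Constructed tag 0x%02x", tag)
      local node = tree:add(range(offset, 2 + len), label)
      node:add(f_tag, range(offset, 1))
      node:add(f_len, range(offset + 1, 1))
      if depth < MAX_DEPTH then
        walk_tlv(value, node, depth + 1)
      else
        node:add(value, "Nesting too deep; contents not decoded")
      end
    elseif class == 0 and number == TAG_BOOLEAN and len == 1 then
      tree:add(f_bool, value)
    elseif class == 0 and number == TAG_INTEGER and len >= 1 and len <= 4 then
      tree:add(f_int, value)        -- big-endian two's complement, 1 to 4 bytes
    else
      tree:add(range(offset, 2 + len), string.format(
        "Tag 0x%02x, %d byte(s): %s", tag, len, value:bytes():tohex()))
    end
    offset = offset + 2 + len
  end
end

function berdemo.dissector(tvb, pinfo, tree)
  pinfo.cols.protocol = "BERDEMO"
  pinfo.cols.info     = "BER file decoded by Lua dissector"
  local root = tree:add(berdemo, tvb(), "BER demo")
  walk_tlv(tvb(), root, 0)
  return tvb:len()
end

-- Take over encapsulation 90 (WTAP_ENCAP_BER). This replaces the built-in
-- "ber" handler for that encapsulation for the whole session, which is the
-- trade-off the thread describes: no "Decode As" choice between syntaxes.
DissectorTable.get("wtap_encap"):add(90, berdemo)
```

Drop the script into the personal Lua plugins directory (or load it with -X lua_script:), reload Lua plugins, and open the sample file with file type "All files". The frame then shows a [CONTEXT 1] node containing BOOLEAN 0x01 and INTEGER 514, matching the output quoted in the comments. Because the registration is unconditional, keep the script out of the plugins directory when the stock BER dissector is needed; the length and depth checks are what keep a malformed or deliberately odd file from turning into a Lua error in the packet list.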
