
Lua - Get data from buffer when packet size varies

Hello,

Newbie to creating dissectors in Lua, looking for some advice on how to grab a section of data when the payload size varies.

I can grab data using the offset,length method for some items but others shift one or two bytes so I can't rely on it.

What is a suitable method to do this?

I'm using the following function currently:

function myproto.dissector(buffer, pinfo, tree)
    -- Stop early when there is no payload to dissect
    length = buffer:len()
    if length == 0 then return end
end

marty84
asked 2018-10-02 15:45:26 +0000


1 Answer


"I can grab data using the offset,length method for some items but others shift one or two bytes so I can't rely on it."

Can you clarify what you mean by this?

If you're trying to add fields to the tree, you can just use

tree:add(p_foo.some_field, buffer(offset, len))

… where the offset is just the offset to the field, which you may need to keep track of as you add fields, and where len is the number of bytes in the buffer comprising the field and could be a fixed value, but not necessarily.

Did you try looking at the various examples on the wiki, such as dissector.lua from the Lua/Examples wiki page?

cmaynard
answered 2018-10-02 17:42:11 +0000

Comments

Say I'm using the buffer(offset,len) method to view the 5th hex value (4,1)

first packet:

00 11 22 33 44 55

buffer would return '44'.

second packet:

00 11 AA 22 33 44 55

buffer would now return '33' where I actually wanted '44'.

Does this help to clarify? I would not be able to base the buffer off a previous field as the extra byte appears between fields.

marty84 (2018-10-03 07:01:14 +0000)

Well, you need to track the offset then. Somehow you have to know that the AA was inserted and if so, increment your offset accordingly. For example:

offset = 0
tree:add(p_foo.field_00_11, buffer(offset, 2))
offset = offset + 2
if <some test condition> then
    tree:add(p_foo.field_AA, buffer(offset, 1))
    offset = offset + 1
end

tree:add(p_foo.field_22_33, buffer(offset, 2))
offset = offset + 2
tree:add(p_foo.field_44, buffer(offset, 1))
offset = offset + 1
tree:add(p_foo.field_55, buffer(offset, 1))
offset = offset + 1
...

I have no idea what your test condition would be because I don't know anything about your protocol, so you'll have to make that determination.

cmaynard (2018-10-03 12:45:28 +0000)

Hi, I can't figure out the test condition. I've tried the below but the script doesn't apply the offset.

if buffer(offset,1) == 'AA' then 
offset = offset + 1
end

What am I doing wrong?

marty84 (2018-10-10 14:14:25 +0000)

If I interpret your code correctly, it would appear that you're trying to compare the value of 1 byte in the buffer at offset offset to the hexadecimal value of 0xAA or decimal value 170. If that's the case, then try this:

if buffer(offset,1):uint() == 170 then
    offset = offset + 1
end

cmaynard (2018-10-12 00:27:19 +0000)

Thank you for your help!

marty84 (2018-10-15 09:41:16 +0000)
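
The offset tracking discussed in this thread, put into a complete dissector as an added example (not code from the thread or from the Wireshark wiki). buffer(offset, 1) returns a TvbRange object rather than a string, so comparing it with 'AA' is never true; :uint() extracts the numeric value. The protocol name, field names and UDP port 9999 are hypothetical, and the layout is assumed from the two sample packets above, with 0xAA assumed never to be the first byte of the following field.

```lua
-- Added example: p_foo, the field names and UDP port 9999 are hypothetical.
local p_foo = Proto("foo", "Foo Example Protocol")

local f = {
    hdr     = ProtoField.bytes("foo.hdr", "Header (00 11)"),
    marker  = ProtoField.uint8("foo.marker", "Optional marker", base.HEX),
    body    = ProtoField.bytes("foo.body", "Body (22 33)"),
    value   = ProtoField.uint8("foo.value", "Value (44)", base.HEX),
    trailer = ProtoField.uint8("foo.trailer", "Trailer (55)", base.HEX),
}
p_foo.fields = { f.hdr, f.marker, f.body, f.value, f.trailer }

-- Shortest valid packet: 2 + 2 + 1 + 1 bytes, optional marker absent.
local MIN_LEN = 6

function p_foo.dissector(buffer, pinfo, tree)
    local length = buffer:len()
    -- Reject short packets up front so no buffer(offset, len) call below
    -- can read past the end of the captured data.
    if length < MIN_LEN then return 0 end

    pinfo.cols.protocol = "FOO"
    local subtree = tree:add(p_foo, buffer(), "Foo Example Protocol")
    local offset = 0

    subtree:add(f.hdr, buffer(offset, 2))
    offset = offset + 2

    -- Optional byte: only consume it when the value matches AND the packet
    -- is long enough to still hold every mandatory field after it.
    if length >= MIN_LEN + 1 and buffer(offset, 1):uint() == 0xAA then
        subtree:add(f.marker, buffer(offset, 1))
        offset = offset + 1
    end

    subtree:add(f.body, buffer(offset, 2))
    offset = offset + 2
    subtree:add(f.value, buffer(offset, 1))   -- 0x44 in both sample packets
    offset = offset + 1
    subtree:add(f.trailer, buffer(offset, 1))
    offset = offset + 1

    return offset  -- number of bytes this dissector consumed
end

DissectorTable.get("udp.port"):add(9999, p_foo)
```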