Is there a way to change the Packet Info Field based on criteria?

Looking to see if there is a possibility to change the text in the Info field based on a packet criteria. For example, if ssl.handshake.type == 1 then change the packet info field to <custom text>, or even the comment field.

I have tried the following with Lua, but no soup:

-- Post-dissector: pinfo arrives as the dissector's second argument, and
-- ssl.handshake.type must be read through a Field object, not as a bare Lua name
local sslinfo = Proto("sslinfo", "Info column override")
local hs_type_f = Field.new("ssl.handshake.type")

function sslinfo.dissector(tvb, pinfo, tree)
    local hst = hs_type_f()          -- first ssl.handshake.type in the packet, or nil
    if hst and hst() == 1 then       -- Client Hello
        pinfo.cols.info:set("<message>")
    end
    if hst and hst() == 2 then       -- Server Hello
        pinfo.cols.info:set("<message>")
    end
end

register_postdissector(sslinfo)

Have also tried

pinfo.cols.info:set('stuff')
pinfo.cols.info:fence()
brianrpsgt1, asked 2019-02-21 01:09:28 +0000
updated by cmaynard 2019-02-21 14:36:17 +0000


1 Answer


There can be more than one ssl.handshake.type field within a single packet, so you need to account for this. The following is a simple Lua post-dissector that appends the SSL handshake type(s) to the Info column. It ought to serve as a basic starting point for any further work:

sslpost = Proto("SSLpost", "SSL post-dissector")
ssl_handshake_type_f = Field.new("ssl.handshake.type")

function sslpost.dissector(tvb, pinfo, tree)

    -- Collect every ssl.handshake.type FieldInfo in this packet. The result is a
    -- table, and an empty table is still truthy in Lua, so test its length rather
    -- than the table itself; otherwise every packet gets the suffix appended.
    local ssl_hst = {ssl_handshake_type_f()}
    if #ssl_hst > 0 then
        pinfo.cols.info:append(": Handshake Type" .. ((#ssl_hst > 1) and "s: " or ": "))
        for _, hst in ipairs(ssl_hst) do
            pinfo.cols.info:append(hst() .. " ")   -- FieldInfo() yields the numeric type
        end

    end
end

register_postdissector(sslpost)

Testing this against the ssl.pcap file in the Wireshark menagerie produces this tshark result:

$ tshark -r ssl.pcap -Y "ssl.handshake.type"
  2009-02-13 11:55:59.814985   0.045490 0.000000 9.155.133.167 → unlabelled-50-61-58-81.versatel.net SSLv2 196 Client Hello: Handshake Type: 1
  2009-02-13 11:55:59.910024   0.140529 0.095039 unlabelled-50-61-58-81.versatel.net → 9.155.133.167 SSLv3 989 Server Hello, Certificate, Server Hello Done: Handshake Types: 2 11 14
  2009-02-13 11:55:59.912738   0.143243 0.002714 9.155.133.167 → unlabelled-50-61-58-81.versatel.net SSLv3 258 Client Key Exchange, Change Cipher Spec, Encrypted Handshake Message: Handshake Type: 16
cmaynard, answered 2019-02-21 17:16:12 +0000
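The following is an added example, not part of cmaynard's answer or of Wireshark itself, that takes the post-dissector above one step further and does what the question asked for: when a packet carries a handshake type that matches a rule, the Info text is replaced outright; otherwise the handshake message names are appended. It assumes Wireshark 3.0 or later, where the field was renamed to tls.handshake.type, and falls back to the older ssl.handshake.type name so it also loads on 2.6. The protocol name infowriter, the HS_NAMES and INFO_OVERRIDE tables and the replacement strings are all invented for this example.

```lua
-- Added example (not from the original question or answer): a post-dissector
-- that rewrites the Info column based on the handshake type(s) in a packet.
-- Assumption: Wireshark 3.0+ names the field "tls.handshake.type"; older
-- releases use "ssl.handshake.type". Field.new() raises an error for an
-- unknown name, so pcall() lets us try the new name first and fall back.
local ok, hs_type_f = pcall(Field.new, "tls.handshake.type")
if not ok then
    hs_type_f = Field.new("ssl.handshake.type")
end

-- Handshake type codes from RFC 5246 / RFC 8446 (only the common ones).
local HS_NAMES = {
    [0]  = "HelloRequest",
    [1]  = "ClientHello",
    [2]  = "ServerHello",
    [4]  = "NewSessionTicket",
    [11] = "Certificate",
    [12] = "ServerKeyExchange",
    [13] = "CertificateRequest",
    [14] = "ServerHelloDone",
    [15] = "CertificateVerify",
    [16] = "ClientKeyExchange",
    [20] = "Finished",
}

-- Criteria -> replacement Info text. The strings are placeholders for the
-- example; edit them to whatever you want to see in the column.
local INFO_OVERRIDE = {
    [1] = "CUSTOM: client opened a TLS handshake",
    [2] = "CUSTOM: server answered the handshake",
}

local info_rewriter = Proto("infowriter", "Info column rewriter (example)")

function info_rewriter.dissector(tvb, pinfo, tree)
    -- One TCP segment can carry several handshake messages (e.g. ServerHello,
    -- Certificate, ServerHelloDone), so collect every occurrence of the field.
    local infos = { hs_type_f() }
    if #infos == 0 then
        return  -- no handshake record in this packet: leave Info alone
    end

    local names = {}
    for _, fi in ipairs(infos) do
        local code = fi()                 -- FieldInfo() gives the numeric type
        local override = INFO_OVERRIDE[code]
        if override then
            -- A matching rule replaces the whole Info text and we stop here.
            pinfo.cols.info:set(override)
            return
        end
        names[#names + 1] = HS_NAMES[code] or ("type " .. tostring(code))
    end

    -- No rule matched: annotate the existing text instead of replacing it.
    pinfo.cols.info:append(" [" .. table.concat(names, ", ") .. "]")
end

register_postdissector(info_rewriter)
```

Save it as, say, infowriter.lua and load it either from the personal plugins directory or on the command line with `tshark -X lua_script:infowriter.lua -r ssl.pcap -Y tls.handshake.type` (use `ssl.handshake.type` in the filter on a 2.6 release). Note that `pinfo.cols.info:fence()` is not needed here: a post-dissector runs after every protocol dissector has already written the column, so nothing later can overwrite the text; fencing only matters in a dissector that runs before others.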

Comments

@cmaynard Thank YOU! That will definitely get me going.

Is there a way to put the <message> in the Packet Comments field instead of 'Info'?

brianrpsgt1 (2019-03-02 00:45:11 +0000)

I don't think it's possible to add or change the packet comment tree item (or any other existing tree item for that matter). But, I could be wrong.

cmaynard (2019-03-02 22:36:30 +0000)