Some background to understand what follows
- Wireshark reads captured traffic from files in the PCAP file format (current releases save as pcapng by default, but still read classic PCAP).
- Wireshark can be extended with dissectors written in C or, for fast development, in Lua (I'll explain later...).
PCAP File Format
- Know your Wireshark
- Download and install Wireshark.
- Create a Lua dissector (let's save it as 'trivial.lua')
-- trivial protocol example
-- declare our protocol. The first argument ("trivial") is the dissector name
-- that Wireshark registers; it is the value the DLT_USER "Payload protocol"
-- preference below must refer to.
trivial_proto = Proto("trivial","Trivial Protocol")
-- create a function to dissect it. Wireshark calls it once per frame with the
-- frame bytes (buffer), the packet summary columns (pinfo) and the detail tree.
function trivial_proto.dissector(buffer,pinfo,tree)
    -- the protocol needs four bytes; return on shorter frames instead of
    -- throwing a Lua error (which Wireshark reports as a malformed packet)
    if buffer:len() < 4 then return end
    pinfo.cols.protocol = "TRIVIAL"
    local subtree = tree:add(trivial_proto,buffer(),"Trivial Protocol Data")
    subtree:add(buffer(0,2),"The first two bytes: " .. buffer(0,2):uint())
    subtree = subtree:add(buffer(2,2),"The next two bytes")
    subtree:add(buffer(2,1),"The 3rd byte: " .. buffer(2,1):uint())
    subtree:add(buffer(3,1),"The 4th byte: " .. buffer(3,1):uint())
end
-- load the udp.port table
udp_table = DissectorTable.get("udp.port")
-- register our protocol to handle udp port 7777. This only matters for real
-- captures that carry a UDP layer; with the DLT_USER setup below the whole
-- frame is handed straight to this dissector.
udp_table:add(7777,trivial_proto)
- Edit the init.lua file in Wireshark's install (global configuration) directory, e.g. ...\Wireshark\init.lua on Windows, as follows
- Make sure Lua is enabled: disable_lua = false (older releases; newer init.lua files use enable_lua = true instead)
- At the end of the file: dofile("trivial.lua"). A relative path is resolved against Wireshark's working directory, so prefer the absolute path of trivial.lua. Alternatively, drop trivial.lua into the personal plugins folder (listed under Help >> About Wireshark >> Folders); current releases load Lua scripts from there without any init.lua edit.
- You can read more here - http://simplestcodings.com/2011/01/09/how-to-use-lua-to-create-wireshark-dissector/
- Open Wireshark
- Menu >> Edit >> Preferences >> Protocols >> DLT_USER >> Edit >> New:
- DLT: User 0 (147)
- Payload protocol: trivial (the name passed as the first argument to Proto() in trivial.lua; Wireshark registers the dissector under that name)
- Header size: 0
- Trailer size: 0
- Press OK
- Create PCAP dumps to analyze.
- Using a hex editor (see below for hex-editor recommendations).
- If you can, ask the protocol team to provide their dumps.
- Open the PCAP dump for editing (binary mode).
- In the dump's 'Global Header' (the first 24 bytes) change the 'data link type' ('network') field, the 4-byte value at offset 20, to 147 (LINKTYPE_USER0). The value is stored in the file's byte order: a file that starts with d4 c3 b2 a1 is little-endian, so write 93 00 00 00; a file that starts with a1 b2 c3 d4 is big-endian, so write 00 00 00 93. This applies to classic PCAP files only; a pcapng file (Wireshark's default save format) has a different header, so convert it first (editcap -F pcap) or save it from Wireshark as pcap.
- Read more here - http://www.tcpdump.org/linktypes.html
- Save it.
- Load the dump into Wireshark for analysis. With link type User 0 each frame's bytes are handed directly to the 'trivial' dissector, with no Ethernet/IP/UDP headers in front of them, so the first byte of the frame is the first byte of your protocol.
- Start changing the trivial.lua code to parse your protocol.
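The two file-level steps above (producing a dump whose link type is 147, and retargeting an existing dump) can be done without a hex editor. The following is an added Python example, not code from the original post: it writes a classic PCAP whose records are raw protocol payloads, reads the 'network' field back in the file's own byte order, and patches that field in an existing PCAP. The function names (build_pcap, set_linktype, payloads, ...) and the sample frames are my own; the header layout and the LINKTYPE_USER0 value come from the pcap format and the tcpdump link-type list.

```python
#!/usr/bin/env python3
"""Write a LINKTYPE_USER0 pcap for a custom dissector, and patch the link type
of an existing classic pcap in place. Added example, not the blog's own code."""
import struct

LINKTYPE_USER0 = 147            # LINKTYPE_USER0 / DLT_USER0 (tcpdump.org/linktypes.html)
PCAP_MAGIC_USEC = 0xA1B2C3D4    # classic pcap magic, microsecond timestamps
PCAP_MAGIC_NSEC = 0xA1B23C4D    # same layout, nanosecond timestamps
GLOBAL_HEADER_LEN = 24          # magic(4) major(2) minor(2) thiszone(4) sigfigs(4) snaplen(4) network(4)
LINKTYPE_OFFSET = 20            # the 'network' field is the last 4 bytes of the global header
RECORD_HEADER_LEN = 16          # ts_sec(4) ts_frac(4) incl_len(4) orig_len(4)


def build_pcap(payloads, linktype=LINKTYPE_USER0, snaplen=65535):
    """Return a little-endian pcap file with one record per payload.

    With linktype 147 Wireshark hands each record's bytes straight to the
    dissector configured for DLT_USER 0; no Ethernet/IP/UDP wrapping is needed.
    """
    out = bytearray(struct.pack("<IHHiIII", PCAP_MAGIC_USEC, 2, 4, 0, 0, snaplen, linktype))
    for seconds, payload in enumerate(payloads):
        # Constructed timestamps: record n is stamped n seconds after the epoch.
        out += struct.pack("<IIII", seconds, 0, len(payload), len(payload))
        out += payload
    return bytes(out)


def byte_order(data):
    """Return '<' or '>' from the magic number; reject pcapng and unknown files."""
    if len(data) < GLOBAL_HEADER_LEN:
        raise ValueError("file shorter than a pcap global header")
    for order in ("<", ">"):
        magic = struct.unpack(order + "I", data[:4])[0]
        if magic in (PCAP_MAGIC_USEC, PCAP_MAGIC_NSEC):
            return order
    raise ValueError("not a classic pcap file (pcapng or unknown magic)")


def get_linktype(data):
    """Read the global header's 'network' field in the file's own byte order."""
    order = byte_order(data)
    return struct.unpack(order + "I", data[LINKTYPE_OFFSET:LINKTYPE_OFFSET + 4])[0]


def set_linktype(data, linktype=LINKTYPE_USER0):
    """Return a copy of the pcap with its link type replaced (the hex-editor step)."""
    order = byte_order(data)
    patched = bytearray(data)
    patched[LINKTYPE_OFFSET:LINKTYPE_OFFSET + 4] = struct.pack(order + "I", linktype)
    return bytes(patched)


def payloads(data):
    """Walk the record headers and yield each record's captured bytes."""
    order = byte_order(data)
    pos = GLOBAL_HEADER_LEN
    while pos + RECORD_HEADER_LEN <= len(data):
        _sec, _frac, incl_len, _orig_len = struct.unpack(
            order + "IIII", data[pos:pos + RECORD_HEADER_LEN])
        pos += RECORD_HEADER_LEN
        if pos + incl_len > len(data):
            raise ValueError("truncated record at offset %d" % (pos - RECORD_HEADER_LEN))
        yield data[pos:pos + incl_len]
        pos += incl_len


if __name__ == "__main__":
    # Constructed frames for the Trivial dissector: two valid 4-byte frames and
    # one short frame, to see how the dissector copes with it.
    frames = [b"abcd", bytes([0x00, 0x01, 0x02, 0x03]), b"xy"]
    with open("trivial.pcap", "wb") as f:
        f.write(build_pcap(frames))
    # Retarget a dump that was saved with another link type (1 = Ethernet here).
    retargeted = set_linktype(build_pcap(frames, linktype=1))
    print("link type after patch:", get_linktype(retargeted))
```

Open trivial.pcap in Wireshark with the DLT_USER 0 preference pointing at 'trivial' and every record shows up decoded by the dissector; the 2-byte frame is the case the short-frame check in trivial.lua exists for. set_linktype deliberately refuses pcapng input, because patching offset 20 of a pcapng file would corrupt its section header rather than change the link type.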
Hope this brings you to a working point fast. Along the way, read the related material to understand more; you can then build on this solution to create a better and better protocol sniffer with Wireshark.
- Related reference stuff
- http://simplestcodings.com/2011/01/09/how-to-use-lua-to-create-wireshark-dissector/
- http://delog.wordpress.com/2010/09/27/create-a-wireshark-dissector-in-lua/
- http://lua-users.org/wiki/TutorialDirectory
- http://wiki.wireshark.org/Lua
- http://wiki.wireshark.org/Lua/Dissectors
- http://wiki.wireshark.org/Lua/Examples
More nice stuff that can help
- You can use 'Hex Workshop' to simulate your protocol's binary streams more easily (using its Structure Editing feature).
- Wireshark tools
- Bit-Twist: network traffic generator
Here's how to create a binary pcap file suitable for input to Wireshark or tshark *without* the aid of a hex editor.
The payload is 4 bytes long (matches the Trivial protocol dissector given in this blog post)
$ echo -n abcd | od -Ax -tx1 -v | text2pcap -l 147 - trivial.pcap
Nice for doing smallish stuff :-)
I hardly ever write comments on blogs, but your article urged me to praise your blog.
Thanks for the read, I will surely favorite your site and check in occasionally. Cheers
It's spelled "Lua" (it is not an acronym "LUA").
Hi, great guide! btw, if you still need a custom dissector and don't want to make it yourself again, check out our website www.netwurke.com. We make custom dissectors. Regards!
Another related tool:
https://jagt.github.io/clumsy/