Add Lua support for tracking conversations.
This issue was migrated from bug 15396 in our old bug tracker.
Original bug information:
Reporter: Christopher Maynard
Status: CONFIRMED
Product: Wireshark
Component: Dissection engine (libwireshark)
OS: All
Platform: All
Version: Git
Activity
Build Information:
Paste the COMPLETE build information from "Help->About Wireshark", "wireshark -v", or "tshark -v".
It would be useful if dissectors written in Lua could also have the ability to track conversations. Ref: https://ask.wireshark.org/question/3271/does-the-lua-dissector-api-support-conversation-analysis/added enhancement libwireshark versiondev labels
I'm currently writing a dissector myself and don't see another way to capture a fragmented response contained within well-formed packets, having a means to track requests and responses across PDUs would help out a lot with my situation.
For those that want to know, a server sends each packet with a fixed header size, that contains the message size, the payload size and fixed size footer. I've already had to reassemble fragmented packets with
if messageSize > buffer:len() then -- Tell wireshark this packet is fragmented, by providing expected additional length pinfo.desegment_len = messageSize - buffer:len() pinfo.desegment_offset = 0 return buffer:len() endThere is a sequence of packets that will begin with a small payload to inform, there is a large opaque blob to receive that will span several packets. Each packet response with a protocol independent Ack (i know, TCP does it too....). Still each intermediate PDU have the standard header, footer and payload size. I've had to calculate the final size of the several packets the opaque blob will span and set
pinfo.desegment_len, I'm able to briefly look at each packet within the now reassembled super-mega-pdu and pull out the complete binary.However, Wireshark will no longer show the individual PDUs as packets belonging to the protocol since they're now "segmented". which isn't ideal
Edited by Roman VAs a workaround, I've thrown together a proof of concept Lua C module that exposes conversation_add_proto_data and p_add_proto_data to Lua. It's still a bit rough (
runs fine from Wireshark on cold startup, causes a segfault if Lua scripts are reloaded [Ctrl+Shift+L]no-longer an issue), but should work fine for anyone that's looking for a quick solution in the mean time, before a final solution is added to Wireshark.Edited by Aloz1Now that I've had a deeper look at the wslua codebase within Wireshark, it may be a big chunk of work to fully implement the complete conversation api.
I might have a crack at moving from the proof-of-concept I did some years ago to minimum viable lua conversation API. As a first pass, it probably won't implement all functionality within epan/conversation.h, but it should be a good starting point for others to add later. I might avoid exposing conversation elements for now (including *_full functions).
I think I now have a rough first pass implementation of what I think a conversation API would look like in https://gitlab.com/Aloz1/wireshark/-/tree/add-lua-conversations?ref_type=heads
Will have to have a look through existing captures to see what could be a good candidate for writing a test / example.
Quick summary of what the new API currently looks like
-- Functions to fetch conversations local conv1 = Conversation.find_with_pinfo(pinfo, [options], [bool_create]) local conv2 = Conversation.find_by_id(frame_id, convtypes.<CONV_TYPE>, id, [bool_create]) local conv3 = Conversation.find(frame_id, convtypes.<CONV_TYPE>, addr1, port1, [addr2], [port2], [bool_create]) -- This last one is equivalent to calling Conversation.find_with_pinfo(pinfo) local conv4 = pinfo.conversation -- Set data conv1[proto] = "asdf" conv2[proto] = {"asdf": 123} -- Get data local data = conv3[proto] -- Clear data conv3[proto] = nil -- Set dissector (equivalent to pinfo.conversation = <dissector>) conv1.dissector = <dissector>Edited by Aloz1mentioned in merge request !18890 (merged)
closed with merge request !18890 (merged)
