InEnglish

Lua post dissector for Wireshark

Wednesday, 27 November 2013
|
Écrit par
Grégory Soutadé

Logo Wireshark

Wireshark (previously Ethereal) is the best open source protocol dissector/analyzer. You can analyze an incredible amount of protocols, not only Internet ones, but every stream based protocols. Moreover you can add your own filters/dissectors written either in C or in Lua. Nevertheless, the documentation on the net concerning Lua dissectors is light and sparse. It's been hard for me to make something that works even if it's, at the end, not really complicated. I'll try to explain the basis of Lua dissectors.

1) Installation

You need to have a wireshark that supports Lua support (wireshark -v). After that, create or edit ~/.wireshark/init.lua. To load a new plugin, just type

dofile("mydissector.lua")

Create the new file ~/.wireshark/mydissector.lua

2) Post Dissector

There are three types of dissectors :

  • Dissector : you add your own protocol
  • Chained dissector : you add new fields to an existing protocol
  • Post dissector : you interact after all packets has been parsed

An example for each of one can be found here. I'll describe a post dissector, but other types of dissectors has pretty the same format.

Tip 1
If you want to display someting on the console, just do

print(something)


Tip 2
If the base array is not defined, add this to ~/.wireshark/init.lua

-- Display Bases base = { ["NONE"] = 0, ["DEC"] = 1, ["HEX"] = 2, ["OCT"] = 3, ["DEC_HEX"] = 4, ["HEX_DEC"] = 5, }

First, you need to define your protocol : Proto(<internal name>, <displayed name>)

p_dummyproto = Proto("dummyproto","DummyProto")


Then, define your fields : ProtoField.TYPE(<internal name>, <displayed name>, [base], [values], [mask])
TYPE are defined here

-- Simple field without value local f_X = ProtoField.uint16("dummyproto.f_X","Field X") -- Simple field displayed in hex format local f_Y = ProtoField.uint8("dummyproto.f_Y","Field Y", base.HEX) -- Field with precomputed values and bitfield local VALS_ZZ = {[0] = "Single", [1] = "Dual"} local f_Z = ProtoField.uint8("dummyproto.f_Z","Field Z", base.HEX, VALS_ZZ, 0x3)

Third step is to register each field

p_dummyproto.fields = {f_X, f_Y, f_Z}


After that, the big part : protocol dissection. Fields are organized as a tree. You have to parse each byte (or range of bytes) in the given buffer and append your fields. Be careful : objects returned by :add function has userdata type and cannot be directly manipulated.

function p_dummyproto.dissector(buffer,pinfo,tree) -- Access to another field local f_udp_port = Field.new("udp.port") -- If it exists and has the right value if f_udp_port and tostring(f_udp_port) == tostring(5555) then -- Add our protocol dissection with data in buffer[17, 17+14] local subtree = tree:add(p_dummyproto, buffer(17,14)) -- Add a subtree to our root for the first two bytes local t = subtree:add(f_X, buffer(17, 2)) -- Add a sub subtree local t2 = t:add(f_Y, buffer(17, 1)) -- Parse sub data parse_data(t, buffer, 18) end end function parse_data(tree, buffer, start) -- Wireshark integrate bitop from luajit http://bitop.luajit.org/ field_1 = buffer(start, 1):uint() field_1 = bit.band(field_1, 0x3) -- You can also append free text information to current field if field_1 < 16 then tree:append_text(" field information") end end

Finally register your post dissector

register_postdissector(p_dummyproto)


A complete example can be found here. It's a full reimplementation of ARP protocol dissector in Lua.

From Nokia to Android

Thursday, 19 September 2013
|
Écrit par
Grégory Soutadé

Nokia 7373

After 6 years of wonderful services I decided to change my superb Nokia 7373 by a Nexus 4 (thanks to the last price down). Welcome to the 21th century with a big smartphone running Android. One problem : how to transfer my contacts from Nokia to Android ? After reading some articles on the net I didn't find any simple solution. So I developped a perl script that will convert contacts extracted from Nokia Suite to vCad format (.vcf). The procedure is bellow :

  • Extract your contacts with Nokia Suite into a CSV file
  • Run this script (you can see help with -h switch)
  • Copy vcf files to your phone (you can copy them in DCIM directory if you have a Nexus 4, it works)
  • Go to "contact" application and import all vcf files

Now you can use your mobile phone as before. Personally I deactivated contact synchronisation because I do not want to give phone numbers of my friends to Google (even if I suppose it already has). *Beware* this script has been developped for French people : default call prefix is +33 (you can change it) and a cell phone numbers starts with 6 in France (you can change it). If you're in another country you may have to tweak it. Currently it can extract first name, last name, phone numbers and email. Have fun !

Nexus 4

Colored make output

Thursday, 18 April 2013
|
Écrit par
Grégory Soutadé

If I often compile under emacs, I use a lot the terminal. Most of people ignore how it's fast and practical to work, not for every tasks but it's perfect for programing. I already talks about Autojump2, today I will present colout. It's true that the terminal miss some colors. For better displays I personaly use black over white, but when you compile some projects, it's hard to see if errors happens.

I tweak colout (written by nojhan) to fit my needs. It's a simple Python software that will color terminal output if it found specific words. The list of words is fix and embedded into the script (unlike the original one that takes them in parameter). My script is available here.

You only need to add colout file into a bin directory (referenced in your $PATH) and edit your .bashrc with (don't forget to make it executable) :

function make() { /usr/bin/make "$@" 2>&1 | colout ;}

So, when you type "make", it will transparently use colout. The only bad thing is that you loss make's returns value.

Example with :

int main() { int a, b; b = a+1; c = a; return 0; }

colout result

It's better, isn't it ?

Command line loader for "Read for PIC" Board

Sunday, 24 March 2013
|
Écrit par
Grégory Soutadé

Ready for PIC board

Some weeks ago I bought a "Ready for PIC" board from MikroElektronika. These board comes with a PIC18F25K22 flashed with a bootloader that receives a program from UART and load it in memory without flashing. The prototype area is very nice for peoples that do not want to weld, it also contains a FTDI chip and can be powered by USB. Plus MikroElektronika supply a GUI software to interact with the bootloader. These GUI is available for Windows and Linux, that's great ! Contrary to microchip, MikroElektronika wants to sell their expensive C/BASIC/Pascal compiler and provide cool boards at a good price. The only thing I regret is that you cannot reset the PIC with the FTDI, you need to press the reset button before and after code is downloaded (so boring...).

Maybe the GUI is useful for electronics peoples, but I found it (on Linux) heavy and sometimes buggy. Moreover you cannot access to serial output just after code is downloaded. So, I wrote a simple console Python program that will download an HEX file with command line and optionally displays the output of UART. This allows to do quicker and simpler tests. You can find the file here, it's licensed under GPL v3.

Fast software DES implementation

Wednesday, 31 October 2012
|
Écrit par
Grégory Soutadé

This is a fast software DES implementation for 64 bits machines thats supports intel SSE instructions (SSE, SSE2, SSE3 and SSSE3). The x86_64 architecture lacks support for bit manipulation and the ones introduced by AMD are not used here. The main SSE instruction used is "pmovmskb" that will extract the most significant bit of each byte inside an XMM register. That allows to do linear permutations with few instructions, but for random permutations a simple mask-shift is used. The next generation of processors with AVX2 should includes some bit manipulation instructions that will even more speed up DES computation.

Currently, my implementation is about 10 times faster than the one in OpenSSL 1.0.1c, assembly optimized but 32 bits centered. The package includes a basic implementation in full C (des.c) for algorithm comprehension and the fast implementation in fast_des.c. fast_des.c is linked with the libcrypto.a of OpenSSL (configured with linux-x86_64) to do benchmarks. The benchmark is to do 1 000 000 full DES computation. I obtained these values :

fast_des.c Init value 123456789abcdef Fast des Time 0 29333426 85e813540f0ab405 Des Time 0 362639005 85e813540f0ab405 des.c : Init value 123456789abcdef Time 0 236431885 85e813540f0ab405

My configuration is compounded by an intel core i5 m450 @ 2.4Ghz, 4Gb of RAM, Linux 64, gcc 4.7.1. One funny thing is that if I compile fast_des.c with -O3 flag, performances dramatically falls just under OpenSSL implementation. On an core 2 duo E7500 @ 2.93GHz :

Init value 123456789abcdef Fast des Time 0 110037322 85e813540f0ab405 Des Time 0 352010444 85e813540f0ab405

Source file can be found here.