Export Wireshark dissectors¶
Wireshark is an open-source packet analyzer able to identify protocols and to highlight fields from the data stream. Its main drawback is that it is only usefull on documented/standard protocols. Within Netzob, which achieves semi-automatic reverse engineering of protocols, we have developed an exporter plugin that allows automatic generation of Wireshark dissectors from proprietary or undocumented protocols. Dissectors are built in LUA programming language.
Netzob provides a powerful datamodel in which fields are described with the following information:
- Regular expression (fixed or dynamic size)
- Name (textual representation)
All this information is gathered to generate a script including a dissector used by Wireshark.
Wireshark can be statically extended with C modules similar to core dissectors. Optionally, Wireshark can be configured to embed a Lua interpretor. For modularity purposes, the Lua engine has been choosed to extend Wireshark with Netzob generated dissectors.
You need Netzob in version 0.4.1 or above. The wireshark exporter functionality is provided as a netzob core plugin (which is included in the 0.4.1 version).
This tutorial assumes that the user have previously inferred the specification of the targeted protocol. An example of protocol inference is avaibale in the Getting started with Netzob tutorial.
Check that Wireshark supports Lua
Select a project
Given a partitioned symbol in a project you can generate a wireshark dissector using the Export project menu item, then by selecting Wireshark.
You should get a popup with the LUA script automatically generated:
Import into wireshark
Two methods are available:
Evaluate the Lua script in a Wireshark instance.
In wireshark, select
Tools > Lua > Evaluateand paste the generated code.
Start wireshark with a specific Lua script.
- Start wireshark with the following parameters:
wireshark -X lua_script:PATH_OF_LUA_SCRIPT
This will automatically import the Lua script on start.
- Dissect data packets
Within the lower panel of Wireshark, you should get the dissected
Variable size fields cannot be easily exported to the datamodel used by Wireshark when we don’t know the expected size. In this case, an error message will popup preventing Netzob from generating the dissector. If this happen, you have to complete the protocol model in order to find the expected size of the dynamic field.
These ideas could be use to enhance dissection:
- Use relations (field / size, repeat ...)
- Look at future bitfield core implementation
What next ?¶
After this tutorial, we’ll be glade to have feedbacks and to help you (see our mailing list firstname.lastname@example.org or our IRC channel #netzob on Freenode).
If you want to go further and start contributing to Netzob, that’s perfect. There are many simple or complex tasks everyone can do: translation, documentation, bug fix, feature proposal or implementation.