Tags: lua, wireshark, wireshark-dissector

How to access TLS Version/ Checksum of packet in Wireshark Lua dissector?


I am new to Wireshark and its Lua API. I need to write a dissector that can capture packets on port 443, modify some of the contents and then send them over to the destination. I found a script here which I have modified according to my needs:

-- create myproto protocol and its fields
p_myproto = Proto ("myproto","My Protocol")
local f_command = ProtoField.uint16("myproto.command", "Command", base.HEX)
-- ProtoField.string takes an optional display (base.ASCII/base.UNICODE), not FT_STRING
local f_data = ProtoField.string("myproto.data", "Data")
 
-- every ProtoField must be listed here, otherwise it cannot be added to the tree
p_myproto.fields = {f_command, f_data}
 
-- myproto dissector function
function p_myproto.dissector (buf, pkt, root)
    print ('packet captured')
    -- validate packet length is adequate, otherwise quit
    if buf:len() == 0 then return end
    pkt.cols.protocol = p_myproto.name

    --pkt.cols.info:append(" " .. tostring(pkt.dst).." -> "..tostring(pkt.src))

    -- Pinfo fields: addresses and ports of the current packet
    print ("" .. tostring(pkt.dst))
    print ("" .. tostring(pkt.src_port))
    print ("" .. tostring(pkt.dst_port))

end
 
-- Initialization routine
function p_myproto.init()
end
 
-- register a chained dissector for port 443
local tcp_dissector_table = DissectorTable.get("tcp.port")
-- keep a handle to the dissector currently registered on 443 (global, so the
-- dissector function above can reach it)
dissector = tcp_dissector_table:get_dissector(443)
  -- you can call dissector:call(buf, pkt, root) from function p_myproto.dissector above
  -- so that the previous dissector gets called
tcp_dissector_table:add(443, p_myproto)

I can access fields like dst, src, dst_port etc. The entire list is available here. But I cannot find any reference anywhere as to how I can access/modify the checksum of the packet, the selected cipher suites etc. I know they exist on the transport layer but I could not find any documentation that will allow me to access/modify these values.

What am I doing wrong? Any help in this regard will be appreciated!

Thanks!


Solution

  • You can access any field using a Field Extractor, and the entire list is not available on the LuaAPI/Pinfo wiki page as you referenced, but on the Wireshark Display Filter Reference page.

    For example, if you want the TCP checksum, you can use:

    -- field extractors must be created at load time, before any packet is dissected
    local fe_tcp_checksum = Field.new("tcp.checksum")
    
    ...
    
    function p_myproto.dissector (buf, pkt, root)
        ...
        -- calling the extractor returns a FieldInfo, or nil if the field
        -- is not present in the current packet
        local fi = fe_tcp_checksum()
        if fi then
            local f_tcp_checksum = fi.value
            ...
        end
    end
    

    The Wireshark wiki provides more Lua/Examples.
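As an added example (not the original poster's script and not code from the answer), here is a complete chained dissector for tcp.port 443 that lets the built-in TLS dissector run first and then reads the TCP checksum, the TLS handshake version and the cipher suites with Field extractors, the way the answer describes. It goes further than the answer's checksum snippet: it distinguishes the list of suites a ClientHello offers from the single suite a ServerHello selects. Assumptions: the protocol name `tlspeek` and its `tlspeek.*` fields are invented for this example; the `tls.*` field names are those of Wireshark 3.x and later (Wireshark 2.x used `ssl.*`); `tcp.checksum.status` is the TCP checksum verification field of the same versions.

```lua
-- Added example, not from the original question or answer.
-- Chained dissector on tcp.port 443: run the real TLS dissector, then read
-- already-dissected fields through Field extractors.

local p_tlspeek = Proto("tlspeek", "TLS Peek (added example)")

-- Our own fields, so the extracted values become filterable as tlspeek.*
local f_tcp_checksum = ProtoField.uint16("tlspeek.tcp_checksum", "TCP Checksum", base.HEX)
local f_tls_version  = ProtoField.uint16("tlspeek.tls_version",  "TLS Handshake Version", base.HEX)
local f_ciphersuite  = ProtoField.uint16("tlspeek.ciphersuite",  "Cipher Suite", base.HEX)
p_tlspeek.fields = { f_tcp_checksum, f_tls_version, f_ciphersuite }

-- Field extractors MUST be created at load time, before any packet is dissected.
-- They only see fields that have already been dissected for the current packet.
-- (tls.* names assume Wireshark >= 3.0; on 2.x use the ssl.* equivalents.)
local fe_tcp_checksum    = Field.new("tcp.checksum")
local fe_tcp_checksum_st = Field.new("tcp.checksum.status")
local fe_tls_hs_type     = Field.new("tls.handshake.type")
local fe_tls_hs_version  = Field.new("tls.handshake.version")
local fe_tls_ciphersuite = Field.new("tls.handshake.ciphersuite")

-- Keep a handle to whatever is registered on 443 (normally "tls") so we can chain to it.
local tcp_port_table = DissectorTable.get("tcp.port")
local original_tls = tcp_port_table:get_dissector(443)
if not original_tls then
    error("tlspeek: no dissector registered on tcp.port 443 to chain to")
end

local HANDSHAKE_CLIENT_HELLO = 1
local HANDSHAKE_SERVER_HELLO = 2

function p_tlspeek.dissector(buf, pkt, root)
    if buf:len() == 0 then return end

    -- 1. Run the real TLS dissector first. Without this the tls.* extractors
    --    return nothing, because those fields do not exist yet for this packet.
    original_tls:call(buf, pkt, root)

    local subtree = root:add(p_tlspeek, buf())

    -- 2. TCP-layer fields were dissected before we were called, so they are
    --    always available here. An extractor call yields a FieldInfo or nil.
    local cksum = fe_tcp_checksum()
    if cksum then
        local item = subtree:add(f_tcp_checksum, cksum.value)
        local status = fe_tcp_checksum_st()
        -- tostring(FieldInfo) gives the display string, e.g. "Unverified"
        if status then item:append_text(" [" .. tostring(status) .. "]") end
    end

    -- 3. Handshake fields exist only in handshake records. An extractor call
    --    returns ALL matching FieldInfo objects (a ClientHello lists many
    --    suites), so collect them in tables.
    local types    = { fe_tls_hs_type() }
    local versions = { fe_tls_hs_version() }
    local suites   = { fe_tls_ciphersuite() }

    for _, v in ipairs(versions) do
        subtree:add(f_tls_version, v.value)
    end

    -- Classify by the first handshake message in this packet.
    local hs_type = types[1] and types[1].value
    if hs_type == HANDSHAKE_CLIENT_HELLO then
        subtree:append_text(string.format(" ClientHello, %d suites offered", #suites))
        for _, s in ipairs(suites) do
            subtree:add(f_ciphersuite, s.value):append_text(" (offered)")
        end
    elseif hs_type == HANDSHAKE_SERVER_HELLO and suites[1] then
        subtree:append_text(" ServerHello, selected " .. tostring(suites[1]))
        subtree:add(f_ciphersuite, suites[1].value):append_text(" (selected)")
        pkt.cols.info:append(" [suite " .. tostring(suites[1]) .. "]")
    end
end

-- Replace the entry for 443 with ours; the original stays reachable via original_tls.
tcp_port_table:add(443, p_tlspeek)
```

Run it against a capture with `tshark -X lua_script:tlspeek.lua -r capture.pcapng -Y tlspeek`, or drop it into the Wireshark plugins directory; the selected suite then appears in the Info column of each ServerHello. One caveat that applies to the whole approach: a dissector only reads packets. Wireshark has no mechanism for altering a captured packet or sending it on to its destination, so the checksum and cipher suites can be inspected here but not changed.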