How to parse protobuf packets in Wireshark

python lua wireshark lua-table tshark
B. Nir picture B. Nir · Feb 22, 2017 · Viewed 9.6k times · Source

My goal is to have a plugin/dissector that can parse a protocol based on protobuf (UDP).
I found on the web an Auto-generate Wireshark/Ethereal dissector plugins for Protocol Buffer messages: https://code.google.com/archive/p/protobuf-wireshark/
when i follow the ReadMe file i skipped "STEP 1: Install Wireshark from source" since i have it installed (version 1.12.3).

Step 2: Prepare Protocol Buffers -

this step i dont understend, how do i install libprotobuf and where?

Step 3: Updating wireshark configuration file -

I'm not sure what is "wireshark_src_dir"

I created a wireshark.conf file with:
wireshark_src_dir : C:\Program Files (x86)\Wireshark
wireshark_install_dir : C:\Program Files (x86)\Wireshark
wireshark_version : 1.12.3

Step 4: Run make_wireshark_plugin.py - for that step i downloaded and installed python-3.6.0-amd64.exe.

When i run this i get an error that: Traceback (most recent call last): File "C:\ProtoBuff\protobuff\make_wireshark_plugin.py", line 91, in f=open("configure.in","r") FileNotFoundError: [Errno 2] No such file or directory: 'configure.in'.

This file realy doesn't exists in the package i downloaded from github. Where do i get this file? do i need to create such? What is this make_wireshark_plugin.py generates?

Step 5: Create proto configuration files - All proto configuration files need to be in /usr/share/wireshark/protobuf or $HOME/.wireshark/protobuf.

i dont have a share folder and protobuf folder in wireshark installation path. Can i simply put the proto configuration files in the plugins folder?

Answer

Skison picture Skison · Mar 14, 2020

New features about Protobuf and gRPC dissectors have been added into Wireshark since version 3.2.0:

  • Protobuf files (*.proto) can now be configured to enable more precise parsing of serialized Protobuf data (such as gRPC).
  • The message of stream gRPC method can now be parsed with supporting of HTTP2 streaming mode reassembly feature.
  • User can specify protobuf search paths (where has *.proto files), and the UDP ports to protobuf message type maps at the Protobuf protocol preferences.
  • If your own dissectors need invoke protobuf dissector, you can pass the message type to Protobuf dissector by data parameter (in C) or pinfo->private_table["pb_msg_type"] (pinfo.private["pb_msg_type"] in lua).

Another two new features will be released in 3.3.0 or 3.4.0:

  • Protobuf fields can be dissected as wireshark (header) fields that allows user input the full names of Protobuf fields or messages in Filter toolbar for searching.
  • Dissector based on Protobuf can register itself to a new 'protobuf_field' dissector table, which is keyed with the full names of fields, for further parsing fields of BYETS or STRING type.

References:

Related questions

Python or Ruby Interpreter on iOS

I found this application on the app store: iLuaBox and I wondered if there was anything else like this for the iPhone without jailbreaking but instead for Python or Ruby? Lua is probably similar for me to play around with …

Read More
Loading Torch7 trained models (.t7) in PyTorch

I am using Torch7 library for implementing neural networks. Mostly, I rely on pre-trained models. In Lua I use torch.load function to load a model saved as torch .t7 file. I am curious about switching to PyTorch( http://pytorch.…

Read More
How to embed Lua inside Python?

This sounds like a weird question, so I'll explain circumstances surrounding first. Basically, I have a 3D game development kit, written in Python, that works excellently by itself. However, most of my users will be used to using Lua as …

Read More