• Welcome to Valhalla Legends Archive.
 

identifying packets in wireshark [ ethereal ]

Started by para, August 16, 2008, 09:06 PM


xpeh

#15
How to install this?

nitroxs, if this plugin is incomplete, there is an option to make it open source and post it e.g. on Google Code or sf.net.

As for decoding the TCP stream, I think it is impossible, and it is one of the main drawbacks of sniffers. Decoding only one frame at a time is a problem if a bnet packet is fragmented between frames.

IMHO you should not use the magic in packet codes; better to use it as a separate field and alert if it is not FF.

Quote
To use it, Lua has to be enabled by editing init.lua, which can be found in the Wireshark directory (one of the first lines has to be commented out), and bnetp.lua has to be loaded by a dofile at the end of init.lua.
What does it mean? Can you give strings that should be edited?

I managed to load it the other way, but it always gives me an error:
Lua Error: [string "bnetp.lua"]:34: attempt to index field 'columns' (a nil value)

Better upload it somewhere as a file; I lost the 1st line by selecting it with Opera :)

nitroxs

#16
Quote from: xpeh on August 28, 2009, 11:51 AM
How to install this?

It's like:

1. Install Wireshark in some directory. Let's say InstallPath.
2. Open InstallPath/init.lua and replace (~ lines 28 and 29)


-- Lua is disabled by default, comment out the following line to enable Lua support.
disable_lua = true; do return end;


with


-- Lua is disabled by default, comment out the following line to enable Lua support.
-- disable_lua = true; do return end;


And insert


dofile("bnetp.lua")


at the end of the file.

3. Create InstallPath/bnetp.lua and put the code.

Quote
nitroxs, if this plugin is incomplete, there is an option to make it open source and post it e.g. on Google Code or sf.net.

It's already open source (even though it looks unlicensed  :P).

Quote
As for decoding the TCP stream, I think it is impossible, and it is one of the main drawbacks of sniffers. Decoding only one frame at a time is a problem if a bnet packet is fragmented between frames.

It is possible actually. You have to ask Wireshark for the next segment by returning the number of bytes needed from the dissection function. Then Wireshark calls you again with the rest of the packet.

However, the current code... basically cannot record from where to start dissecting when Wireshark calls again.

Quote
Imho you should not use magic in packet codes - better use it as separate field and alert if it is not FF.

It should do that already (or I didn't understand your sentence :p).

Quote
I managed to load it the other way,

Could you explain "the other way"?

Quote
but it always gives me an error
Lua Error: [string "bnetp.lua"]:34: attempt to index field 'columns' (a nil value)

Better upload it somewhere as a file; I lost the 1st line by selecting it with Opera :)

That sounds bad ;D OK, I will upload it to [1] until a project is created. (Is Google Code OK?)

[1] http://nitroxs.netii.net/noncool/packet-bnetp/bnetp.lua

xpeh

#17
Quote from: nitroxs on August 28, 2009, 10:20 PM
Quote
Imho you should not use magic in packet codes - better use it as separate field and alert if it is not FF.

It should do that already (or I didn't understand your sentence :p).
As far as I understood your code, you print the message "unknown packet" even if the magic is not FF. I propose you print a separate message for a wrong magic, because it always points to a protocol error.


Quote from: nitroxs on August 28, 2009, 10:20 PM
Quote
I managed to load it the other way,
Could you explain "the other way"?
wireshark.exe -X lua_script:bnetp.lua

Btw, http://wiki.wireshark.org/Lua - as far as I understand, the official site for Lua in Wireshark.
Quote
However, some things remain unclear:
How to install/use Lua?
Is it typical for open source?


Quote from: nitroxs on August 28, 2009, 10:20 PM
(Google code is ok?)
Why not? It doesn't really matter.

I meant it would be nice to put it in a place where people who don't look here can find this plugin along with installation notes.

Quote
but it always gives me an error
Lua Error: [string "bnetp.lua"]:34: attempt to index field 'columns' (a nil value)
I still have this error; can you fix it?


-- Lua is disabled by default, comment out the following line to enable Lua support.
disable_lua = true; do return end;


My Wireshark (Version 0.99.3 (SVN Rev 19011), 24.08.06) has this line already commented out.

Another error: if I open a capture file with right click -> Open with -> Wireshark, I get this error:
Lua: Error during loading:
cannot open bnetp.lua: No such file or directory

Seems like a current-directory issue.

Jailout2000

#18
To answer your question in your opening post: Don Cullen (author of BnetDocs: Redux) was going to make an XML generator for people who wish to use BnetDocs as a database in their programs, like you're describing. The problem is, he hasn't found a standardized version of the XML format he wishes to use, and I haven't spent time on it (he's given me administrative privileges). So currently there is no way for that to really work. I think he may have an old thread lying around that discusses the XML format he wanted to use, which had pros and cons about it from him and others. I'd most likely do a Google search, or a forum search.

So I gave this little Lua script/plugin a try. I downloaded and saved it to bnetp.lua, and edited init.lua to add a dofile and enable Lua in Wireshark. I told Wireshark to filter to "bnetp && bnetp.pid = 0x0F", which gave me only SID_CHATEVENTs, just as I wanted (good work!).

I made a small change to the code however. It appeared that the SID_CHATEVENT packet did not have the Event ID names added to it, so I went ahead and added them:

WProtoField.uint32("","Event ID",base.HEX, {
[0x01] = "EID_USERSHOW",
[0x02] = "EID_USERJOIN",
[0x03] = "EID_USERLEAVE",
[0x04] = "EID_WHISPERRECEIVED",
[0x06] = "EID_BROADCAST",
[0x05] = "EID_USERTALK",
[0x07] = "EID_CHANNEL",
[0x09] = "EID_USERUPDATE",
[0x0A] = "EID_WHISPERSENT",
[0x0D] = "EID_CHANNELFULL",
[0x0E] = "EID_CHANNELDOESNOTEXIST",
[0x0F] = "EID_CHANNELRESTRICTED",
[0x12] = "EID_INFO",
[0x13] = "EID_ERROR",
[0x17] = "EID_EMOTE",
}),


You may also want to have the defunct fields be base.HEX, instead of just nothing (or base.DEC as it appears). This would help people see what Battle.net is actually throwing, because for the account number and registration authority, Battle.net throws 0xbaadf00d which would be a large decimal number instead without base.HEX.

Another suggestion: try to make flags, like for SID_CHATEVENT and other packets, actually be defined. This would help distinguish between a normal user, an administrator, etc., or in the case of SID_JOINCHANNEL, a forceful join or a first join. Yes, I admit, most would not need this, especially if they have the knowledge to even use this script, but it would still be useful to those who don't feel like calculating bitwise flags.

Good work, -Jailout2000
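As an added example (this is not the thread's bnetp.lua and not nitroxs's code), here is a minimal Wireshark Lua dissector that puts together the points made in nitroxs's reply about asking Wireshark for the next segment and in Jailout2000's post about Event ID names and base.HEX: the 0xFF magic is its own field and a wrong value is reported on that byte rather than scanned past, a packet that continues in the next TCP segment is requested through pinfo.desegment_offset/pinfo.desegment_len, several packets in one segment are handled by looping, and the Event ID, the user flags and the defunct DWORDs are declared with value-string tables and base.HEX. It relies on the BNCS header layout (0xFF, one ID byte, 16-bit little-endian length that includes the 4-byte header); the protocol name "bnetx", the field abbreviations, the TCP port registration and the two flag bit names are assumptions made for the example.

```lua
-- Added example dissector; not the bnetp.lua discussed in the thread.
-- Names and the port registration are assumptions for illustration.
local bnet = Proto("bnetx", "Battle.net chat protocol (example)")

local pid_names = { [0x0F] = "SID_CHATEVENT" }   -- assumed partial table

-- Event ID names as posted by Jailout2000 above.
local eid_names = {
    [0x01] = "EID_USERSHOW", [0x02] = "EID_USERJOIN", [0x03] = "EID_USERLEAVE",
    [0x04] = "EID_WHISPERRECEIVED", [0x05] = "EID_USERTALK", [0x06] = "EID_BROADCAST",
    [0x07] = "EID_CHANNEL", [0x09] = "EID_USERUPDATE", [0x0A] = "EID_WHISPERSENT",
    [0x0D] = "EID_CHANNELFULL", [0x0E] = "EID_CHANNELDOESNOTEXIST",
    [0x0F] = "EID_CHANNELRESTRICTED", [0x12] = "EID_INFO", [0x13] = "EID_ERROR",
    [0x17] = "EID_EMOTE",
}

local f = {
    magic   = ProtoField.uint8 ("bnetx.magic", "Magic", base.HEX),
    pid     = ProtoField.uint8 ("bnetx.pid", "Packet ID", base.HEX, pid_names),
    len     = ProtoField.uint16("bnetx.len", "Length", base.DEC),
    eid     = ProtoField.uint32("bnetx.eid", "Event ID", base.HEX, eid_names),
    flags   = ProtoField.uint32("bnetx.flags", "User flags", base.HEX),
    -- Bitmask subfields so a reader need not decode the flags by hand.
    -- The bit assignments are assumed for the example; check BnetDocs.
    op      = ProtoField.uint32("bnetx.flags.op", "Channel operator", base.DEC, nil, 0x02),
    admin   = ProtoField.uint32("bnetx.flags.admin", "Administrator", base.DEC, nil, 0x08),
    -- Defunct DWORDs in hex so a filler like 0xbaadf00d stays readable.
    acct    = ProtoField.uint32("bnetx.account", "Account number (defunct)", base.HEX),
    regauth = ProtoField.uint32("bnetx.regauth", "Registration authority (defunct)", base.HEX),
}
bnet.fields = { f.magic, f.pid, f.len, f.eid, f.flags, f.op, f.admin, f.acct, f.regauth }

local HEADER_LEN = 4   -- magic (1) + id (1) + length (2)

function bnet.dissector(buffer, pinfo, tree)
    pinfo.cols.protocol = "BNETX"
    local offset = 0
    local total = buffer:len()

    while offset < total do
        local remaining = total - offset

        -- The length field is in the header, so the full header is needed first.
        if remaining < HEADER_LEN then
            pinfo.desegment_offset = offset
            pinfo.desegment_len = DESEGMENT_ONE_MORE_SEGMENT
            return
        end

        local magic = buffer(offset, 1):uint()
        if magic ~= 0xFF then
            -- Protocol error: flag this byte and stop. Scanning forward for
            -- another 0xFF would resynchronise on arbitrary data.
            local bad = tree:add(bnet, buffer(offset))
            bad:add(f.magic, buffer(offset, 1)):append_text(" [wrong magic, expected 0xFF]")
            return
        end

        local plen = buffer(offset + 2, 2):le_uint()
        if plen < HEADER_LEN then
            tree:add(bnet, buffer(offset)):append_text(" [bad length]")
            return
        end

        -- Packet continues in the next TCP segment: ask for exactly the rest,
        -- and tell Wireshark where this packet started.
        if remaining < plen then
            pinfo.desegment_offset = offset
            pinfo.desegment_len = plen - remaining
            return
        end

        local pid = buffer(offset + 1, 1):uint()
        local sub = tree:add(bnet, buffer(offset, plen),
                             string.format("Battle.net packet 0x%02X", pid))
        sub:add(f.magic, buffer(offset, 1))
        sub:add(f.pid, buffer(offset + 1, 1))
        sub:add_le(f.len, buffer(offset + 2, 2))

        -- SID_CHATEVENT: Event ID, flags, ping, IP, account, registration authority.
        if pid == 0x0F and plen >= HEADER_LEN + 24 then
            local b = offset + HEADER_LEN
            sub:add_le(f.eid, buffer(b, 4))
            local fl = sub:add_le(f.flags, buffer(b + 4, 4))
            fl:add_le(f.op, buffer(b + 4, 4))
            fl:add_le(f.admin, buffer(b + 4, 4))
            sub:add_le(f.acct, buffer(b + 16, 4))
            sub:add_le(f.regauth, buffer(b + 20, 4))
        end

        offset = offset + plen   -- next packet in the same segment, if any
    end
end

-- Port registration assumed for the example.
DissectorTable.get("tcp.port"):add(6112, bnet)
```

Load it the same way as the thread describes (a dofile from init.lua, or wireshark -X lua_script:file.lua). The loop index is the only state the dissector needs: because every request for more data records desegment_offset, Wireshark hands back a buffer that starts at the packet boundary, so there is nothing to remember between calls.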

nitroxs

#19
Quote from: xpeh on August 29, 2009, 12:16 AM
As far as I understood your code, you print the message "unknown packet" even if the magic is not FF. I propose you print a separate message for a wrong magic, because it always points to a protocol error.

Yes, that's right. I did that because some packets don't carry a magic of FF.


Quote
wireshark.exe -X lua_script:bnetp.lua

Ok, I will check if it works for me that way.

Quote
Btw, http://wiki.wireshark.org/Lua - as far as I understand, the official site for Lua in Wireshark.
Quote
However, some things remain unclear:
How to install/use Lua?
Is it typical for open source?

The missing documentation, I guess :P. As for Lua, I don't know. It's mainly used for scripting tasks inside games because of its compact interpreter.

Looking at Ohloh, they say the earliest usage of Lua was in 1998. And there are only 905 projects created since then. So, I guess it's not very popular.

Quote
Quote from: nitroxs on August 28, 2009, 10:20 PM
(Google code is ok?)
Why not? It doesn't really matter.

When I was creating the project I thought "private protocol, EULA, ...hmm I better ask first" ;D

Quote
Quote
but it always gives me an error
Lua Error: [string "bnetp.lua"]:34: attempt to index field 'columns' (a nil value)
I still have this error; can you fix it?

Another error: if I open a capture file with right click -> Open with -> Wireshark, I get this error:
Lua: Error during loading:
cannot open bnetp.lua: No such file or directory

Seems like a current-directory issue.

I will download your version of Wireshark and try to fix them. Btw, I have version 1.2.1 (SVN Rev 29141). Maybe they fixed those issues.

Quote
-- Lua is disabled by default, comment out the following line to enable Lua support.
disable_lua = true; do return end;


My Wireshark (Version 0.99.3 (SVN Rev 19011), 24.08.06) has this line already commented out.

Is that code what you found in init.lua? If it is, then you have to add "--" in front of the second line:


disable_lua = true; do return end; <-- this one


EDIT: never mind. It's enabled by default on that Wireshark version, but the Lua plugin needs to be selected during setup.
The columns error should be gone now.
The path issue is still there. It may be avoided by giving the full path to the dofile instruction (with backslashes escaped: \\).

nitroxs

Quote from: Jailout2000 on August 29, 2009, 12:59 AM
I made a small change to the code however. It appeared that the SID_CHATEVENT packet did not have the Event ID names added to it, so I went ahead and added them:

WProtoField.uint32("","Event ID",base.HEX, {
[0x01] = "EID_USERSHOW",
[0x02] = "EID_USERJOIN",
[0x03] = "EID_USERLEAVE",
[0x04] = "EID_WHISPERRECEIVED",
[0x06] = "EID_BROADCAST",
[0x05] = "EID_USERTALK",
[0x07] = "EID_CHANNEL",
[0x09] = "EID_USERUPDATE",
[0x0A] = "EID_WHISPERSENT",
[0x0D] = "EID_CHANNELFULL",
[0x0E] = "EID_CHANNELDOESNOTEXIST",
[0x0F] = "EID_CHANNELRESTRICTED",
[0x12] = "EID_INFO",
[0x13] = "EID_ERROR",
[0x17] = "EID_EMOTE",
}),

Thanks, I will add that.

Quote
You may also want to have the defunct fields be base.HEX, instead of just nothing (or base.DEC as it appears). This would help people see what Battle.net is actually throwing, because for the account number and registration authority, Battle.net throws 0xbaadf00d which would be a large decimal number instead without base.HEX.

Another suggestion, try to make flags like for SID_CHATEVENT and other packets, actually be defined. This would help distinguish between a normal user, an administrator, etc. or in the case of SID_JOINCHANNEL, a forceful join, or a first join. Yes, I admit, most would not need this, especially if they have the knowledge to even use this script, but it would still be useful to those who don't feel like calculating bitwise flags.


Yeah, I still have to go through the packets one by one, checking for things the Perl script couldn't extract from "bnetdocs.txt". That text file is really buggy :'(



xpeh

#23
I edited your version. There are 2 files in the archive; use compare by content in TC or something like it to find the changes.

http://depositfiles.com/files/n23jgpksg

Can I upload to SVN? So you can see it and accept the changes.

Btw, it's not very handy to edit a 50 KB file with a text editor when the only way to find errors is to run Wireshark.

I have installed the newest version of Wireshark; now everything works OK. Another change: it became really fat, 120 MB of RAM.

So I'm going to sleep. I'll write more later.

nitroxs

Quote from: xpeh on August 31, 2009, 03:56 AM
Can I upload to SVN? So you can see it and accept the changes.

Sure, just send me the google account you use.

Camel

Platform/Product IDs are shown in hex; can you make it show 'IX86' or whatever?

Various fields of binary data are displayed as strings.

SID_CDKEY2/SID_LOGONRESPONSE2 only recognize the first DWORD for hashed data (there are 5!) - or display as 20 bytes of hex.

If two BNCS packets are sent in one TCP sequence, only the first packet is picked up. Presumably, a packet split over more than one sequence would break too?

nitroxs

Quote from: Camel on August 31, 2009, 12:43 PM
SID_CDKEY2/SID_LOGONRESPONSE2 only recognize the first DWORD for hashed data (there are 5!) - or display as 20 bytes of hex.

Array fields or fixed-length strings are not implemented right now. But they will (I hope) be available soon.

Quote
If two BNCS packets are sent in one TCP sequence, only the first packet is picked up. Presumably, a packet split over more than one sequence would break too?

Hmm.. that should work since the last update. Check the project page or use the file posted by xpeh on his last post.

If it is still broken, post any error message shown.

xpeh

#27
Quote from: Camel on August 31, 2009, 12:43 PM
Presumably, a packet split over more than one sequence would break too?
No, funny, but it works.
Btw, these "sequences" are called frames.

nitroxs,

You should add the following types:

- ip (network byte order, opposite to Intel). For some reason Lua's built-in ipv4 uses Intel order (lol?)
- windows (?) file time, used in sid_getfiletime
- unix file time
- string-dword (swap dword and output as string)
- statstring decoder
- user flag decoder
- array of any basic type
- iterator (cdkey/gamelist)
- exe version decoder
- sid_checkad: extension: string[4]


Stop decoding UDP!
Even war3 uses udptest? lol

Wow, you did TCP frame merging?
If there are many packets in 1 frame, only 1 is decoded.

Don't try to decode packets with a wrong magic (not 0x01-0x03 or 0xff). You need to find another way to handle fragmented packets; don't search for the first 0xff.

Output strings in ""?

Is it possible to print short hex values (0x10 instead of 0x00000010)? Rounded to whole bytes.

If you want help, show me how to use Lua in the dissector. How can I display different data types?

Use the Info field. Like [C>S] 0x33, 0x33, 0x33. Or use packet names instead, or both together.
The same for the field in the packet decoder window (near "Battle.net protocol").

0x14 sid_udppingresponse
udpcode: dwordstr

0x3a sid_logonresponse
reason: only by 0x06 code?

product id (maybe all ID's): DwordStr

s>0x09 sid_getadvlist
if number of games = 0, show status

I had a weird problem. A syntactically correct dissector hangs Wireshark; it freezes and consumes memory until there is nothing left.

Please upload my edit so we don't have version conflicts.

Btw, what time zone do you have?

Is it generally possible to allow anyone to upload to SVN, but changes need to be committed by an admin to appear?
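For two of the types requested above (the string-dword that Camel also asked about for Platform/Product IDs, and the Windows file time used by SID_GETFILETIME), here is an added example of how they can be rendered from a Wireshark Lua dissector. It is not code from bnetp.lua or from this thread's authors; the protocol name "bnetx_types", the field abbreviations and the 16-byte layout it dissects (product id, file time, IPv4 address) are assumptions made so the helpers have something to run on.

```lua
-- Added example helpers; not the bnetp.lua discussed in the thread.
local ex = Proto("bnetx_types", "Battle.net field-type helpers (example)")

local f_product  = ProtoField.string("bnetx_types.product", "Product ID")
local f_filetime = ProtoField.absolute_time("bnetx_types.filetime", "File time", base.UTC)
local f_ip       = ProtoField.ipv4("bnetx_types.ip", "IP address")
ex.fields = { f_product, f_filetime, f_ip }

-- "DwordStr": a DWORD that is really four ASCII characters stored
-- little-endian, so the bytes of 'IX86' arrive as "68XI" and must be reversed.
local function dword_str(range)
    return string.reverse(range:string())
end

-- Windows FILETIME: 100 ns ticks since 1601-01-01 as a little-endian 64-bit
-- value. It is read as two 32-bit halves and combined in a Lua number; a
-- double keeps about 53 bits, so the result is exact to roughly a microsecond,
-- which is fine for display.
local EPOCH_DIFF = 11644473600   -- seconds from 1601-01-01 to 1970-01-01
local function filetime_to_nstime(range)
    local low   = range:range(0, 4):le_uint()
    local high  = range:range(4, 4):le_uint()
    local ticks = high * 4294967296 + low
    local secs  = math.floor(ticks / 10000000) - EPOCH_DIFF
    local nsecs = (ticks % 10000000) * 100
    return NSTime.new(secs, nsecs)
end

function ex.dissector(buffer, pinfo, tree)
    -- Layout assumed for the example: product id (4), file time (8), IPv4 (4).
    if buffer:len() < 16 then return end
    local sub = tree:add(ex, buffer(0, 16))
    -- Pass the decoded value explicitly; the highlighted bytes stay the raw ones.
    sub:add(f_product, buffer(0, 4), dword_str(buffer(0, 4)))
    sub:add(f_filetime, buffer(4, 8), filetime_to_nstime(buffer(4, 8)))
    -- ProtoField.ipv4 takes the bytes as they are on the wire (network order),
    -- so nothing needs swapping for an address sent in that order.
    sub:add(f_ip, buffer(12, 4))
end
```

The pattern is the same for the other requested types: read the raw bytes, convert them in a small Lua function, and hand the converted value to tree:add together with the original TvbRange, so the field filters and byte highlighting keep working.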

Camel

Quote from: xpeh on August 31, 2009, 03:30 PM
You need to find another way to handle fragmented packets; don't search for the first 0xff.
That's what battle.snp does.

Quote from: xpeh on August 31, 2009, 03:30 PM
Is it possible to print short hex values (0x10 instead of 0x00000010)? Rounded to whole bytes.
I think that would go against convention; I'd say leave it wide.

xpeh

#29
Quote from: Camel on August 31, 2009, 03:48 PM
Quote from: xpeh on August 31, 2009, 03:30 PM
You need to find another way to handle fragmented packets; don't search for the first 0xff.
That's what battle.snp does.
The only correct behaviour is to search for the magic after the end of the previous packet.
I think this behaviour causes processor and RAM consumption on non-bnet data (bnftp etc.).

Quote from: Camel on August 31, 2009, 03:48 PM
Quote from: xpeh on August 31, 2009, 03:30 PM
Is it possible to print short hex values (0x10 instead of 0x00000010)? Rounded to whole bytes.
I think that would go against convention; I'd say leave it wide.
There are fields like game type or verbyte which use many bytes but actually never exceed one.
