Wireshark-dev: Re: [Wireshark-dev] [Lua workaround] gRPC dissector does not start Protobuf sub-

From: Alexander Petrossian <paf@xxxxxxxxx>
Date: Thu, 23 Dec 2021 21:43:22 +0300
Some hackish approach gave me the expected result: the message got force-decoded with the proper type.
Not sure:
1. where to get the correct gRPC payload start
2. where to get the correct gRPC message type

(currently both are hard-coded)

--[[
    Copyright (C) 2021 Alexander Petrossian (PAF) <paf@xxxxxxxxx>, 2021

    This program is free software; you can redistribute it and/or modify
    it under the terms of the GNU General Public License as published by
    the Free Software Foundation; either version 2 of the License, or
    (at your option) any later version.

    This program is distributed in the hope that it will be useful,
    but WITHOUT ANY WARRANTY; without even the implied warranty of
    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
    GNU General Public License for more details.
--]]
-------------------------------------------------------------------------

local protobuf_post_info =
{
   version = "1.0",
   author = "Alexander Petrossian",
   description = "Protobuf Postdissector that fully expands payload",
}

set_plugin_info(protobuf_post_info)

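local protobuf_post = Proto("ProtobufPost", "Protobuf Postdissector")

-- Handle to the built-in Protobuf dissector
local protobuf = Dissector.get("protobuf")

-- Hard-coded for this capture: frame offset where the Protobuf message starts
local PAYLOAD_OFFSET = 0x66

function protobuf_post.dissector(tvbuf, pinfo, tree)

   -- Skip frames too short to hold a payload (range() would raise an error)
   if tvbuf:len() <= PAYLOAD_OFFSET then
      return
   end

   -- Length omitted: the range runs to the end of the frame
   local range = tvbuf:range(PAYLOAD_OFFSET)
   local newtvb = range:tvb()
   -- Hard-coded message type the Protobuf dissector should decode the bytes as
   pinfo.private.pb_msg_type = 'message,ru.beeline.services.Request'
   protobuf:call(newtvb, pinfo, tree)

end

register_postdissector(protobuf_post)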




PAF


On 23 Dec 2021, at 20:40, Alexander Petrossian <paf@xxxxxxxxx> wrote:

Friends, currently when gRPC plugin fails to get content-type header value it stops and does not invoke Protobuf dissector, which makes me sad:

  http2_content_type = http2_get_header_value(pinfo, HTTP2_HEADER_CONTENT_TYPE, FALSE);
  if (http2_content_type == NULL || http2_path == NULL) {
      return; /* not continue if there is not enough grpc information */
  }

Thing is, traces are more often recorded without start of communication.
And even when gRPC body is there, content-type field was compressed and can not be decompressed = http2_get_header_value returns NULL.

Could one do some workaround in Lua right now?
Somehow force gRPC hand to invoke Protobuf dissector even without content-type: application/grpc.

I’m thinking of wedging between dissectors and providing some default value of content-type or some such. But that approach seems vague. Any ideas on it or other?

Thanks in advance!
PAF

P.S. I’ve suggested a seemingly trivial untested workaround in C here
https://gitlab.com/wireshark/wireshark/-/issues/17793

Right now I’m interested in some Lua approach that we could employ without recompiling...
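
On the first open question in the reply above (where the gRPC payload starts): gRPC over HTTP/2 puts a 5-byte prefix (1-byte compressed flag, 4-byte big-endian length) in front of each Protobuf message, so the start can be computed and checked instead of hard-coded. The following is an added example, not code from the original posts or from Wireshark; grpc_payload_bounds and the sample bytes are constructed for illustration, and it assumes the HTTP/2 DATA payload is already available as a Lua string.

```lua
-- Added example: find the Protobuf message inside a gRPC Length-Prefixed-Message.
-- Framing: 1-byte compressed flag, 4-byte big-endian length, then the message.
local GRPC_PREFIX_LEN = 5

-- data: Lua string holding one HTTP/2 DATA payload (assumed already extracted).
-- Returns 0-based offset, message length, compressed flag; or nil plus a reason.
local function grpc_payload_bounds(data)
   if #data < GRPC_PREFIX_LEN then
      return nil, "truncated prefix"
   end
   local flag, b1, b2, b3, b4 = data:byte(1, GRPC_PREFIX_LEN)
   if flag > 1 then
      -- Only 0 and 1 are defined; anything else means this is not a gRPC prefix
      return nil, "bad compressed flag"
   end
   -- Byte arithmetic instead of string.unpack, so this also runs on Lua 5.2
   local msg_len = ((b1 * 256 + b2) * 256 + b3) * 256 + b4
   if msg_len > #data - GRPC_PREFIX_LEN then
      -- Never slice past the bytes actually captured
      return nil, "message continues in a later DATA frame"
   end
   return GRPC_PREFIX_LEN, msg_len, flag == 1
end

-- Constructed sample: uncompressed, 3-byte Protobuf message 08 96 01
local sample = string.char(0x00, 0x00, 0x00, 0x00, 0x03, 0x08, 0x96, 0x01)
print(grpc_payload_bounds(sample))
-- Same prefix, but only one message byte present: rejected, not sliced
print(grpc_payload_bounds(sample:sub(1, 6)))
```

The returned offset is relative to the start of the HTTP/2 DATA payload, not to the frame, so in a postdissector it has to be added to wherever that payload begins. When the compressed flag is set, the bytes must be decompressed before they are handed to the Protobuf dissector.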