On Mon, Jul 22, 2019 at 09:22:56PM +0900, Matt wrote:
> Hi,
>
> I've recently been spending some time working with netlink/wireshark.
> More precisely with a out-of-tree generic netlink protocol: the
> multipath TCP netlink path manager.
>
> I was surprised to see next to the generic netlink family id the name
> of the family "mptcp" in wireshark.I've had a look at the code yet I
> couldn't figure how it got the mapping from a number to the family
> name.
> I happen to unload/reload the linux kernel module in charge of this
> netlink family, thus its id keeps changing (visible via `genl ctrl
> list`). I have a lua script in charge of decoding this custom protocol
> which is attached like this
> ====
> netlink_table = DissectorTable.get("genl.family")
> local ret = netlink_table:add("mptcp", mptcp_proto)
> =====
>
> but once I reload the module, wireshark is unable to map the family
> name "mptcp" to the id, so my dissector is never used.
The mapping is stored here
https://github.com/wireshark/wireshark/blob/v3.1.0/epan/dissectors/packet-netlink-generic.c#L371-L378
and discovered dynamically while parsing the attributes in a single
packet. After reloading, if you capture these attributes, the mapping
should work.
> What would you recommand me to work around this ? Would there be
> interest in having a C/lua plugin to do the mapping (either via
> netlink or by scraping genl ctrl list) ?
If you can trigger a netlink message with the attributes (perhaps using
genl-ctr-list?), Wireshark should automatically pick this up.
By the way, with Lua dissector questions, perhaps wireshark-dev would be
a more suitable place. The Lua guide has also moved from the WSUG
(User's Guide) to the WSDG (Developer's Guide) at some point. :-)
--
Kind regards,
Peter Wu
https://lekensteyn.nl