Wireshark Protobuf Dissector

A Wireshark Lua plugin to decode/dissect Google Protobuf messages

This is a full Wireshark plugin to display Google Protobuf message packets, with the following features:

This plugin is similar in concept to the protobuf-wireshark project, except that this one does not require compiling any C++ (and the other project appears to be dead).

Usage:

Copy this entire directory of files into your Wireshark "Personal Plugins" folder. You can skip/ignore the "test" directory, but not the others. If you have one or more .proto files to use, put them in the "files" directory.

Tip: to find out where your Personal Plugins folder is, open Wireshark and go to Help->About Wireshark and it will be listed in the Folders tab. You may need to create the folder the first time.

Then start Wireshark, open a file with your Protobuf packets, select one of those packets, right-click and select "Decode as..." and scroll down to the name of your outer-most Message type. To make this happen all the time for a UDP port, go to "Edit->Preferences->Protocols", find your outer-most Message type, and put the UDP port number in the field shown (or a range of port numbers if it can be more than one port).

The "outer-most Message type" is the Protobuf 'message' identifier name in your .proto file, but in all capital letters. You'll see that every Protobuf 'message' identifier name creates a new protocol in Wireshark; you can use one or all of them as the outer-most Message type. (see details in the 'How it works' section below)

If you do not have a .proto file definition to decode with, then select the protocol "PROTOBUF", which is the generic dissector.
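What the generic dissector can and cannot recover is easiest to see on raw bytes. The following is an added example written for this page, not code from the plugin: a minimal walker over the Protobuf wire format that splits a message into (field number, wire type, value) triples, rejects truncated or over-long input the way a dissector exposed to untrusted packets has to, and shows why a length-delimited field can only be displayed as bytes when there is no .proto file to say what it is. The sample message and the `looks_like_message` heuristic are constructed for illustration.

```python
"""Generic Protobuf wire-format walker (an added example, not code from the plugin).

Without a .proto file a decoder only sees the wire format: each field is a
varint tag (field_number << 3 | wire_type) followed by a payload whose shape
depends on the wire type. This is the information a generic dissector can
recover, and the point where it has to stop guessing.
"""
from typing import List, Optional, Tuple

# Wire types from the Protobuf encoding specification (6 and 7 are unassigned).
VARINT, FIXED64, LEN, SGROUP, EGROUP, FIXED32 = 0, 1, 2, 3, 4, 5
MAX_VARINT_BYTES = 10  # a 64-bit value never needs more than 10 varint bytes


class MalformedProtobuf(ValueError):
    """Raised for input that no conforming encoder would produce."""


def read_varint(buf: bytes, pos: int) -> Tuple[int, int]:
    """Decode a base-128 varint at pos; return (value, position after it).

    Truncated and over-long encodings are rejected instead of being read
    past the buffer or looped on, which is what a dissector fed hostile
    input must guard against.
    """
    value, shift = 0, 0
    for i in range(MAX_VARINT_BYTES):
        if pos + i >= len(buf):
            raise MalformedProtobuf("truncated varint at offset %d" % pos)
        b = buf[pos + i]
        value |= (b & 0x7F) << shift
        if not b & 0x80:          # high bit clear: last byte of the varint
            return value, pos + i + 1
        shift += 7
    raise MalformedProtobuf("varint longer than %d bytes at offset %d"
                            % (MAX_VARINT_BYTES, pos))


def decode_fields(buf: bytes) -> List[Tuple[int, int, Optional[object]]]:
    """Walk one message and return (field_number, wire_type, value) triples.

    LEN payloads come back as raw bytes: without a schema they could be a
    string, bytes, a packed repeated field or an embedded message, so this
    is where a generic dissector can only show bytes.
    """
    out: List[Tuple[int, int, Optional[object]]] = []
    pos = 0
    while pos < len(buf):
        tag, pos = read_varint(buf, pos)
        field, wtype = tag >> 3, tag & 0x7
        if field == 0:
            raise MalformedProtobuf("field number 0 is reserved (offset %d)" % pos)
        if wtype == VARINT:
            val, pos = read_varint(buf, pos)
        elif wtype in (FIXED64, FIXED32):
            width = 8 if wtype == FIXED64 else 4
            if pos + width > len(buf):
                raise MalformedProtobuf("truncated fixed%d at offset %d" % (width * 8, pos))
            val = int.from_bytes(buf[pos:pos + width], "little")
            pos += width
        elif wtype == LEN:
            length, pos = read_varint(buf, pos)
            if length > len(buf) - pos:   # declared length must fit in what is left
                raise MalformedProtobuf("length %d overruns buffer at offset %d" % (length, pos))
            val = buf[pos:pos + length]
            pos += length
        elif wtype in (SGROUP, EGROUP):
            val = None  # group delimiters carry no payload of their own
        else:
            raise MalformedProtobuf("unassigned wire type %d at offset %d" % (wtype, pos))
        out.append((field, wtype, val))
    return out


def looks_like_message(payload: bytes) -> bool:
    """Heuristic a generic dissector might use before recursing into a LEN
    field: True if the bytes parse as one or more well-formed fields.
    Short strings such as b"hi" also pass, so this is a guess, not a proof."""
    try:
        return len(decode_fields(payload)) > 0
    except MalformedProtobuf:
        return False


# Constructed sample (not captured traffic): field 1 varint 150, field 2 the
# string "testing", field 3 fixed32 0xDEADBEEF, field 4 an embedded message
# that itself holds field 1 = 1.
SAMPLE = (bytes.fromhex("08 96 01")
          + b"\x12\x07testing"
          + b"\x1d" + (0xDEADBEEF).to_bytes(4, "little")
          + b"\x22\x02\x08\x01")

if __name__ == "__main__":
    for field, wtype, val in decode_fields(SAMPLE):
        nested = wtype == LEN and looks_like_message(val)
        print(field, wtype, val, "(parses as a message)" if nested else "")
```

Run stand-alone it prints the four fields of the constructed sample; the embedded message in field 4 parses cleanly, while the string in field 2 does not, which is the kind of hint a generic dissector can use but must not trust. The checks in `read_varint` and the LEN branch are the ones that matter when the input comes off the wire rather than from a trusted encoder.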

Note: this plugin cannot load new .proto files while Wireshark is running - if you want to modify, add, or delete .proto files you must restart Wireshark/tshark for the changes to take effect. (this is due to a Wireshark limitation, and might be fixed in Wireshark v2.0)

Example screenshot: TODO: add the screenshot, once the repo is up on github ![*Screenshot of plugin in use](https://cloud.githubusercontent.com/assets/[fill me in])

Compatibility

Requires Wireshark version 1.12.0 or higher.

License

Copyright (c) 128 Technology, Inc. MIT license. See the LICENSE.md file for details.

Limitations:

How it works:

The plugin implements a "compiler" for .proto file syntax, which converts the .proto file contents into Wireshark Proto and ProtoField objects and run-time dissector functions. This takes quite a bit of code and goes through various stages of "compilation", but the details of that won't be described here.

Each protobuf 'message', whether at file level or within another 'message', is registered as a Wireshark Lua Proto protocol object using its fully scoped name. For example, a .proto file definition of "message foo {...}" will create a "FOO" protocol. If that 'foo' message had another message defined inside of it, named "bar", then that internal one would become a "FOO.BAR" protocol. If that .proto file had a 'package' statement, such as "package qux;", then that is part of the scope, and the created protocol name would be "QUX.FOO" for the outer message, and "QUX.FOO.BAR" for the inner. Each of these message protocols gets its own preferences, and can be used independently for dissecting packets. (As they can be used independently in Google's protobuf libraries.)

Each field inside a 'message' becomes a Wireshark Lua ProtoField object, registered in its encompassing message's Proto object. The ProtoField type is based on the protobuf type: a protobuf 'int32' becomes an int32 ProtoField type, as do 'sint32' and 'sfixed32'; a 'group' becomes a bytes ProtoField type, etc. Protobuf 'enum' statements generate value-string tables for the fields that use them, which are passed into the relevant ProtoField objects. If a field inside a message refers to another message, that linkage is resolved as well. And so on.
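The scoping and type-mapping rules of the two paragraphs above can be exercised on a small .proto file. The following is an added example written for this page, not the plugin's own compiler: it walks a constructed .proto text, produces the upper-cased scoped protocol names ("QUX.FOO", "QUX.FOO.BAR"), maps scalar fields to ProtoField types, resolves message-typed fields to the protocol they link to, and collects enum value-string tables. The int32/sint32/sfixed32 -> int32 mapping is the one the text states; the other rows of the table are assumed by analogy, and the "message:"/"enum:" markers are this example's own notation. Only proto2-style scalar, message and enum fields are handled (no groups, map<>, oneof, imports or extensions).

```python
"""Tiny .proto scope walker (an added example, not the plugin's own compiler).

It applies the naming rule from the text: every 'message', nested or not,
becomes a protocol named by its fully scoped path in upper case, with the
'package' as the outermost scope, and each field is mapped to a ProtoField
type. It handles proto2-style scalar, message and enum fields only; groups,
map<>, oneof, imports and extensions are out of scope.
"""
import re
from typing import Dict, List, Tuple

# Scalar -> ProtoField type. int32/sint32/sfixed32 -> int32 is stated in the
# text; the remaining rows are assumed by analogy.
SCALAR_TO_PROTOFIELD = {
    "int32": "int32", "sint32": "int32", "sfixed32": "int32",
    "uint32": "uint32", "fixed32": "uint32",
    "int64": "int64", "sint64": "int64", "sfixed64": "int64",
    "uint64": "uint64", "fixed64": "uint64",
    "bool": "bool", "string": "string", "bytes": "bytes",
    "float": "float", "double": "double",
}
# Line comments, words (including dotted names and numbers), punctuation.
TOKEN = re.compile(r"//[^\n]*|[\w.]+|[{};=]")

Field = Tuple[str, int, str]           # (name, number, protofield type)


def tokenize(src: str) -> List[str]:
    return [t for t in TOKEN.findall(src) if not t.startswith("//")]


def compile_proto(src: str) -> Tuple[List[str], Dict[str, List[Field]], Dict[str, Dict[int, str]]]:
    """Return (protocol names, fields per protocol, enum value-string tables).

    A field type of "message:<PROTO>" links to another message protocol;
    "enum:<scope>" means the field is decoded through that value-string table.
    """
    toks = tokenize(src)
    package: List[str] = []
    stack: List[Tuple[str, str]] = []          # (kind, name) for open { } blocks
    protocols: List[str] = []
    fields: Dict[str, List[Field]] = {}
    enums: Dict[str, Dict[int, str]] = {}
    pending: List[Tuple[str, str, int, str, List[str]]] = []  # resolved after the pass

    def scope() -> List[str]:
        return package + [name for _, name in stack]

    i = 0
    while i < len(toks):
        t = toks[i]
        if t == "package":
            package = toks[i + 1].split(".")
            i += 3                                  # package <name> ;
        elif t in ("message", "enum") and i + 2 < len(toks) and toks[i + 2] == "{":
            stack.append((t, toks[i + 1]))
            full = ".".join(scope())
            if t == "message":
                protocols.append(full.upper())      # "qux.foo.bar" -> "QUX.FOO.BAR"
                fields[full.upper()] = []
            else:
                enums[full] = {}
            i += 3                                  # message <name> {
        elif t == "}":
            stack.pop()
            i += 1
        elif t == "=" and stack:
            kind, _ = stack[-1]
            full = ".".join(scope())
            if kind == "enum":                      # NAME = number ;
                enums[full][int(toks[i + 1])] = toks[i - 1]
            elif toks[i - 2] != "option":           # [label] type name = number ;
                pending.append((full.upper(), toks[i - 1], int(toks[i + 1]), toks[i - 2], scope()))
            i += 3                                  # = <value> ;
        else:
            i += 1                                  # labels, 'syntax', stray tokens

    def resolve(ftype: str, scopes: List[str]) -> str:
        if ftype in SCALAR_TO_PROTOFIELD:
            return SCALAR_TO_PROTOFIELD[ftype]
        # Like protoc, look the name up from the innermost scope outward.
        for depth in range(len(scopes), -1, -1):
            cand = ".".join(scopes[:depth] + [ftype])
            if cand.upper() in fields:
                return "message:" + cand.upper()
            if cand in enums:
                return "enum:" + cand
        raise ValueError("unresolved type %r in %s" % (ftype, ".".join(scopes)))

    for proto, name, number, ftype, scopes in pending:
        fields[proto].append((name, number, resolve(ftype, scopes)))
    return protocols, fields, enums


# Constructed sample .proto (not from the project's "files" directory).
SAMPLE_PROTO = """
syntax = "proto2";
package qux;

message foo {
  optional int32 id = 1;       // becomes an int32 ProtoField
  optional string label = 2;
  message bar {                // nested: protocol QUX.FOO.BAR
    optional sfixed32 x = 1;
  }
  optional bar inner = 3;      // link to the nested message protocol
  enum kind { A = 0; B = 1; }  // value-string table for 'k'
  optional kind k = 4;
}
"""

if __name__ == "__main__":
    protos, flds, enms = compile_proto(SAMPLE_PROTO)
    for p in protos:
        print(p, flds[p])
    print(enms)
```

Type references are resolved only after the whole file has been walked, because a field may name a message or enum that is declared later in the file; resolution then proceeds from the innermost scope outward, which is the lookup order Protobuf itself uses.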

TODO: