Merge pull request #1088 from daleglass-overte/fix-wireshark-dissector

Fix wireshark dissector
overte-org · Jul 18, 2024 · 2be3011 · 2be3011
2 parents e771bd1 + 56ab058
commit 2be3011
Show file tree

Hide file tree

Showing 6 changed files with 122 additions and 19 deletions.
diff --git a/tools/dissectors/1-hfudt.lua b/tools/dissectors/1-hfudt.lua
@@ -1,4 +1,5 @@
 print("Loading hfudt")
+bit32 = require("bit32")
 
 -- create the HFUDT protocol
 p_hfudt = Proto("hfudt", "HFUDT Protocol")
@@ -154,19 +155,55 @@ local packet_types = {
   [99] = "EntityQueryInitialResultsComplete",
   [100] = "BulkAvatarTraits",
   [101] = "AudioSoloRequest",
-  [102] = "BulkAvatarTraitsAck"
+  [102] = "BulkAvatarTraitsAck",
+  [103] = "StopInjector",
+  [104] = "AvatarZonePresence",
+  [105] = "WebRTCSignaling"
 }
 
+-- PacketHeaders.h, getNonSourcedPackets()
 local unsourced_packet_types = {
-  ["DomainList"] = true,
+  ["DomainConnectRequestPending"] = true,
+  ["CreateAssignment"] = true,
+  ["RequestAssignment"] = true,
+  ["DomainServerRequireDTLS"] = true,
   ["DomainConnectRequest"] = true,
-  ["ICEPing"] = true,
-  ["ICEPingReply"] = true,
+  ["DomainList"] = true,
+  ["DomainConnectionDenied"] = true,
+  ["DomainServerPathQuery"] = true,
+  ["DomainServerPathResponse"] = true,
+  ["DomainServerAddedNode"] = true,
   ["DomainServerConnectionToken"] = true,
   ["DomainSettingsRequest"] = true,
-  ["ICEServerHeartbeatACK"] = true
+  ["OctreeDataFileRequest"] = true,
+  ["OctreeDataFileReply"] = true,
+  ["OctreeDataPersist"] = true,
+  ["DomainContentReplacementFromUrl"] = true,
+  ["DomainSettings"] = true,
+  ["ICEServerPeerInformation"] = true,
+  ["ICEServerQuery"] = true,
+  ["ICEServerHeartbeat"] = true,
+  ["ICEServerHeartbeatACK"] = true,
+  ["ICEPing"] = true,
+  ["ICEPingReply"] = true,
+  ["ICEServerHeartbeatDenied"] = true,
+  ["AssignmentClientStatus"] = true,
+  ["StopNode"] = true,
+  ["DomainServerRemovedNode"] = true,
+  ["UsernameFromIDReply"] = true,
+  ["OctreeFileReplacement"] = true,
+  ["ReplicatedMicrophoneAudioNoEcho"] = true,
+  ["ReplicatedMicrophoneAudioWithEcho"] = true,
+  ["ReplicatedInjectAudio"] = true,
+  ["ReplicatedSilentAudioFrame"] = true,
+  ["ReplicatedAvatarIdentity"] = true,
+  ["ReplicatedKillAvatar"] = true,
+  ["ReplicatedBulkAvatarData"] = true,
+  ["AvatarZonePresence"] = true,
+  ["WebRTCSignaling"] = true
 }
 
+-- PacketHeaders.h, getNonVerifiedPackets()
 local nonverified_packet_types = {
     ["NodeJsonStats"] = true,
     ["EntityQuery"] = true,
@@ -222,6 +259,7 @@ function p_hfudt.dissector(buf, pinfo, tree)
       type:append_text(" (".. control_types[shifted_type][1] .. ")")
 
       subtree:add(f_control_type_text, control_types[shifted_type][1])
+      pinfo.cols.info:append(" [" .. control_types[shifted_type][1] .. "]")
     end
 
     if shifted_type == 0 then
@@ -257,7 +295,7 @@ function p_hfudt.dissector(buf, pinfo, tree)
     -- read the obfuscation level
     local obfuscation_bits = bit32.band(0x03, bit32.rshift(first_word, 27))
     subtree:add(f_obfuscation_level, obfuscation_bits)
-    
+
     -- read the sequence number
     subtree:add(f_sequence_number, bit32.band(first_word, SEQUENCE_NUMBER_MASK))
 
@@ -300,10 +338,12 @@ function p_hfudt.dissector(buf, pinfo, tree)
     local packet_type = buf(payload_offset, 1):le_uint()
     local ptype = subtree:add_le(f_type, buf(payload_offset, 1))
     local packet_type_text = packet_types[packet_type]
+
     if packet_type_text ~= nil then
       subtree:add(f_type_text, packet_type_text)
       -- if we know this packet type then add the name
       ptype:append_text(" (".. packet_type_text .. ")")
+      pinfo.cols.info:append(" [" .. packet_type_text .. "]")
     end
 
     -- read the version
@@ -431,12 +471,12 @@ function deobfuscate(message_bit, buf, level)
   else
     return
   end
-  
+
   local start = 4
   if message_bit == 1 then
     local start = 12
   end
-  
+
   local p = 0
   for i = start, buf:len() - 1 do
     out:set_index(i, bit.bxor(buf(i, 1):le_uint(), key:get_index(7 - (p % 8))) )

diff --git a/tools/dissectors/2-hf-audio.lua b/tools/dissectors/2-hf-audio.lua
@@ -1,5 +1,5 @@
 print("Loading hf-audio")
-
+bit32 = require("bit32")
 -- create the audio protocol
 p_hf_audio = Proto("hf-audio", "HF Audio Protocol")
 

diff --git a/tools/dissectors/3-hf-avatar.lua b/tools/dissectors/3-hf-avatar.lua
@@ -1,4 +1,5 @@
 print("Loading hf-avatar")
+bit32 = require("bit32")
 
 -- create the avatar protocol
 p_hf_avatar = Proto("hf-avatar", "HF Avatar Protocol")

diff --git a/tools/dissectors/4-hf-entity.lua b/tools/dissectors/4-hf-entity.lua
@@ -1,4 +1,5 @@
 print("Loading hf-entity")
+bit32 = require("bit32")
 
 -- create the entity protocol
 p_hf_entity = Proto("hf-entity", "HF Entity Protocol")

diff --git a/tools/dissectors/5-hf-domain.lua b/tools/dissectors/5-hf-domain.lua
@@ -1,4 +1,6 @@
 -- create the domain protocol
+print("Loading hf-domain")
+bit32 = require("bit32")
 p_hf_domain = Proto("hf-domain", "HF Domain Protocol")
 
 -- domain packet fields

diff --git a/tools/dissectors/README.md b/tools/dissectors/README.md
@@ -1,14 +1,73 @@
-High Fidelity Wireshark Plugins
----------------------------------
+# High Fidelity Wireshark Plugins
 
-Install wireshark 2.4.6 or higher.
 
-Copy these lua files into c:\Users\username\AppData\Roaming\Wireshark\Plugins
+## Installation
 
-After a capture any detected High Fidelity Packets should be easily identifiable by one of the following protocols
 
-* HF-AUDIO - Streaming audio packets
-* HF-AVATAR - Streaming avatar mixer packets
-* HF-ENTITY - Entity server traffic
-* HF-DOMAIN - Domain server traffic
-* HFUDT - All other UDP traffic
+* Install wireshark 2.4.6 or higher.
+* Copy these lua files into `c:\Users\username\AppData\Roaming\Wireshark\Plugins` on Windows, or `$HOME/.local/lib/wireshark/plugins` on Linux.
+
+## Lua version
+
+This is a Lua plugin, which requires the bit32 module to be installed. You can find the Lua version wireshark uses in the About dialog, eg:
+
+    Version 4.2.5 (Git commit 798e06a0f7be).
+
+    Compiled (64-bit) using GCC 14.1.1 20240507 (Red Hat 14.1.1-1), with GLib
+    2.80.2, with Qt 6.7.0, with libpcap, with POSIX capabilities (Linux), with libnl
+    3, with zlib 1.3.0.zlib-ng, with PCRE2, with Lua 5.1.5, with GnuTLS 3.8.5 and
+
+This indicates Lua 5.1 is used (see on the last line)
+
+
+## Requirements
+
+On Fedora 40:
+
+* wireshark-devel
+* lua5.1-bit32
+
+
+## Usage
+
+After a capture any detected Overte Packets should be easily identifiable by one of the following protocols
+
+* `HF-AUDIO` - Streaming audio packets
+* `HF-AVATAR` - Streaming avatar mixer packets
+* `HF-ENTITY` - Entity server traffic
+* `HF-DOMAIN` - Domain server traffic
+* `HFUDT` - All other UDP traffic
+
+
+
+
+## Troubleshooting
+
+### attempt to index global 'bit32' (a nil value)
+
+`[Expert Info (Error/Undecoded): Lua Error: /home/dale/.local/lib/wireshark/plugins/1-hfudt.lua:207: attempt to index global 'bit32' (a nil value)]`
+
+See the installation requirements, you need to install the bit32 Lua module for the right Lua version.
+
+## Development hints
+
+
+* Symlink files from the development tree to  `$HOME/.local/lib/wireshark/plugins`, to have Wireshark work on the latest dissector code.
+* Capture packets for later analysis in a PCAPNG file.
+* Only save needed packets in the dump
+
+Decode on the commandline with:
+
+    tshark -r packets.pcapng.gz -V
+
+Decode only the first packet:
+
+    tshark -r packets.pcapng.gz -V -c 1
+
+### Useful tshark arguments
+
+* `-x` hex dump
+* `-c N` Only decode first N packets
+* `-O hfudt,hf-domain,hf-entity,hf-avatar,hf-audio` Only dump Overte protocol data, skip dumping UDP/etc parts.
+* `-V` decode protocols
+*