diff --git a/tools/dissectors/1-hfudt.lua b/tools/dissectors/1-hfudt.lua index 5a03331fc6d..0a7937e9804 100644 --- a/tools/dissectors/1-hfudt.lua +++ b/tools/dissectors/1-hfudt.lua @@ -1,4 +1,5 @@ print("Loading hfudt") +bit32 = require("bit32") -- create the HFUDT protocol p_hfudt = Proto("hfudt", "HFUDT Protocol") 
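Review bot: `bit32 = require("bit32")` at the top of 1-hfudt.lua is unguarded and assigns a global, and the same line is added to 2-hf-audio.lua, 3-hf-avatar.lua, 4-hf-entity.lua and 5-hf-domain.lua. When the module is not installed the `require` raises and the dissector fails to load with a generic Lua error. I would write `local ok, bit32 = pcall(require, "bit32")` followed by `if not ok then error("hfudt: Lua module 'bit32' is required: " .. tostring(bit32)) end`, so the failure names the missing dependency and each file keeps its own local. Because `require` resolves through `package.path` and `package.cpath`, it is also worth confirming that Wireshark's search path finds the distribution's bit32 and not a same-named file in a user-writable directory.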
@@ -154,19 +155,55 @@ local packet_types = { [99] = "EntityQueryInitialResultsComplete", [100] = "BulkAvatarTraits", [101] = "AudioSoloRequest", - [102] = "BulkAvatarTraitsAck" + [102] = "BulkAvatarTraitsAck", + [103] = "StopInjector", + [104] = "AvatarZonePresence", + [105] = "WebRTCSignaling" } +-- PacketHeaders.h, getNonSourcedPackets() local unsourced_packet_types = { - ["DomainList"] = true, + ["DomainConnectRequestPending"] = true, + ["CreateAssignment"] = true, + ["RequestAssignment"] = true, + ["DomainServerRequireDTLS"] = true, ["DomainConnectRequest"] = true, - ["ICEPing"] = true, - ["ICEPingReply"] = true, + ["DomainList"] = true, + ["DomainConnectionDenied"] = true, + ["DomainServerPathQuery"] = true, + ["DomainServerPathResponse"] = true, + ["DomainServerAddedNode"] = true, ["DomainServerConnectionToken"] = true, ["DomainSettingsRequest"] = true, - ["ICEServerHeartbeatACK"] = true + ["OctreeDataFileRequest"] = true, + ["OctreeDataFileReply"] = true, + ["OctreeDataPersist"] = true, + ["DomainContentReplacementFromUrl"] = true, + ["DomainSettings"] = true, + ["ICEServerPeerInformation"] = true, + ["ICEServerQuery"] = true, + ["ICEServerHeartbeat"] = true, + ["ICEServerHeartbeatACK"] = true, + ["ICEPing"] = true, + ["ICEPingReply"] = true, + ["ICEServerHeartbeatDenied"] = true, + ["AssignmentClientStatus"] = true, + ["StopNode"] = true, + ["DomainServerRemovedNode"] = true, + ["UsernameFromIDReply"] = true, + ["OctreeFileReplacement"] = true, + ["ReplicatedMicrophoneAudioNoEcho"] = true, + ["ReplicatedMicrophoneAudioWithEcho"] = true, + ["ReplicatedInjectAudio"] = true, + ["ReplicatedSilentAudioFrame"] = true, + ["ReplicatedAvatarIdentity"] = true, + ["ReplicatedKillAvatar"] = true, + ["ReplicatedBulkAvatarData"] = true, + ["AvatarZonePresence"] = true, + ["WebRTCSignaling"] = true } +-- PacketHeaders.h, getNonVerifiedPackets() local nonverified_packet_types = { ["NodeJsonStats"] = true, ["EntityQuery"] = true, 
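Review bot: `unsourced_packet_types` is keyed by name strings copied by hand from `getNonSourcedPackets()`, and nothing checks those names against `packet_types`. A key that is misspelled or absent from `packet_types` (most of that table is outside this hunk) would never match, and presumably the packet would then be parsed with the sourced header layout. A load-time check that every key is also a value of `packet_types` would catch drift when PacketHeaders.h changes; the same check fits `nonverified_packet_types`, whose body continues past the hunk. I would also extend the two new comments to name the PacketHeaders.h revision the lists were copied from.

```lua
-- … unchanged: packet_types, unsourced_packet_types and nonverified_packet_types tables …

-- warn at load time about names that packet_types does not define
local known_packet_names = {}
for _, name in pairs(packet_types) do
  known_packet_names[name] = true
end
for name in pairs(unsourced_packet_types) do
  if not known_packet_names[name] then
    print("hfudt: unsourced packet type not in packet_types: " .. name)
  end
end
```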
@@ -222,6 +259,7 @@ function p_hfudt.dissector(buf, pinfo, tree) type:append_text(" (".. control_types[shifted_type][1] .. ")") subtree:add(f_control_type_text, control_types[shifted_type][1]) + pinfo.cols.info:append(" [" .. control_types[shifted_type][1] .. "]") end if shifted_type == 0 then @@ -257,7 +295,7 @@ function p_hfudt.dissector(buf, pinfo, tree) -- read the obfuscation level local obfuscation_bits = bit32.band(0x03, bit32.rshift(first_word, 27)) subtree:add(f_obfuscation_level, obfuscation_bits) - + -- read the sequence number subtree:add(f_sequence_number, bit32.band(first_word, SEQUENCE_NUMBER_MASK)) @@ -300,10 +338,12 @@ function p_hfudt.dissector(buf, pinfo, tree) local packet_type = buf(payload_offset, 1):le_uint() local ptype = subtree:add_le(f_type, buf(payload_offset, 1)) local packet_type_text = packet_types[packet_type] + if packet_type_text ~= nil then subtree:add(f_type_text, packet_type_text) -- if we know this packet type then add the name ptype:append_text(" (".. packet_type_text .. ")") + pinfo.cols.info:append(" [" .. packet_type_text .. "]") end -- read the version @@ -431,12 +471,12 @@ function deobfuscate(message_bit, buf, level) else return end - + local start = 4 if message_bit == 1 then local start = 12 end - + local p = 0 for i = start, buf:len() - 1 do out:set_index(i, bit.bxor(buf(i, 1):le_uint(), key:get_index(7 - (p % 8))) ) diff --git a/tools/dissectors/2-hf-audio.lua b/tools/dissectors/2-hf-audio.lua index fa4d50fab1e..1e6b0b64314 100644 --- a/tools/dissectors/2-hf-audio.lua +++ b/tools/dissectors/2-hf-audio.lua @@ -1,5 +1,5 @@ print("Loading hf-audio") - +bit32 = require("bit32") -- create the audio protocol p_hf_audio = Proto("hf-audio", "HF Audio Protocol") diff --git a/tools/dissectors/3-hf-avatar.lua b/tools/dissectors/3-hf-avatar.lua index 9b8567c55fb..8104649b0d7 100644 --- a/tools/dissectors/3-hf-avatar.lua +++ b/tools/dissectors/3-hf-avatar.lua 
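Review bot: The Info column is annotated only when the type is found in `control_types` (hunk at -222) or `packet_types` (hunk at -300), so a packet with an unrecognised type byte gets no marker in the packet list. Unknown types are the ones worth spotting when triaging a capture, so I would add `else pinfo.cols.info:append(" [unknown type " .. packet_type .. "]")` to the `if packet_type_text ~= nil` block, and the equivalent for `shifted_type`. The `if` guarding the control-type append starts outside its hunk.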
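Review bot: In `deobfuscate` (hunk at -431), `local start = 12` inside `if message_bit == 1 then` declares a new variable that goes out of scope at `end`, so the loop always starts at offset 4. The hunk only cleans up whitespace around this and leaves it in place; dropping the inner `local` (`start = 12`) makes the assignment take effect. The loop also calls `bit.bxor` while the rest of the file uses `bit32`, so `bit32.bxor` would keep the file on the one library this commit requires. The function begins and ends outside the hunk.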
@@ -1,4 +1,5 @@ print("Loading hf-avatar") +bit32 = require("bit32") -- create the avatar protocol p_hf_avatar = Proto("hf-avatar", "HF Avatar Protocol") diff --git a/tools/dissectors/4-hf-entity.lua b/tools/dissectors/4-hf-entity.lua index 568eb5baa3d..7de5eeee4dc 100644 --- a/tools/dissectors/4-hf-entity.lua +++ b/tools/dissectors/4-hf-entity.lua @@ -1,4 +1,5 @@ print("Loading hf-entity") +bit32 = require("bit32") -- create the entity protocol p_hf_entity = Proto("hf-entity", "HF Entity Protocol") diff --git a/tools/dissectors/5-hf-domain.lua b/tools/dissectors/5-hf-domain.lua index 093026bc92f..e2f9da4d9bc 100644 --- a/tools/dissectors/5-hf-domain.lua +++ b/tools/dissectors/5-hf-domain.lua @@ -1,4 +1,6 @@ -- create the domain protocol +print("Loading hf-domain") +bit32 = require("bit32") p_hf_domain = Proto("hf-domain", "HF Domain Protocol") -- domain packet fields diff --git a/tools/dissectors/README.md b/tools/dissectors/README.md index 1e618a7b4c2..3b391f60c0f 100644 --- a/tools/dissectors/README.md +++ b/tools/dissectors/README.md 
@@ -1,14 +1,73 @@ -High Fidelity Wireshark Plugins ---------------------------------- +# High Fidelity Wireshark Plugins -Install wireshark 2.4.6 or higher. -Copy these lua files into c:\Users\username\AppData\Roaming\Wireshark\Plugins +## Installation -After a capture any detected High Fidelity Packets should be easily identifiable by one of the following protocols -* HF-AUDIO - Streaming audio packets -* HF-AVATAR - Streaming avatar mixer packets -* HF-ENTITY - Entity server traffic -* HF-DOMAIN - Domain server traffic -* HFUDT - All other UDP traffic +* Install wireshark 2.4.6 or higher. +* Copy these lua files into `c:\Users\username\AppData\Roaming\Wireshark\Plugins` on Windows, or `$HOME/.local/lib/wireshark/plugins` on Linux. + +## Lua version + +This is a Lua plugin, which requires the bit32 module to be installed. You can find the Lua version wireshark uses in the About dialog, eg: + + Version 4.2.5 (Git commit 798e06a0f7be). + + Compiled (64-bit) using GCC 14.1.1 20240507 (Red Hat 14.1.1-1), with GLib + 2.80.2, with Qt 6.7.0, with libpcap, with POSIX capabilities (Linux), with libnl + 3, with zlib 1.3.0.zlib-ng, with PCRE2, with Lua 5.1.5, with GnuTLS 3.8.5 and + +This indicates Lua 5.1 is used (see on the last line) + + +## Requirements + +On Fedora 40: + +* wireshark-devel +* lua5.1-bit32 + + +## Usage + +After a capture any detected Overte Packets should be easily identifiable by one of the following protocols + +* `HF-AUDIO` - Streaming audio packets +* `HF-AVATAR` - Streaming avatar mixer packets +* `HF-ENTITY` - Entity server traffic +* `HF-DOMAIN` - Domain server traffic +* `HFUDT` - All other UDP traffic + + + + +## Troubleshooting + +### attempt to index global 'bit32' (a nil value) + +`[Expert Info (Error/Undecoded): Lua Error: /home/dale/.local/lib/wireshark/plugins/1-hfudt.lua:207: attempt to index global 'bit32' (a nil value)]` + +See the installation requirements, you need to install the bit32 Lua module for the right Lua version. 
+ +## Development hints + + +* Symlink files from the development tree to `$HOME/.local/lib/wireshark/plugins`, to have Wireshark work on the latest dissector code. +* Capture packets for later analysis in a PCAPNG file. +* Only save needed packets in the dump + +Decode on the commandline with: + + tshark -r packets.pcapng.gz -V + +Decode only the first packet: + + tshark -r packets.pcapng.gz -V -c 1 + +### Useful tshark arguments + +* `-x` hex dump +* `-c N` Only decode first N packets +* `-O hfudt,hf-domain,hf-entity,hf-avatar,hf-audio` Only dump Overte protocol data, skip dumping UDP/etc parts. +* `-V` decode protocols +* \ No newline at end of file