Merge pull request #1088 from daleglass-overte/fix-wireshark-dissector

Fix wireshark dissector
2025-04-05 20:28:25 +02:00 · 2024-07-18 22:07:39 +02:00 · 2024-07-18 22:07:39 +02:00 · 2be3011d28
commit 2be3011d28
parent e771bd1706 56ab058543
6 changed files with 122 additions and 19 deletions
--- a/tools/dissectors/1-hfudt.lua
+++ b/tools/dissectors/1-hfudt.lua
@ -1,4 +1,5 @@
 print("Loading hfudt")
+bit32 = require("bit32")

 -- create the HFUDT protocol
 p_hfudt = Proto("hfudt", "HFUDT Protocol")
@ -154,19 +155,55 @@ local packet_types = {
  [99] = "EntityQueryInitialResultsComplete",
  [100] = "BulkAvatarTraits",
  [101] = "AudioSoloRequest",
-  [102] = "BulkAvatarTraitsAck"
+  [102] = "BulkAvatarTraitsAck",
+  [103] = "StopInjector",
+  [104] = "AvatarZonePresence",
+  [105] = "WebRTCSignaling"
 }

+-- PacketHeaders.h, getNonSourcedPackets()
 local unsourced_packet_types = {
-  ["DomainList"] = true,
+  ["DomainConnectRequestPending"] = true,
+  ["CreateAssignment"] = true,
+  ["RequestAssignment"] = true,
+  ["DomainServerRequireDTLS"] = true,
  ["DomainConnectRequest"] = true,
-  ["ICEPing"] = true,
-  ["ICEPingReply"] = true,
+  ["DomainList"] = true,
+  ["DomainConnectionDenied"] = true,
+  ["DomainServerPathQuery"] = true,
+  ["DomainServerPathResponse"] = true,
+  ["DomainServerAddedNode"] = true,
  ["DomainServerConnectionToken"] = true,
  ["DomainSettingsRequest"] = true,
-  ["ICEServerHeartbeatACK"] = true
+  ["OctreeDataFileRequest"] = true,
+  ["OctreeDataFileReply"] = true,
+  ["OctreeDataPersist"] = true,
+  ["DomainContentReplacementFromUrl"] = true,
+  ["DomainSettings"] = true,
+  ["ICEServerPeerInformation"] = true,
+  ["ICEServerQuery"] = true,
+  ["ICEServerHeartbeat"] = true,
+  ["ICEServerHeartbeatACK"] = true,
+  ["ICEPing"] = true,
+  ["ICEPingReply"] = true,
+  ["ICEServerHeartbeatDenied"] = true,
+  ["AssignmentClientStatus"] = true,
+  ["StopNode"] = true,
+  ["DomainServerRemovedNode"] = true,
+  ["UsernameFromIDReply"] = true,
+  ["OctreeFileReplacement"] = true,
+  ["ReplicatedMicrophoneAudioNoEcho"] = true,
+  ["ReplicatedMicrophoneAudioWithEcho"] = true,
+  ["ReplicatedInjectAudio"] = true,
+  ["ReplicatedSilentAudioFrame"] = true,
+  ["ReplicatedAvatarIdentity"] = true,
+  ["ReplicatedKillAvatar"] = true,
+  ["ReplicatedBulkAvatarData"] = true,
+  ["AvatarZonePresence"] = true,
+  ["WebRTCSignaling"] = true
 }

+-- PacketHeaders.h, getNonVerifiedPackets()
 local nonverified_packet_types = {
    ["NodeJsonStats"] = true,
    ["EntityQuery"] = true,
@ -222,6 +259,7 @@ function p_hfudt.dissector(buf, pinfo, tree)
      type:append_text(" (".. control_types[shifted_type][1] .. ")")

      subtree:add(f_control_type_text, control_types[shifted_type][1])
+      pinfo.cols.info:append(" [" .. control_types[shifted_type][1] .. "]")
    end

    if shifted_type == 0 then
@ -257,7 +295,7 @@ function p_hfudt.dissector(buf, pinfo, tree)
    -- read the obfuscation level
    local obfuscation_bits = bit32.band(0x03, bit32.rshift(first_word, 27))
    subtree:add(f_obfuscation_level, obfuscation_bits)
-    
+
    -- read the sequence number
    subtree:add(f_sequence_number, bit32.band(first_word, SEQUENCE_NUMBER_MASK))

@ -300,10 +338,12 @@ function p_hfudt.dissector(buf, pinfo, tree)
    local packet_type = buf(payload_offset, 1):le_uint()
    local ptype = subtree:add_le(f_type, buf(payload_offset, 1))
    local packet_type_text = packet_types[packet_type]
+
    if packet_type_text ~= nil then
      subtree:add(f_type_text, packet_type_text)
      -- if we know this packet type then add the name
      ptype:append_text(" (".. packet_type_text .. ")")
+      pinfo.cols.info:append(" [" .. packet_type_text .. "]")
    end

    -- read the version
@ -431,12 +471,12 @@ function deobfuscate(message_bit, buf, level)
  else
    return
  end
-  
+
  local start = 4
  if message_bit == 1 then
    local start = 12
  end
-  
+
  local p = 0
  for i = start, buf:len() - 1 do
    out:set_index(i, bit.bxor(buf(i, 1):le_uint(), key:get_index(7 - (p % 8))) )
--- a/tools/dissectors/2-hf-audio.lua
+++ b/tools/dissectors/2-hf-audio.lua
@ -1,5 +1,5 @@
 print("Loading hf-audio")
-
+bit32 = require("bit32")
 -- create the audio protocol
 p_hf_audio = Proto("hf-audio", "HF Audio Protocol")

--- a/tools/dissectors/3-hf-avatar.lua
+++ b/tools/dissectors/3-hf-avatar.lua
@ -1,4 +1,5 @@
 print("Loading hf-avatar")
+bit32 = require("bit32")

 -- create the avatar protocol
 p_hf_avatar = Proto("hf-avatar", "HF Avatar Protocol")
--- a/tools/dissectors/4-hf-entity.lua
+++ b/tools/dissectors/4-hf-entity.lua
@ -1,4 +1,5 @@
 print("Loading hf-entity")
+bit32 = require("bit32")

 -- create the entity protocol
 p_hf_entity = Proto("hf-entity", "HF Entity Protocol")
--- a/tools/dissectors/5-hf-domain.lua
+++ b/tools/dissectors/5-hf-domain.lua
@ -1,4 +1,6 @@
 -- create the domain protocol
+print("Loading hf-domain")
+bit32 = require("bit32")
 p_hf_domain = Proto("hf-domain", "HF Domain Protocol")

 -- domain packet fields
--- a/tools/dissectors/README.md
+++ b/tools/dissectors/README.md
@ -1,14 +1,73 @@
-High Fidelity Wireshark Plugins
---------------------------------
+# High Fidelity Wireshark Plugins

-Install wireshark 2.4.6 or higher.

-Copy these lua files into c:\Users\username\AppData\Roaming\Wireshark\Plugins
+## Installation

-After a capture any detected High Fidelity Packets should be easily identifiable by one of the following protocols

-* HF-AUDIO - Streaming audio packets
-* HF-AVATAR - Streaming avatar mixer packets
-* HF-ENTITY - Entity server traffic
-* HF-DOMAIN - Domain server traffic
-* HFUDT - All other UDP traffic
+* Install wireshark 2.4.6 or higher.
+* Copy these lua files into `c:\Users\username\AppData\Roaming\Wireshark\Plugins` on Windows, or `$HOME/.local/lib/wireshark/plugins` on Linux.
+
+## Lua version
+
+This is a Lua plugin, which requires the bit32 module to be installed. You can find the Lua version wireshark uses in the About dialog, eg:
+
+    Version 4.2.5 (Git commit 798e06a0f7be).
+
+    Compiled (64-bit) using GCC 14.1.1 20240507 (Red Hat 14.1.1-1), with GLib
+    2.80.2, with Qt 6.7.0, with libpcap, with POSIX capabilities (Linux), with libnl
+    3, with zlib 1.3.0.zlib-ng, with PCRE2, with Lua 5.1.5, with GnuTLS 3.8.5 and
+
+This indicates Lua 5.1 is used (see on the last line)
+
+
+## Requirements
+
+On Fedora 40:
+
+* wireshark-devel
+* lua5.1-bit32
+
+
+## Usage
+
+After a capture any detected Overte Packets should be easily identifiable by one of the following protocols
+
+* `HF-AUDIO` - Streaming audio packets
+* `HF-AVATAR` - Streaming avatar mixer packets
+* `HF-ENTITY` - Entity server traffic
+* `HF-DOMAIN` - Domain server traffic
+* `HFUDT` - All other UDP traffic
+
+
+
+
+## Troubleshooting
+
+### attempt to index global 'bit32' (a nil value)
+
+`[Expert Info (Error/Undecoded): Lua Error: /home/dale/.local/lib/wireshark/plugins/1-hfudt.lua:207: attempt to index global 'bit32' (a nil value)]`
+
+See the installation requirements, you need to install the bit32 Lua module for the right Lua version.
+
+## Development hints
+
+
+* Symlink files from the development tree to  `$HOME/.local/lib/wireshark/plugins`, to have Wireshark work on the latest dissector code.
+* Capture packets for later analysis in a PCAPNG file.
+* Only save needed packets in the dump
+
+Decode on the commandline with:
+
+    tshark -r packets.pcapng.gz -V
+
+Decode only the first packet:
+
+    tshark -r packets.pcapng.gz -V -c 1
+
+### Useful tshark arguments
+
+* `-x` hex dump
+* `-c N` Only decode first N packets
+* `-O hfudt,hf-domain,hf-entity,hf-avatar,hf-audio` Only dump Overte protocol data, skip dumping UDP/etc parts.
+* `-V` decode protocols
+*