From c06a60eaea1b42acb3683d4a1cf1b57f0d077782 Mon Sep 17 00:00:00 2001 From: Dale Glass Date: Thu, 18 Jul 2024 16:39:37 +0200 Subject: [PATCH] Fix wireshark dissector, update with new packet types. Probably still incomplete, but getting closer. --- tools/dissectors/1-hfudt.lua | 53 +++++++++++++++++++++++++----- tools/dissectors/2-hf-audio.lua | 2 +- tools/dissectors/3-hf-avatar.lua | 1 + tools/dissectors/4-hf-entity.lua | 1 + tools/dissectors/5-hf-domain.lua | 2 ++ tools/dissectors/README.md | 56 ++++++++++++++++++++++++++------ 6 files changed, 96 insertions(+), 19 deletions(-) diff --git a/tools/dissectors/1-hfudt.lua b/tools/dissectors/1-hfudt.lua index 5a03331fc6..2be889c8c9 100644 --- a/tools/dissectors/1-hfudt.lua +++ b/tools/dissectors/1-hfudt.lua @@ -1,4 +1,5 @@ print("Loading hfudt") +bit32 = require("bit32") -- create the HFUDT protocol p_hfudt = Proto("hfudt", "HFUDT Protocol") 
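Review bot: The added `bit32 = require("bit32")` at the top of 1-hfudt.lua is unconditional and writes a global, so on any Wireshark build whose Lua has neither a built-in nor a separately installed bit32 the script raises at load time and the HFUDT dissector is never registered. A guarded form such as `local bit32 = bit32 or require("bit32")` keeps a library that is already present and only loads the module when it is missing. The same line is added in 2-hf-audio.lua, 3-hf-avatar.lua, 4-hf-entity.lua and 5-hf-domain.lua and would take the same change. The context of the `@@ -431` hunk shows `deobfuscate` calling `bit.bxor`, which this require does not supply; whether `bit` exists on the targeted builds is not visible here and should be confirmed.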
@@ -154,19 +155,55 @@ local packet_types = { [99] = "EntityQueryInitialResultsComplete", [100] = "BulkAvatarTraits", [101] = "AudioSoloRequest", - [102] = "BulkAvatarTraitsAck" + [102] = "BulkAvatarTraitsAck", + [103] = "StopInjector", + [104] = "AvatarZonePresence", + [105] = "WebRTCSignaling" } +-- PacketHeaders.h, getNonSourcedPackets() local unsourced_packet_types = { - ["DomainList"] = true, + ["DomainConnectRequestPending"] = true, + ["CreateAssignment"] = true, + ["RequestAssignment"] = true, + ["DomainServerRequireDTLS"] = true, ["DomainConnectRequest"] = true, - ["ICEPing"] = true, - ["ICEPingReply"] = true, + ["DomainList"] = true, + ["DomainConnectionDenied"] = true, + ["DomainServerPathQuery"] = true, + ["DomainServerPathResponse"] = true, + ["DomainServerAddedNode"] = true, ["DomainServerConnectionToken"] = true, ["DomainSettingsRequest"] = true, - ["ICEServerHeartbeatACK"] = true + ["OctreeDataFileRequest"] = true, + ["OctreeDataFileReply"] = true, + ["OctreeDataPersist"] = true, + ["DomainContentReplacementFromUrl"] = true, + ["DomainSettings"] = true, + ["ICEServerPeerInformation"] = true, + ["ICEServerQuery"] = true, + ["ICEServerHeartbeat"] = true, + ["ICEServerHeartbeatACK"] = true, + ["ICEPing"] = true, + ["ICEPingReply"] = true, + ["ICEServerHeartbeatDenied"] = true, + ["AssignmentClientStatus"] = true, + ["StopNode"] = true, + ["DomainServerRemovedNode"] = true, + ["UsernameFromIDReply"] = true, + ["OctreeFileReplacement"] = true, + ["ReplicatedMicrophoneAudioNoEcho"] = true, + ["ReplicatedMicrophoneAudioWithEcho"] = true, + ["ReplicatedInjectAudio"] = true, + ["ReplicatedSilentAudioFrame"] = true, + ["ReplicatedAvatarIdentity"] = true, + ["ReplicatedKillAvatar"] = true, + ["ReplicatedBulkAvatarData"] = true, + ["AvatarZonePresence"] = true, + ["WebRTCSignaling"] = true } +-- PacketHeaders.h, getNonVerifiedPackets() local nonverified_packet_types = { ["NodeJsonStats"] = true, ["EntityQuery"] = true, 
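Review bot: The names added to `unsourced_packet_types` are hand-copied strings that only take effect if each one matches a value in `packet_types` exactly, and nothing in this hunk checks that. Only entries [99] to [105] of `packet_types` are visible, so names such as `DomainConnectRequestPending` or `ReplicatedKillAvatar` cannot be confirmed from here; presumably a misspelled or missing name is simply never matched and that packet is decoded as sourced, which would shift every later field an analyst reads. A load-time check placed after both tables would surface drift from PacketHeaders.h as soon as the plugin loads. `nonverified_packet_types` continues outside the hunk and would need the same check.

```lua
-- … unchanged: packet_types and unsourced_packet_types tables …
local known_packet_names = {}
for _, name in pairs(packet_types) do
    known_packet_names[name] = true
end
for name in pairs(unsourced_packet_types) do
    if not known_packet_names[name] then
        print("hfudt: unsourced packet type not in packet_types: " .. name)
    end
end
```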
@@ -257,7 +294,7 @@ function p_hfudt.dissector(buf, pinfo, tree) -- read the obfuscation level local obfuscation_bits = bit32.band(0x03, bit32.rshift(first_word, 27)) subtree:add(f_obfuscation_level, obfuscation_bits) - + -- read the sequence number subtree:add(f_sequence_number, bit32.band(first_word, SEQUENCE_NUMBER_MASK)) @@ -431,12 +468,12 @@ function deobfuscate(message_bit, buf, level) else return end - + local start = 4 if message_bit == 1 then local start = 12 end - + local p = 0 for i = start, buf:len() - 1 do out:set_index(i, bit.bxor(buf(i, 1):le_uint(), key:get_index(7 - (p % 8))) ) diff --git a/tools/dissectors/2-hf-audio.lua b/tools/dissectors/2-hf-audio.lua index fa4d50fab1..1e6b0b6431 100644 --- a/tools/dissectors/2-hf-audio.lua +++ b/tools/dissectors/2-hf-audio.lua @@ -1,5 +1,5 @@ print("Loading hf-audio") - +bit32 = require("bit32") -- create the audio protocol p_hf_audio = Proto("hf-audio", "HF Audio Protocol") diff --git a/tools/dissectors/3-hf-avatar.lua b/tools/dissectors/3-hf-avatar.lua index 9b8567c55f..8104649b0d 100644 --- a/tools/dissectors/3-hf-avatar.lua +++ b/tools/dissectors/3-hf-avatar.lua @@ -1,4 +1,5 @@ print("Loading hf-avatar") +bit32 = require("bit32") -- create the avatar protocol p_hf_avatar = Proto("hf-avatar", "HF Avatar Protocol") diff --git a/tools/dissectors/4-hf-entity.lua b/tools/dissectors/4-hf-entity.lua index 568eb5baa3..7de5eeee4d 100644 --- a/tools/dissectors/4-hf-entity.lua +++ b/tools/dissectors/4-hf-entity.lua @@ -1,4 +1,5 @@ print("Loading hf-entity") +bit32 = require("bit32") -- create the entity protocol p_hf_entity = Proto("hf-entity", "HF Entity Protocol") diff --git a/tools/dissectors/5-hf-domain.lua b/tools/dissectors/5-hf-domain.lua index 093026bc92..e2f9da4d9b 100644 --- a/tools/dissectors/5-hf-domain.lua +++ b/tools/dissectors/5-hf-domain.lua 
@@ -1,4 +1,6 @@ -- create the domain protocol +print("Loading hf-domain") +bit32 = require("bit32") p_hf_domain = Proto("hf-domain", "HF Domain Protocol") -- domain packet fields diff --git a/tools/dissectors/README.md b/tools/dissectors/README.md index 1e618a7b4c..b97e9e3b7a 100644 --- a/tools/dissectors/README.md +++ b/tools/dissectors/README.md 
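Review bot: The two added lines in 5-hf-domain.lua land between the `-- create the domain protocol` comment and the `p_hf_domain = Proto(...)` call it describes, so the comment now sits above the `print` instead. Moving `print("Loading hf-domain")` and the `bit32` line above the comment would match the layout used in the other four dissector files.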
@@ -1,14 +1,50 @@ -High Fidelity Wireshark Plugins ---------------------------------- +# High Fidelity Wireshark Plugins -Install wireshark 2.4.6 or higher. -Copy these lua files into c:\Users\username\AppData\Roaming\Wireshark\Plugins +## Installation -After a capture any detected High Fidelity Packets should be easily identifiable by one of the following protocols -* HF-AUDIO - Streaming audio packets -* HF-AVATAR - Streaming avatar mixer packets -* HF-ENTITY - Entity server traffic -* HF-DOMAIN - Domain server traffic -* HFUDT - All other UDP traffic +* Install wireshark 2.4.6 or higher. +* Copy these lua files into `c:\Users\username\AppData\Roaming\Wireshark\Plugins` on Windows, or `$HOME/.local/lib/wireshark/plugins` on Linux. + +## Lua version + +This is a Lua plugin, which requires the bit32 module to be installed. You can find the Lua version wireshark uses in the About dialog, eg: + + Version 4.2.5 (Git commit 798e06a0f7be). + + Compiled (64-bit) using GCC 14.1.1 20240507 (Red Hat 14.1.1-1), with GLib + 2.80.2, with Qt 6.7.0, with libpcap, with POSIX capabilities (Linux), with libnl + 3, with zlib 1.3.0.zlib-ng, with PCRE2, with Lua 5.1.5, with GnuTLS 3.8.5 and + +This indicates Lua 5.1 is used (see on the last line) + + +## Requirements + +On Fedora 40: + +* wireshark-devel +* lua5.1-bit32 + + +## Usage + +After a capture any detected Overte Packets should be easily identifiable by one of the following protocols + +* `HF-AUDIO` - Streaming audio packets +* `HF-AVATAR` - Streaming avatar mixer packets +* `HF-ENTITY` - Entity server traffic +* `HF-DOMAIN` - Domain server traffic +* `HFUDT` - All other UDP traffic + + + + +## Troubleshooting + +### attempt to index global 'bit32' (a nil value) + +`[Expert Info (Error/Undecoded): Lua Error: /home/dale/.local/lib/wireshark/plugins/1-hfudt.lua:207: attempt to index global 'bit32' (a nil value)]` + +See the installation requirements, you need to install the bit32 Lua module for the right Lua version.