Jmirror


Add to %appdata%\Roaming\Wireshark\plugins\3.0. Replaces the Jmirror dissector with some crude logic so that it will dissect Jmirror frames containing VLAN tags. Supports: VLAN session = VLAN-tagged Ethernet frames; DHCP session = IP frames.


-- The Wireshark jmirror dissector doesn't decode jmirror packets containing VLAN headers.
--- This adds the additional check.
--- neil 20190712
--- Protocol handle for the replacement Jmirror dissector; it is registered on
-- the UDP port table further down. Intentionally global: the dissector and
-- init functions below are attached to it by name.
p_jmirror2 = Proto("JMIRROR2", "Jmirror Packet Mirror,")


-- myproto dissector function
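--- True when `first_byte` is plausibly the first octet of an IP header.
-- IPv4: version nibble 4 with IHL 5..15 (0x45..0x4f); IPv6: version nibble 6
-- (0x60..0x6f). The original test accepted only 0x45, so IPv4 headers that
-- carry options were never recognised.
-- @tparam number first_byte
-- @treturn boolean
local function looks_like_ip(first_byte)
  return (first_byte >= 0x45 and first_byte <= 0x4f)
      or (first_byte >= 0x60 and first_byte <= 0x6f)
end

--- Dissector entry point for Jmirror frames carried in UDP.
-- Decodes the 8-byte header (4-byte Jmirror identifier, 4-byte session
-- identifier) and hands the remainder to the IP dissector when it starts
-- with an IP header, or to the Ethernet dissector when an IP header is found
-- 22 bytes in (2 x 6-byte MAC + two 4-byte VLAN tags + 2-byte ethertype,
-- i.e. a double-tagged Ethernet frame). Frames matching neither heuristic are
-- left undissected after the header, as before.
-- @param buf  Tvb holding the UDP payload; it is attacker-controlled, so every
--             offset is bounds-checked before it is used
-- @param pkt  Pinfo of the frame
-- @param root TreeItem the JMIRROR2 subtree is attached to
function p_jmirror2.dissector (buf, pkt, root)
  local HEADER_LEN = 8        -- MID (4) + SID (4)
  local VLAN_IP_OFFSET = 22   -- where the IP header sits in a double-tagged frame
  local buf_len = buf:len()

  -- The original only rejected an empty buffer; buf(0, 8) would then raise a
  -- Lua error for any frame shorter than the 8-byte header.
  if buf_len < HEADER_LEN then return end

  pkt.cols.protocol = p_jmirror2.name
  local subtree = root:add(p_jmirror2, buf(0, HEADER_LEN))

  -- Working variables are locals; the original leaked subtree/curpos/chunk into
  -- the global environment shared by every Lua plugin.
  local curpos = 0
  local chunk = buf(curpos, 4)
  subtree:append_text(" MID: 0x" .. chunk .. " (" .. chunk:uint() .. "),")
  subtree:add(chunk, " JMirror Identifier: 0x" .. chunk .. " (" .. chunk:uint() .. ")")
  curpos = curpos + 4

  chunk = buf(curpos, 4)
  subtree:append_text(" SID: 0x" .. chunk .. " (" .. chunk:uint() .. "),")
  subtree:add(chunk, " Session Identifier: 0x" .. chunk .. " (" .. chunk:uint() .. ")")
  curpos = curpos + 4

  -- Header only, nothing mirrored: stop before probing the payload.
  if buf_len <= curpos then return end

  local payload = buf(curpos, buf_len - curpos):tvb()
  if looks_like_ip(buf(curpos, 1):uint()) then
    -- DHCP session: the mirrored data is a bare IP packet.
    Dissector.get("ip"):call(payload, pkt, root)
  elseif buf_len > curpos + VLAN_IP_OFFSET
      and looks_like_ip(buf(curpos + VLAN_IP_OFFSET, 1):uint()) then
    -- VLAN session: the mirrored data is a VLAN-tagged Ethernet frame.
    -- wtap_encap 1 is Ethernet, so this resolves to the Ethernet dissector.
    subtree:append_text(" contains VLAN tags")
    DissectorTable.get("wtap_encap"):get_dissector(0x0001):call(payload, pkt, root)
  end
end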
-- Initialization routine
--- Initialization hook called by Wireshark before dissection starts.
-- Nothing to set up for this protocol, so it is a deliberate no-op.
p_jmirror2.init = function() end

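--- Registration: take over the UDP port the existing Jmirror dissector is
-- registered on so that JMIRROR2 is called for those frames instead.
local JMIRROR_UDP_PORT = 30742
local udp_dissector_table = DissectorTable.get("udp.port")
-- Handle to the dissector previously registered for the port. It is kept as a
-- global so that p_jmirror2.dissector above can chain to it if the original
-- behaviour is wanted; `_G.` makes that global deliberate rather than an
-- accidental leak (the original wrote `dissector = ...` without `local`).
_G.dissector = udp_dissector_table:get_dissector(JMIRROR_UDP_PORT)
udp_dissector_table:add(JMIRROR_UDP_PORT, p_jmirror2)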

An even cruder method (using editcap):

  • DHCP Session
"c:\Program Files\Wireshark\editcap.exe" -C 50 -T rawip dhcp.pcap chopped.pcap 
  • VLAN Session
"c:\Program Files\Wireshark\editcap.exe" -C 50 -T ether vlan.pcap chopped.pcap