KISS

Keep It Simple Stupid

Wireshark: setting up dissector for USB AOA packets


I’ve had some experience recently writing a protocol dissector for Wireshark. The easier and quicker way is to write it in Lua, whereas for faster dissection you need to write it in C. There are bits and pieces of information on the internet about how to write a dissector in Lua. However, there is much less information regarding USB support.

Most examples show how to install a protocol dissector on a certain TCP port:

-- register a chained dissector for certain port
local tcp_port = 8080
local tcp_dissector_table = DissectorTable.get("tcp.port")
tcp_dissector_table:add(tcp_port, p_awesomeproto)

With USB it’s not that obvious. Wireshark before version 1.10 (e.g., in Ubuntu 12.04 LTS) didn’t allow installing a dissector on a USB device with a specific Vendor ID and Product ID, so the only way was to install it on a USB device class and filter somehow afterwards. Luckily, you can now attach a dissector to a specific USB device. Here’s the code I came up with to support both the older and newer versions of Wireshark:

-- attempt to register the dissector for the standard USB AOA vendor&product
-- this may fail if wireshark doesn't get device descriptors
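-- pcall catches the error raised when the "usb.product" table does not exist;
-- the nil check also handles a get() that returns nil instead of raising
local success, data = pcall(function() return DissectorTable.get("usb.product") end)
if success and data then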
  local usb_product_dissector_table = data
  usb_product_dissector_table:add(0x18d12d01, p_awesomeproto)
else
  -- register the dissector for USB device class

  -- from packet-usb.h
  local IF_CLASS_DEVICE = 0x00
  local IF_CLASS_VENDOR_SPECIFIC = 0xFF
  local IF_CLASS_UNKNOWN = 0xFFFF

  local usb_bulk_dissector_table = DissectorTable.get("usb.bulk")
  usb_bulk_dissector_table:add(IF_CLASS_DEVICE, p_awesomeproto)
  usb_bulk_dissector_table:add(IF_CLASS_VENDOR_SPECIFIC, p_awesomeproto)
  usb_bulk_dissector_table:add(IF_CLASS_UNKNOWN, p_awesomeproto)
end

Note that the product ID approach may fail if Wireshark doesn’t get the device descriptors. However, it never happened in my several tests. The 0x18d12d01 value is the Vendor and Product ID for USB Android Open Accessory devices.

FYI: The method call with pcall() is how you can catch exceptions from functions in Lua.
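A complete script tying the snippets above together, as an added example that is not the author's code: it defines a placeholder protocol (the hypothetical `aoa_demo`, standing in for `p_awesomeproto`), builds the `usb.product` key from separate vendor and product IDs, and falls back to class registration on `usb.bulk` when the product table is unavailable.

```lua
-- Added example. "aoa_demo", its field and the helper name are hypothetical.
local p_demo = Proto("aoa_demo", "AOA Demo Payload")
local f_data = ProtoField.bytes("aoa_demo.data", "Payload")
p_demo.fields = { f_data }

function p_demo.dissector(buffer, pinfo, tree)
  local len = buffer:len()
  -- Return 0 (not ours) for empty transfers; in the usb.bulk fallback this
  -- is also where traffic from unrelated devices should be rejected.
  if len == 0 then return 0 end
  pinfo.cols.protocol = "AOA-DEMO"
  local subtree = tree:add(p_demo, buffer())
  subtree:add(f_data, buffer())
  subtree:append_text(", " .. len .. " bytes")
  return len
end

-- usb.product keys are 32-bit: vendor ID in the high 16 bits, product ID
-- in the low 16. Plain arithmetic is used so it also runs on Lua 5.1/5.2,
-- which have no << operator.
local function usb_product_key(vid, pid)
  return vid * 0x10000 + pid
end

-- The page's 0x18d12d01 split into its two halves
local AOA_VID, AOA_PID = 0x18d1, 0x2d01

local ok, product_table = pcall(DissectorTable.get, "usb.product")
if ok and product_table then
  -- Newer Wireshark: bind to exactly one device identity
  product_table:add(usb_product_key(AOA_VID, AOA_PID), p_demo)
else
  -- Older Wireshark: bind by interface class (values from packet-usb.h)
  local bulk_table = DissectorTable.get("usb.bulk")
  for _, class in ipairs({ 0x00, 0xFF, 0xFFFF }) do
    bulk_table:add(class, p_demo)
  end
end
```

In the fallback path the dissector is offered bulk traffic from every device in those classes, so a real dissector should check the payload for its own framing and return 0 when it does not match.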
