2024.9.25

1
local python = require 'python'
2

3
-- Temporary for development
4
-- local sys = python.import 'sys'
5
-- sys.path.append('/home/jkemp/cs700/pydevp2p/')
6
-- End of Temporary for development
7

8
local rlpxBridge = python.import 'pydevp2p.bridge'
9

10
-- create a new dissector
11
local NAME = "rlpx"
12
local PORT = 30305
13
local rlpx = Proto(NAME, "Ethereum RLPx Protocol")
14

15
local fields = rlpx.fields
16
fields.auth_size = ProtoField.uint16(NAME .. ".auth_size", "Auth Size")
17
fields.ack_size = ProtoField.uint16(NAME .. ".ack_size", "Ack Size")
18
fields.body = ProtoField.bytes(NAME .. ".body", "Data")
19
fields.frame_header = ProtoField.bytes(NAME .. ".frame_header", "Frame Header")
20
fields.frame_body = ProtoField.bytes(NAME .. ".frame_body", "Frame Body")
21

22
local known_ports = { 30303, 30304, 30305, 30306, 30307, 30308 }
23

24
local function table_has_value(tab, val)
25
    for _, value in ipairs(tab) do
26
        if value == val then
27
            return true
28
        end
29
    end
30

31
    return false
32
end
33

34
local function array_iterator(array, len)
35
    -- This lets us iterate over a c object (like a python array)
36
    local index = 0
37
    local count = len
38

39
    -- The closure function is returned
40

41
    return function()
42
        index = index + 1
43

44
        if index <= count
45
        then
46
            -- return the current element of the iterator
47
            return array[index]
48
        end
49

50
    end
51
end
52

53
-- main dissect packet function
54
function rlpx.dissector(tvb, pinfo, tree)
55
    local subtree = tree:add(rlpx, tvb())
56
    local offset = 0
57

58
    -- show protocol name in protocol column
59
    pinfo.cols.protocol = rlpx.name
60

61
    local srcaddr = tostring(pinfo.src)
62
    local dstaddr = tostring(pinfo.dst)
63

64
    local payload = tostring(tvb:bytes())
65

66
    -- dissect field one by one, and add to protocol tree
67
    local auth_size = tvb(offset, 2)
68
    if (tvb:len() - auth_size:int() == 2) then
69
        if (table_has_value(known_ports, pinfo.src_port)) then
70
            -- This is most likely a handshake AUTH-ACK packet
71
            offset = offset + 2
72
            subtree:add(fields.ack_size, auth_size)
73
            pinfo.cols.info:set(pinfo.src_port .. " → " .. pinfo.dst_port .. " [HANDSHAKE] AUTH ACK")
74
            -- print(payload, dstNode)
75
            local dec_msg = rlpxBridge.handleRLPxHandshakeMsg(srcaddr, dstaddr, payload, pinfo.visited, pinfo.number)
76
            local payloadtree = subtree:add(fields.body, tvb(offset))
77
            payloadtree:set_text("Handshake AUTH ACK")
78
            for element in array_iterator(dec_msg, dec_msg[0]) do
79
                payloadtree:add(element)
80
            end
81
        elseif (table_has_value(known_ports, pinfo.dst_port)) then
82
            -- This is most likely a handshake AUTH packet
83
            offset = offset + 2
84
            subtree:add(fields.auth_size, auth_size)
85
            pinfo.cols.info:set(pinfo.src_port .. " → " .. pinfo.dst_port .. " [HANDSHAKE] AUTH INIT")
86
            -- print(payload, dstNode)
87
            local dec_msg = rlpxBridge.handleRLPxHandshakeMsg(srcaddr, dstaddr, payload, pinfo.visited, pinfo.number)
88
            local payloadtree = subtree:add(fields.body, tvb(offset))
89
            for element in array_iterator(dec_msg, dec_msg[0]) do
90
                payloadtree:add(element)
91
            end
92
        else
93
            subtree:add(fields.body, tvb(offset))
94
        end
95
    else
96
        local dec_msg = rlpxBridge.handleRLPxMsg(srcaddr, dstaddr, payload, pinfo.visited, pinfo.number)
97
        local frame_header = dec_msg[0]
98
        local frame_body = dec_msg[1]
99
        local frame_type = dec_msg[2]
100
        -- Set the column information to the Frame Type
101
        if frame_type ~= nil then
102
            pinfo.cols.info:set(pinfo.src_port .. " → " .. pinfo.dst_port .. " " .. frame_type)
103
        end
104
        -- Show the frame header information (if available) in Wireshark
105
        if frame_header ~= nil then
106
            local frame_header_tree = subtree:add(fields.frame_header, tvb(0, frame_header.headerSize))
107
            frame_header_tree:add("Decrypted Header Data:", frame_header.header)
108
            frame_header_tree:add("Header MAC:", frame_header.headerMac)
109
            frame_header_tree:add("Frame Body MAC:", frame_header.frameMac)
110
            frame_header_tree:add("Frame Size:", frame_header.frameSize)
111
            frame_header_tree:add("Read Size:", frame_header.readSize)
112
            frame_header_tree:add("Header Data:", frame_header.headerData)
113
            pinfo.cols.info:append(" Len=" .. frame_header.readSize)
114
        end
115
        -- Show the frame body information (if available) in Wireshark
116
        if frame_header ~= nil and frame_type ~= nil and frame_body ~= nil and frame_body[0] > 0 then
117
            local frame_body_tree = subtree:add(fields.frame_body, tvb(frame_header.headerSize))
118
            for element in array_iterator(frame_body, frame_body[0]) do
119
                frame_body_tree:add(element)
120
            end
121
        end
122
    end
123
end
124

125
-- register this dissector
126
DissectorTable.get("tcp.port"):add(PORT, rlpx)
127
DissectorTable.get("tcp.port"):add("30303", rlpx)
128
DissectorTable.get("tcp.port"):add("30304", rlpx)
129
DissectorTable.get("tcp.port"):add("30305", rlpx)
130
DissectorTable.get("tcp.port"):add("30306", rlpx)
131
DissectorTable.get("tcp.port"):add("30307", rlpx)
132
DissectorTable.get("tcp.port"):add("30308", rlpx)