Wireshark-users: Re: [Wireshark-users] DBus dissector in lua
From: Peter Wu <peter@xxxxxxxxxxxxx>
Date: Sat, 23 May 2020 00:37:39 +0200
Hi Maik,

On Mon, May 18, 2020 at 03:20:14PM +0200, Maik Scholz wrote:
> Hi,
> 
> I'd like to implement a dissector for DBus messages read from a pcap file.
> Is this possible?

A DBus dissector already exists. If your libpcap library is built with
DBus support, you can capture such traffic. This is the case on Arch
Linux, but not Ubuntu 20.04 for example.

> If yes, do you have a short example?
> 
> I'd like to filter for some specific interface id.

You can try a display filter such as:

    dbus.value.str == "org.freedesktop.DBus"

Unfortunately the dissector does not have a separate field for matching an
interface specifically, but this should hopefully be good enough.
Alternatively, you can select the "Header Field: INTERFACE" field,
open a context menu and use "Prepare as Filter". Then change the beginning
"frame[..:..] ==" to something like:

    dbus contains 02:01:73:00:14:00:00:00:6f:72:67:2e:...

This will match the literal byte pattern representing this interface
match. For more details about this filter, see
https://www.wireshark.org/docs/man-pages/wireshark-filter.html
-- 
Kind regards,
Peter Wu
https://lekensteyn.nl
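
Added example, not part of the message above and not Wireshark code: a Python sketch that builds the `dbus contains` byte pattern for a string-valued header field from its name, following the header field layout in the D-Bus specification. The function names `header_field_bytes` and `contains_filter` are hypothetical, and the filter covers both byte orders since a capture can contain either.

```python
import re
import struct

# D-Bus header field codes whose value is a STRING ('s') variant,
# per the header field table in the D-Bus specification.
STRING_FIELDS = {"INTERFACE": 2, "MEMBER": 3, "ERROR_NAME": 4,
                 "DESTINATION": 6, "SENDER": 7}

# Interface names: two or more dot-separated elements, at most 255 bytes.
_IFACE_RE = re.compile(r"[A-Za-z_][A-Za-z0-9_]*(\.[A-Za-z_][A-Za-z0-9_]*)+")


def header_field_bytes(field, value, little_endian=True):
    """Marshal one (code, variant<string>) header field as it appears on the wire."""
    raw = value.encode("ascii")
    if field == "INTERFACE" and (len(raw) > 255 or not _IFACE_RE.fullmatch(value)):
        raise ValueError(f"not a valid D-Bus interface name: {value!r}")
    length = struct.pack("<I" if little_endian else ">I", len(raw))
    # Layout: field code, variant signature (length 1, 's', NUL), uint32
    # string length, string bytes, terminating NUL. Each field struct is
    # 8-byte aligned, so the uint32 lands at offset 4 and needs no padding.
    return bytes([STRING_FIELDS[field], 1, ord("s"), 0]) + length + raw + b"\x00"


def contains_filter(field, value):
    """Build a display filter matching the field in either byte order."""
    parts = []
    for le in (True, False):
        pattern = ":".join(f"{b:02x}" for b in header_field_bytes(field, value, le))
        parts.append(f"(dbus contains {pattern})")
    return " or ".join(parts)


if __name__ == "__main__":
    # Interface name taken from the display filter example in the message.
    print(contains_filter("INTERFACE", "org.freedesktop.DBus"))
```

Because the pattern ends with the string's terminating NUL, it does not also match longer interface names that merely start with the same text. `contains` searches all DBus bytes, so the same sequence appearing inside a message body would match as well.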