Didier Stevens

Monday 28 April 2014

TCP Flags for Wireshark

Filed under: My Software,Networking,Wireshark — Didier Stevens @ 20:03

This is a topic I’m teaching in my “Packet Class: Wireshark” training in Amsterdam next month.

20140404-112631

You can configure Wireshark to display TCP flags like Snort does. One way to do this, is to create a post-dissector and then add a column with its output (like in the screenshot above).

I developed a Wireshark Lua dissector generator. You provide it some definitions, like this:

[dissector]
file_prefix = tcp-flags
type = postdissector
description = Wireshark Lua tcp-flags postdissector example

[protocol]
proto = tcpflags
description = TCP Flags Postdissector

[protocolfields]
field_1 = flags
description_a_1 = TCP Flags
description_b_1 = The TCP Flags

[fields]
field_1 = tcp.flags

And then my Python program lua-dissector-generator.py takes this input and generates a Lua post-dissector with one new protocol + field, using an existing field.

--[[
	2014/02/21 - 2014/02/21
	tcp-flags-postdissector.lua V0.0.1
	Wireshark Lua tcp-flags postdissector example

	Source code by Didier Stevens, GPL according to Wireshark Foundation ToS
	https://DidierStevens.com
	Use at your own risk

	Shortcommings, or todo's 😉

	History:
		2014/02/21: start
--]]

local function DefineAndRegister_tcpflags_postdissector()
	local oProto_tcpflags = Proto('tcpflags', 'TCP Flags Postdissector')

	local oProtoFieldflags = ProtoField.string('tcpflags.flags', 'TCP Flags', 'The TCP Flags')

	oProto_tcpflags.fields = {oProtoFieldflags}

	local oField_tcp_flags = Field.new('tcp.flags')

	function oProto_tcpflags.dissector(buffer, pinfo, tree)
		local tcp_flags = oField_tcp_flags()

		if tcp_flags ~= nil then
			local oSubtree = tree:add(oProto_tcpflags, 'TCP Flags')
			oSubtree:add(oProtoFieldflags, tcp_flags.value)
		end
	end

	register_postdissector(oProto_tcpflags)
end

local function Main()
	DefineAndRegister_tcpflags_postdissector()
end

Main()

Finally, we add functions to represent the individual TCP flags:


local function DecodeFlag(flags, mask, character)
	if bit.band(flags, mask) == 0 then
		return '*'
	else
		return character
	end
end

local function TCPFlagIntegerToSnort(tcpflags)
	local s_tcp_flags = ''

	s_tcp_flags = s_tcp_flags .. DecodeFlag(tcpflags, 0x80, 'C')
	s_tcp_flags = s_tcp_flags .. DecodeFlag(tcpflags, 0x40, 'E')
	s_tcp_flags = s_tcp_flags .. DecodeFlag(tcpflags, 0x20, 'U')
	s_tcp_flags = s_tcp_flags .. DecodeFlag(tcpflags, 0x10, 'A')
	s_tcp_flags = s_tcp_flags .. DecodeFlag(tcpflags, 0x08, 'P')
	s_tcp_flags = s_tcp_flags .. DecodeFlag(tcpflags, 0x04, 'R')
	s_tcp_flags = s_tcp_flags .. DecodeFlag(tcpflags, 0x02, 'S')
	s_tcp_flags = s_tcp_flags .. DecodeFlag(tcpflags, 0x01, 'F')

	return s_tcp_flags
end

That’s it. You can download this post-dissector here:

wireshark-lua-dissectors_V0_0_3.zip (https)
MD5: 73F9BB860F2204DBDE7FF3A7E5CA413F
SHA256: 900A21C862973294AB25A8966299386BD058A352CEA21CA97BA546DA12964465

11 Comments »

  1. Thanks a lot! Works like a charme 😉

    Comment by M@xF@actor — Monday 20 April 2015 @ 13:30

  2. What should be done in Windows to use the downloaded file?

    Comment by Chris — Wednesday 29 April 2015 @ 8:23

  3. @Chris You installed Wireshark?

    Comment by Didier Stevens — Wednesday 29 April 2015 @ 8:24

  4. @Chris One way to install Lua dissectors is to copy them in the plugins folder. In the Wireshark menu, go to Help / About / Folders to locate your plugin folders.

    Comment by Didier Stevens — Wednesday 29 April 2015 @ 8:26

  5. Already did it, but I have no idea how to add it as a column. I can see TCP flags in “Packet details” pane, but can’t find an option to add it as custom column.

    Comment by Chris — Wednesday 6 May 2015 @ 10:23

  6. @Chris With the “Apply as Column” command, I made a video for you: https://www.youtube.com/watch?v=xK2MPhUL2XY

    Comment by Didier Stevens — Wednesday 6 May 2015 @ 20:56

  7. […] Download the TCP Flags dissector here. […]

    Pingback by TCP Flags for Wireshark | Didier Stevens Videos — Wednesday 6 May 2015 @ 21:08

  8. […] you want to use my Wireshark dissectors like TCP Flag dissector, but don’t know how to install a Wireshark dissector, then watch this video […]

    Pingback by Howto: Install Wireshark Dissectors | Didier Stevens — Monday 18 May 2015 @ 0:01

  9. What are considered as commands in network packets?

    Comment by Anonymous — Saturday 16 April 2016 @ 9:58

  10. TCP flags are not commands.

    Comment by Didier Stevens — Saturday 16 April 2016 @ 10:04

  11. […] wider community. One of my favourite add-ons is a post-dissector by @DidierStevens which shows the TCP flags in a Snort style format.  See the column named “TCP Flags”, it’s easy to see the 3-way […]

    Pingback by The Cyber Security Expert | Getting the Most Out of Wireshark — Wednesday 18 July 2018 @ 9:55


RSS feed for comments on this post. TrackBack URI

Leave a Reply (comments are moderated)

Fill in your details below or click an icon to log in:

Gravatar
WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Cancel

Connecting to %s

This site uses Akismet to reduce spam. Learn how your comment data is processed.

Blog at WordPress.com.