Decrypt packet in lua dissector

2.1k views Asked by At

I am working on a custom dissector for Wireshark in lua.

Certain PDUs in the protocol is encrypted using AES and I would like to decrypt these so that I can show the clear content in Wireshark. Is this possible with a lua dissector and what APIs can I use to make the decryption?

Or do I need to make a c/c++ dissector to make a dissector that decrypts data?

2

There are 2 answers

2
moteus On BEST ANSWER

Personally i use lua-crypto but it requires OpenSSL. You can check lua-wiki. Recently i create wrapper for this AES implementation called bgcrypto. It has no external dependencies but i really do not use it yet in real work.

0
Lekensteyn On

At the moment Wireshark (2.0) does not expose a crypto API to LUA dissectors, so you have to implement it in the Lua dissector.

For a pure Lua solution you can use lua-lockbox (as mentioned on the Lua wiki). This is not recommended if you need performance, but might be useful for prototyping.

Faster AES decryption implementations typically use a native library, for example:

  • LuaCrypto - uses OpenSSL, though it does not seem maintained
  • lcrypt - uses libtomcrypt, but there seems to be no development either

Since none of these libraries satisfied my needs, I developed a new one based on Libgcrypt for these reasons:

  • Wireshark already links to Libgcrypt for things like SSL decryption.
  • The Libgcrypt library supports sufficiently many ciphers and hashes.
  • Libgcrypt is widely available and has an active development team.
  • The Luagcrypt API is simple enough and documented.

The result is luagcrypt which works on the platforms supported by Wireshark (Linux, OS X, Windows). It is used in the KDNET dissector, this commit shows the transformation from lua-lockbox to luagcrypt.