Hello, I want to give you an idea of what we are going to look at during my packet class Wireshark training. So one of the things we will be covering is Wireshark Lua dissectors. So I have a dissector that is something we will develop incrementally during the training, but I want to give you an idea here. So I developed a very small protocol to have something to analyze, and this is a protocol which has three bytes, so each packet has at least three bytes. The first byte is a version number, and the version number is always one. The second byte is the type, which can be zero or one: zero is a request and one is a response. And then the third byte is a command, which can be one, two, three or four: that's a ping, a date command, a reverse command, or a download command. And then depending on the type and the command, there can be some extra bytes. The ping command doesn't have any remaining bytes, but for the date command the response has, the request not, and the reverse and download both do. So let's have a look at a capture of such a protocol exchange, like this one here. So here we have one TCP connection. You can see the SYN, SYN-ACK, ACK, and here the termination, the FIN-ACK, FIN-ACK. And here we have our botnet protocol that is exchanging data. So you can see here the three bytes in this packet, so that's one, zero, one. So that is version one, a request, and it is a ping command. The second also has three data bytes: version one, it's a response and it's a ping. That's the response to the ping command. The next command here: version one, it's a request, number two, that's a date command. And here we have one, one, two, so that's a response to the date, and here we have the date, you can see the data, and so on. So we have several commands, but as you can see, this is not user-friendly at all to analyze this protocol.
So to make this easier to understand, we are going to develop a Lua dissector that will dissect this protocol and display the protocol fields and values in a much more user-friendly way. This is the dissector here that we will incrementally develop. So here we already have a working dissector, let me show you. So in the protocols, okay, here we have protocol botnet01, so let's enable this, okay, and now you can see that these packets here have been recognized as belonging to the botnet01 protocol. And here in the info field, you can see that we have a request ping, response ping, date, response date, request reverse, response reverse, request download, response download. So that's already more user-friendly, it's easier to do this analysis. If we go to the first one here and expand the botnet01 protocol like this, okay. So here you can see that we have version 01, this byte here, then the message, these two bytes, the first byte of the message 0, so that's a request, and one, a ping. And we have this for all the packets that belong to this protocol. You can see here the date, that's today, here, the data that we sent to be reversed, six characters, 16 bytes, the response of the reverse, 16 bytes, and here you can see 16 extra bytes, the data in reverse order, a download request, the URL is 29 characters, here is the URL, and a response to the download, result one, okay. So this dissector allows us to visualize this data, to analyze this data much more easily. Now let me just show some simple changes that we can make to this protocol. Here we have result one, and there is no explanation next to it. So result one means success, and result zero means failure. So let's change our dissector so that it includes this data. So let's go here, so we are dealing with a download command, that's command number four. This is the part of the dissector's code here that deals with command number four. And then we have the request here, and the code for the response.
So this is the code that interests us. You can see here we read the result, we convert it from the data in the packet. It's at the fourth byte, just one byte, there you have the result, and you see that we print out the result as a digit. So next to this we also want to have the result represented as a string. So let's do that, a string, and we will define a table to convert the number into a string that is more meaningful, like these two tables we have here for the type and the command. Let's add a table for the result. So the result, that's our table: if it is zero it's a fail, and if it is one it's a success. And now here, when we pass on the string, we can say in the table tResult I want the value for the index result. So let's save that and try it out. Let's close Wireshark and load it again so that the modified dissector gets loaded. Okay, we can apply a filter here, botnet01, so that we only have our packets, and here a response download, so let it expand, and you can see now that we have not only a one as the result, but it is also explained and translated as a success. Now we know here that the first download request here has to download this URL and that the botnet client replies that it successfully downloaded it. It would be useful to have this information here in the info field, and that's also a small change to be made to the protocol dissector. Let's look here, here we are looking at the pinfo object which represents the columns, like the info column, and we assign the info column a value, a string value of the type, a space and the command, so that is what we see in the info field.
What we now want is that when there is a request here that is a download, here we have the URL, we also want to see the URL in the info field, so we will add this. Let me copy this line from here and put it here in the code for a download request, and what I'm going to do, let's get rid of this, I'm going to work simply, okay, so I have the info field, okay, sorry about that, so I have the info field and I'm going to apply the append method, so I'm going to append to the string, I'm going to append a space character and then concatenate that space character with the URL, like this. So with this line here I'm just appending the URL to the info field, so let's save this and have a look, sorry, let me first close Wireshark, okay, load this again, botnet01, we don't see it here, let me check if I saved this correctly, okay, you can see I've made an error here, stringURL, that's not the correct value, so when you are working with Lua and you use variables that don't exist, you don't get a syntax error or something like that, but you get here in the interpreter an error that it cannot find the value, you see nil value, nil, each variable that doesn't exist actually has a nil value when you evaluate it, so I made a mistake, it is not stringURL, it is sURL, so let's fix this, close Wireshark and open it again, we still don't get what we want, sUrl is also a nil value, so why is that, it's an uppercase, sorry, sURL like this, so third try, that's an example of incremental development, okay, and now you can see that we have a request download with the URL, so let's filter on botnet01, okay, like this, so we can clearly see what the request is, but now we are missing here the response download, so let's include the result for the response of a download command, let me close Wireshark, okay, so this is the request command and here you have the response command, so we just need to do the same thing here, but instead of the URL I want to see the response, okay, so this is a
variable that doesn't exist, let me define it, local, response, and the response is actually the lookup we do in the table, so that's something I did here, let me cut this, put it here, that's what we did before in the first modification, and here the result, so I'm just using a variable so I don't have to do this lookup twice, and for some other reasons I will show you here, so the response here I have and, sorry, it's not a response, it's a result, I save this here as a result and here too a result, okay, so this is the string value of 0 or 1, the result, a fail or a success. Now one last thing, I also have a function that converts a nil into a question mark and I'm going to use this here, so this is the function nilToQuestionMark that I'm going to apply to the result of the table lookup. Why am I doing this? Well, if I'm looking up a value that is not 0 or 1, for example it's 2, it shouldn't appear, but it can always show up in our capture, so if the result is a 2, I don't know what that represents, and the tResult lookup will be nil, and if we have a nil then we have an error here and here. Now to avoid this error I'm going to convert the nil into a question mark, that's what this function does: this function tests if this value is nil and then it returns a question mark, if it is not nil it just returns the value itself, okay, and then it is used here in the protocol tree and in the info field, okay. So let's come back here and open this with Wireshark, filter on botnet, okay, and now you can see here that we have a request and a response. Now another way to view this information without the dissector, but still have a better idea, is to look at what's happening in the stream, so do a follow stream and then let me move this, okay, and then you have this representation where you can see the traffic of data going from the client to the bot and back, let me show this as a hexdump here, then you can see more easily the different messages, okay, but still here with all those
hex fields that doesn't tell you a lot, while having this view here with the dissector, let me come back to botnet01, apply it, okay, and here in the info field we have a better idea of what's going on, and if you want the details you look into the protocol data, okay. So I hope that gives you an idea of what we are going to do on the second day of my Wireshark training course, where we will look at different protocols that we are going to dissect with dissectors we are going to develop in Lua for Wireshark.
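The dissector the course builds up incrementally, written out in full as an added example (not the course's own code): the version/type/command fields, the three lookup tables, the nilToQuestionMark guard, and the info-column append for the download URL and result. The TCP port 4444 and the field and variable names are assumptions, not taken from the transcript.

```lua
-- Added example, not the course's own dissector: a Wireshark Lua dissector for the
-- 3-byte botnet01 protocol. TCP port 4444 and all field/variable names are assumptions.
local botnet01 = Proto("botnet01", "Botnet 01 Protocol")

-- Lookup tables that turn the raw byte values into readable strings
local tType    = { [0] = "request", [1] = "response" }
local tCommand = { [1] = "ping", [2] = "date", [3] = "reverse", [4] = "download" }
local tResult  = { [0] = "fail", [1] = "success" }

-- A value outside the tables gives nil; concatenating nil raises a Lua error,
-- so unknown values are shown as "?" instead of breaking the dissector
local function nilToQuestionMark(value)
  if value == nil then return "?" end
  return value
end

local f_version = ProtoField.uint8("botnet01.version", "Version", base.DEC)
local f_type    = ProtoField.uint8("botnet01.type", "Type", base.DEC, tType)
local f_command = ProtoField.uint8("botnet01.command", "Command", base.DEC, tCommand)
local f_result  = ProtoField.uint8("botnet01.result", "Result", base.DEC, tResult)
local f_data    = ProtoField.string("botnet01.data", "Data")
botnet01.fields = { f_version, f_type, f_command, f_result, f_data }

function botnet01.dissector(buffer, pinfo, tree)
  if buffer:len() < 3 then return 0 end  -- every message has at least 3 bytes
  pinfo.cols.protocol = "BOTNET01"
  local subtree = tree:add(botnet01, buffer(), "Botnet 01 Protocol")
  subtree:add(f_version, buffer(0, 1))
  local msgtree = subtree:add(buffer(1, 2), "Message")
  msgtree:add(f_type, buffer(1, 1))
  msgtree:add(f_command, buffer(2, 1))
  local msgtype = buffer(1, 1):uint()
  local command = buffer(2, 1):uint()
  -- Info column: "<type> <command>", with "?" for values not in the tables
  pinfo.cols.info = nilToQuestionMark(tType[msgtype]) .. " " .. nilToQuestionMark(tCommand[command])

  if command == 4 and msgtype == 1 and buffer:len() >= 4 then
    -- Download response: one result byte at offset 3, translated through tResult
    local sResult = nilToQuestionMark(tResult[buffer(3, 1):uint()])
    subtree:add(f_result, buffer(3, 1))
    pinfo.cols.info:append(" " .. sResult)
  elseif buffer:len() > 3 then
    -- Date response, reverse request/response, download request: trailing data
    subtree:add(f_data, buffer(3))
    if command == 4 then pinfo.cols.info:append(" " .. buffer(3):string()) end  -- URL
  end
  return buffer:len()
end

DissectorTable.get("tcp.port"):add(4444, botnet01)  -- port is an assumption
```

Drop the file into Wireshark's personal plugins folder (or load it with -X lua_script:) and the packets on the assumed port show "request download <URL>" and "response download success" in the info column, with "?" wherever a byte falls outside the tables.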