0

I have an binary file with shows glibberish infos if i open it in Notepad. I am working on an plugin to use with wireshark.

So my problem is that I need help. I am reading in an File and need to find 'V' '0' '0' '1' (0x56 0x30 0x30 0x31) in the File, because its the start of an Header, with means there is an packet inside. And I need to do this for the whole file, like parsing. Also should start the Frame with V 0 0 1 and not end with it. I currently have an Code where I am searching for 0x7E and parse it. What I need is the length of the frame. For example V 0 0 1 is found, so the Length from V to the Position before the next V 0 0 1 in the File. So that I can work with the length and add it to an captured length to get the positions, that wireshark can work with.

For example my unperfect Code for working with 0x7E:

local line = file:read()
local len = 0

for c in (line or ''):gmatch ('.') do
    len = len + 1
    if c:byte() == 0x7E then
        break
    end
    
end

if not line then 
    return false 
end

frame.captured_length = len

Here is also the Problem that the Frame ends with 7E which is wrong. I need something that works perfectly for 'V' '0' '0' '1'. Maybe I need to use string.find? Please help me!

Thats an example how my file looks like if i use the HEX-Editor in Visual Studio Code. enter image description here

Glupschi
  • 215
  • 1
  • 9
  • 1
    Seems closer related to https://stackoverflow.com/questions/66656540/lua-parsing-after-more-than-one-byte – lhf Mar 19 '21 at 16:04

1 Answers1

1

Lua has some neat pattern tools. Here's a summary:

  • (...) Exports all captured text within () and gives it to us.
  • -, +, *, ?, "Optional match as little as possible", "Mandatory match as much as possible", "optional match as much as possible", "Optional match only once", respectively.
  • ^ and $: Root to start or end of file, respectively.

We'll be using this universal input and output to test with:

local output = {}
local input = "V001Packet1V001Packet2oooV001aaandweredonehere"

The easiest way to do this is probably to recursively split the string, with one ending at the character before "V", and the other starting at the character after "1". We'll use a pattern which exports the part before and after V001:

local this, next = string.match(input, "(.-)V001(.*)")
print(this,next)    --> "", "Packet1V001Packet2..."

Simple enough. Now we need to do it again, and we also need to eliminate the first empty packet, because it's a quirk of the pattern. We can probably just say that any empty this string should not be added:

if this ~= "" then
    table.insert(output, this)
end

Now, the last packet will return nil for both this and next, because there will not be another V001 at the end. We can prepare for that by simply adding the last part of the string when the pattern does not match.

All put together:

local function doStep(str)
    local this, next = string.match(str, "(.-)V001(.*)")
    print(this,next)

    if this then 
        --  There is still more packets left
        if this ~= "" then
            --  This is an empty packet
            table.insert(output, this)
        end

        if next ~= "" then
            --  There is more out there!
            doStep(next)
        end
    else
        --  We are the last survivor.
        table.insert(output, str)
    end
end

Of course, this can be improved, but it should be a good starting point. To prove it works, this script:

doStep(input)
print(table.concat(output, "; "))

prints this:

Packet1; Packet2ooo; aaandweredonehere
Mooshua
  • 526
  • 2
  • 16