
Writing a Packet Parser to Extract Title Meta

Question asked by David Waugh on May 25, 2018
Latest reply on May 29, 2018 by William Motley

Hello

 

I'm stuck writing a packet parser that will extract some meta.

The session is an SMB print job.

In Wireshark, where I look at the packets, I can see the %%Title: that equates to the line I want to capture.

 

When I look at the hex I can see:

 

I don't seem to be able to get my packet parser to match though.

 

I have tried:

 

["%%%%Title:"] = SMBTitle.header,  -- (% needs to be escaped)

["Title:"] = SMBTitle.header,

 

-- Hex: 25 25 54 69 74 6c 65 3a 20
-- Which is decimal
-- 37 37 84 105 116 108 101 58 32

 

So I have tried

["\37\37\84\105\116\108\101\58\32"] = SMBTitle.header

 

I have just tried

["SMB"] = SMBTitle.header

and then the parser works (e.g. the callback function fires).

 

 

Here is the actual parser

 

local parserName = "smbtitle"
local parserVersion = "2018-05-25"

local SMBTitle = nw.createParser(parserName, "smb title",139)

nw.logDebug(parserName .. " " .. parserVersion)

--[[
DESCRIPTION

Looks for lines such as
%%Title:
And then writes the remaining text into the filename meta key.
VERSION

1.0 First Version

DEPENDENCIES

none


CONFLICTS

STANDARD INDEX KEYS


CUSTOM INDEX KEYS

none


ALERT.ID

none


NOTES

none


OPTIONS

none


IMPLEMENTATION

Finds title meta from SMB Sessions


TODO

none

--]]

function SMBTitle:sessionBegin()
    -- Lua booleans are lower-case; 'True' is just an undefined (nil) global
    DebugFlag = true
    myRandom = math.random(100000000)
    nw.logInfo(myRandom .. " SMBTitle: Session Detected")
end

SMBTitle:setKeys({
    nwlanguagekey.create("filename")
})

function SMBTitle:logger(mymessage, myvariable)
    -- DebugFlag is set in sessionBegin; the original 'if True then' compared
    -- against nil, so this branch could never run
    if DebugFlag then
        if mymessage and myvariable then
            nw.logInfo(myRandom .. " SMBTitle: " .. mymessage .. myvariable)
        elseif mymessage then
            nw.logInfo(myRandom .. " SMBTitle: " .. mymessage .. " is nil")
        else
            nw.logInfo(myRandom .. " SMBTitle: Both Variables Nil")
        end
    end
end

function SMBTitle:header(token, first, last)
    nw.logInfo(myRandom .. " SMBTitle: Title Matched")
    local payload = nw.getPayload()

    nw.logInfo("payload string:" .. "hello")
    nw.logInfo("first " .. tostring(first))
    nw.logInfo("last " .. tostring(last))

    nw.createMeta(self.keys.filename, "found")
end

SMBTitle:setCallbacks({
    [nwevents.OnSessionBegin] = SMBTitle.sessionBegin,
    -- Look for SMBTitle in a session
    -- We need to escape % with % so that % become %%
    -- We are looking for %%Title:
    -- Which is Hex: 25 25 54 69 74 6c 65 3a 20
    -- Which is decimal
    -- 37 37 84 105 116 108 101 58 32
    ["\37\37\84\105\116\108\101\58\32"] = SMBTitle.header,
})

Any ideas what I am doing wrong here, William Motley?

 

Once I know my callback is firing correctly I will extract the meta.

 

I've attached my test pcap which contains the capture info.
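As an added example (not code from the original post, and using only plain Lua string functions rather than the NetWitness payload API), the following shows that the decimal-escaped token is byte-for-byte the same as "%%Title: " and how the remainder of that line can be pulled out once the callback fires; the `sample` print-job header is constructed.

```lua
-- Constructed sample resembling the DSC header of a PostScript print job.
local sample = "%!PS-Adobe-3.0\r\n%%Title: Quarterly Report.docx\r\n%%Creator: Windows Driver\r\n"

-- Token bytes from the post: hex 25 25 54 69 74 6c 65 3a 20.
-- In a Lua string literal \ddd is decimal, so this equals "%%Title: ".
local TOKEN = "\37\37\84\105\116\108\101\58\32"
assert(TOKEN == "%%Title: ")

-- Extract the text after the token up to the end of the line.
-- string.find with plain=true does a literal byte match, so '%' needs no
-- escaping here; it only needs doubling inside a Lua *pattern*.
local function extractTitle(payload)
    local s, e = payload:find(TOKEN, 1, true)
    if not s then return nil end
    local eol = payload:find("[\r\n]", e + 1) or (#payload + 1)
    local title = payload:sub(e + 1, eol - 1)
    -- drop trailing whitespace some drivers pad the line with
    return (title:gsub("%s+$", ""))
end

-- Same extraction written as a Lua pattern, where each '%' becomes '%%'.
local function extractTitlePattern(payload)
    return payload:match("%%%%Title:%s*([^\r\n]*)")
end

assert(extractTitle(sample) == "Quarterly Report.docx")
assert(extractTitlePattern(sample) == "Quarterly Report.docx")
assert(extractTitle("%!PS-Adobe-3.0\r\n%%Creator: none\r\n") == nil)
print(extractTitle(sample))
```

In the parser itself the equivalent step would be to read the bytes after `last` from `nw.getPayload()` up to the line terminator and pass that string to `nw.createMeta(self.keys.filename, ...)` instead of the placeholder "found".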
