authorPeter Wu <peter@lekensteyn.nl>2020-02-07 16:47:44 +0000
committerPeter Wu <peter@lekensteyn.nl>2020-02-07 16:47:44 +0000
commitf7d2c4e7bdc77e34de5795872d8cb2397e4c9033 (patch)
tree22ed79c994310297db2620700a297c2174ebc94d /lua/doh-get.lua
parenta8143e50357d796b4f59b58a6add97e2b0c319b1 (diff)
downloadwireshark-notes-f7d2c4e7bdc77e34de5795872d8cb2397e4c9033.tar.gz
lua: add DoH GET dissector
Quick hack that allows me to debug DoH GET requests. See also https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=14433
Diffstat (limited to 'lua/doh-get.lua')
-rw-r--r--lua/doh-get.lua39
1 files changed, 39 insertions, 0 deletions
diff --git a/lua/doh-get.lua b/lua/doh-get.lua
new file mode 100644
index 0000000..e36ca1c
--- /dev/null
+++ b/lua/doh-get.lua
@@ -0,0 +1,39 @@
+--
+-- Support for DoH GET dissection in Wireshark. Wireshark already supports
+-- dissection of the application/dns-message POST request and response bodies,
+-- but it does not yet support the GET request parameter. This Lua plugin
+-- provides a workaround for that.
+-- https://tools.ietf.org/html/rfc8484#section-4.1
+--
+
+local doh_get = Proto.new("doh-get", "DNS over HTTPS (GET)")
+local media_type = DissectorTable.get("media_type")
+local http_path = Field.new("http.request.uri")
+local http2_path = Field.new("http2.headers.path")
+
+function doh_get.dissector(tvb, pinfo, tree)
+ local path = http2_path() or http_path()
+ if not path then
+ return
+ end
+
+ local dns_b64, sep = string.match(path.value, "[%?&]dns=([A-Za-z0-9_=-]+)(.?)")
+ if not dns_b64 then
+ return
+ end
+ -- Check for forbidden values in query string.
+ if sep ~= "" and sep ~= "&" then
+ return
+ end
+
+ local dns_tvb = ByteArray.new(dns_b64, true):base64_decode():tvb("Base64-decoded DNS")
+
+ -- Allow HTTP GET line to be replaced with the DNS one in the Info column.
+ pinfo.columns.info:clear_fence()
+
+ -- Call media_type table instead of dns directly, this ensures that the
+ -- protocol is properly displayed as "DoH".
+ media_type:try("application/dns-message", dns_tvb, pinfo, tree)
+end
+
+register_postdissector(doh_get)
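Review bot: The capture pattern on the `string.match` line accepts the base64url alphabet (`-` and `_`, as RFC 8484 §4.1 requires), but the value is then handed to `ByteArray.new(dns_b64, true):base64_decode()`, which as far as I can tell decodes the standard alphabet via glib, so `-`/`_` would be dropped or mis-decoded and the DNS dissector receives a corrupt message from attacker-influenced traffic. Translate to standard base64 and restore padding before decoding: `dns_b64 = dns_b64:gsub("%-", "+"):gsub("_", "/")` followed by `dns_b64 = dns_b64 .. string.rep("=", (4 - #dns_b64 % 4) % 4)`. It would also help to note in the header comment that the `=` allowed by the pattern is lenient relative to the RFC, which forbids padding in the GET parameter.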