From f7d2c4e7bdc77e34de5795872d8cb2397e4c9033 Mon Sep 17 00:00:00 2001
From: Peter Wu
Date: Fri, 7 Feb 2020 16:47:44 +0000
Subject: lua: add DoH GET dissector
Quick hack that allows me to debug DoH GET requests. See also https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=14433
---
 lua/doh-get.lua | 39 +++++++++++++++++++++++++++++++++++++++
 1 file changed, 39 insertions(+)
 create mode 100644 lua/doh-get.lua
diff --git a/lua/doh-get.lua b/lua/doh-get.lua
new file mode 100644
index 0000000..e36ca1c
--- /dev/null
+++ b/lua/doh-get.lua
@@ -0,0 +1,39 @@
+--
+-- Support for DoH GET dissection in Wireshark. Wireshark already supports
+-- dissection of the application/dns-message POST request and response bodies,
+-- but it does not yet support the GET request parameter. This Lua plugin
+-- provides a workaround for that.
+-- https://tools.ietf.org/html/rfc8484#section-4.1
+--
+
+local doh_get = Proto.new("doh-get", "DNS over HTTPS (GET)")
+local media_type = DissectorTable.get("media_type")
+local http_path = Field.new("http.request.uri")
+local http2_path = Field.new("http2.headers.path")
+
+function doh_get.dissector(tvb, pinfo, tree)
+    local path = http2_path() or http_path()
+    if not path then
+        return
+    end
+
+    local dns_b64, sep = string.match(path.value, "[%?&]dns=([A-Za-z0-9_=-]+)(.?)")
+    if not dns_b64 then
+        return
+    end
+    -- Check for forbidden values in query string.
+    if sep ~= "" and sep ~= "&" then
+        return
+    end
+
+    local dns_tvb = ByteArray.new(dns_b64, true):base64_decode():tvb("Base64-decoded DNS")
+
+    -- Allow HTTP GET line to be replaced with the DNS one in the Info column.
+    pinfo.columns.info:clear_fence()
+
+    -- Call media_type table instead of dns directly, this ensures that the
+    -- protocol is properly displayed as "DoH".
+    media_type:try("application/dns-message", dns_tvb, pinfo, tree)
+end
+
+register_postdissector(doh_get)
-- cgit v1.2.1
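Review bot: The decode on the `local dns_tvb = ByteArray.new(dns_b64, true):base64_decode():tvb("Base64-decoded DNS")` line is handed base64url text, because RFC 8484 §4.1 encodes the dns parameter with the URL-safe alphabet (`-` and `_` instead of `+` and `/`), which the match pattern a few lines up correctly accepts; if ByteArray:base64_decode only understands the standard alphabet (it appears to be backed by GLib's decoder, which skips characters outside that alphabet), every message whose encoding contains `-` or `_` decodes to shifted, corrupted bytes and the DNS dissector is shown garbage without any error. Translating the alphabet just before the decode avoids that: `dns_b64 = dns_b64:gsub("%-", "+"):gsub("_", "/")` inserted above the ByteArray.new line; the unpadded input should need no `=` fix-up if the decoder tolerates missing padding, which is worth confirming. A smaller point: `http2_path()` and `http_path()` each return only the first occurrence of the field, so a frame carrying several HTTP/2 request streams has only its first query decoded, which deserves a comment such as `-- Only the first request in the frame is handled.` next to the `local path = http2_path() or http_path()` line.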