
Protobuf UDP Message and its Types in Wireshark

Last Updated : 02 Nov, 2022

The Protobuf UDP Message Types table in Wireshark controls how data on specified UDP ports is parsed. When the UDP payload on one of those ports contains Protobuf-encoded data, Wireshark uses this table to determine the type of the Protobuf message. The “User Table” consists of the following fields, which keep the configuration that maps UDP port(s) to a Protobuf message type.

UDP Ports:

It specifies the range of UDP ports. “8000” or “8000,8008-8088,9080” are acceptable formats in this field.

Message Type:

This field specifies the Protobuf message type that is used to parse the data on the given UDP port(s). The message type can be left empty, in which case the Protobuf dissector parses the data on the specified UDP ports by wire type only, without precise definitions. The Protobuf dissector can also be called from a dissector you write yourself. If your dissector is written in C, the message type can be passed to the Protobuf dissector using the data parameter of the call_dissector_with_data() function. If your dissector is written in Lua, the message type can be passed to the Protobuf dissector using pinfo.private["pb_msg_type"].

Format:

The format for specifying the data parameter and pinfo.private["pb_msg_type"] is

"message," message_type_name

For Example:

message,hello.Welcome

Here, hello is the package name and Welcome is the message type.

Protocol Dependencies:

Wireshark typically dissects Protobuf content on behalf of an upper-layer dissector, such as gRPC or another UDP/TCP-based dissector. A dissector written in C can hand Protobuf content to the Protobuf dissector with:

dissector_handle_t protobuf_handle = find_dissector("protobuf");
call_dissector_with_data(protobuf_handle, tvb, pinfo, tree, "message,tutorial.AddressBook");

or a Lua-written dissector via:

local protobuf_dissector = Dissector.get("protobuf")
pinfo.private["pb_msg_type"] = "message,tutorial.AddressBook"
pcall(Dissector.call, protobuf_dissector, tvb, pinfo, tree)

Higher-layer dissectors can use the data parameter or private_table["pb_msg_type"] to provide Protobuf message type information. The message type information is formatted as:

"message," message_type_name

The message_type_name is the full name of the message type, prefixed by the package name. When parsing Protobuf content, the Protobuf dissector uses the specified message type name to search for the message definition in the *.proto files found through the “Protobuf Search Paths” option.

Example Traffic:

UDP Protobuf Stream

 

Conclusion:

Protocol buffers provide a language-neutral, platform-neutral, extensible method for serializing structured data in a way that is both forward- and backward-compatible. They are similar to JSON, but smaller and quicker, and they come with native language bindings. Use Protobuf in the following conditions:

  • You need quick serialization or deserialization.
  • Type safety is essential. 
  • Schema compliance is necessary.

Because of backward compatibility, proto files can prevent errors and make rolling out new features and services much simpler than with JSON and XML.

Validation and extensibility: The definitions of the required, optional, and repeated keywords in protocol buffers are extremely powerful.

