Reset Plugin for Wireshark

nsrstplug.lua

@@ -0,0 +1,325 @@
+--------------------------------------------------------------------------------
+-- 1. Define a new protocol
+--------------------------------------------------------------------------------
+
+local citrix_reset_proto = Proto("citrix_reset", "Citrix ADC Reset Codes")
+
+--------------------------------------------------------------------------------
+-- 2. Define the fields for this protocol
+--------------------------------------------------------------------------------
+
+citrix_reset_proto.fields.reset_window = ProtoField.uint16(
+    "citrix_reset.window_size",
+    "Citrix Reset Window Size",
+    base.DEC
+)
+
+--------------------------------------------------------------------------------
+-- 3. Define field extractors from the existing TCP dissector
+--------------------------------------------------------------------------------
+
+local f_tcp_srcport       = Field.new("tcp.srcport")
+local f_tcp_dstport       = Field.new("tcp.dstport")
+local f_tcp_window_size   = Field.new("tcp.window_size")       -- or "tcp.window_size_value"
+local f_tcp_flags_reset   = Field.new("tcp.flags.reset")
+
+--------------------------------------------------------------------------------
+-- 4. Define the lookup table for Citrix ADC reset codes
+--------------------------------------------------------------------------------
+
+local window_size_lookup = {
+    [8196]  = "SSL bad record.",
+    [8201]  = "NSDBG_RST_SSTRAY, 8201 – NSDBG_RST_SSTRAY",
+    [8202]  = "NSDBG_RST_CSTRAY: Triggered when the NetScaler receives data on a connection with an expired SYN cookie.",
+    [8204]  = "Client retransmitted SYN with the wrong sequence number.",
+    [8205]  = "ACK number in the final ACK from peer during connection establishment is wrong.",
+    [8206]  = "Received a bad packet in TCPS_SYN_SENT state (non-RST). Possibly reused 4-tuple from old connection.",
+    [8207]  = "Received SYN on an established connection within the window. Protects from spoofing attacks.",
+    [8208]  = "Reset after receiving more than the configured number of duplicate retransmissions.",
+    [8209]  = "Memory allocation failure (system out of memory).",
+    [8210]  = "HTTP DoS protection triggered by a bad client request.",
+    [8211]  = "Cleanup of idle connections.",
+    [8212]  = "Stray SYN packet with no listening service or invalid SYN cookie.",
+    [8213]  = "Sure Connect feature, bad client sending post on a closing connection.",
+    [8214]  = "MSS in SYN exceeded NIC/VLAN MTU.",
+    [9100]  = "NSDBG_RST_ORP: Orphan HTTP connection timed out waiting for completion.",
+    [9212]  = "HTTP invalid request.",
+    [9214]  = "Cache resource store failed.",
+    [9216]  = "Cache async no memory.",
+    [9217]  = "HTTP state machine error from receiving content longer than specified Content-Length.",
+    [9218]  = "Terminated due to extra orphan data.",
+    [9219]  = "NSB allocation failure.",
+    [9220]  = "Could not allocate new NSB (various reasons).",
+    [9221]  = "vurl includes an invalid domain shard.",
+    [9222]  = "Response was RFC-noncompliant (e.g., both Content-Length and Transfer-Encoding invalid).",
+    [9300]  = "NSDBG_RST_ZSSSR: Zombie timer/idle timeout or service-down event.",
+    [9301]  = "NSDBG_RST_ZSSSR: Zombie timer/idle timeout or service-down event.",
+    [9302]  = "NSDBG_RST_ZSSSR: Zombie timer/idle timeout or service-down event.",
+    [9303]  = "NSDBG_RST_ZSSSR: Zombie timer/idle timeout or service-down event.",
+    [9304]  = "NSDBG_RST_LINK_GIVEUPS: Freed session after zero window probe limit exceeded.",
+    [9305]  = "Server ACK to SYN had an invalid ACK number.",
+    [9306]  = "TCP buffering undone due to duplicate TCPB enablement.",
+    [9307]  = "Small window protection triggered reset.",
+    [9308]  = "Small window protection triggered reset.",
+    [9309]  = "Small window protection triggered reset.",
+    [9310]  = "TCP keepalive probing failed.",
+    [9311]  = "DHT retry failed.",
+    [9400]  = "Reset server connections in reusepool that are not reusable.",
+    [9401]  = "Reset older connections to free capacity for new ones or when removing an entity with active connections.",
+    [9450]  = "SQL HS failed.",
+    [9451]  = "SQL response failed.",
+    [9452]  = "SQL request list failed.",
+    [9453]  = "SQL UNK not linked.",
+    [9454]  = "SQL NSB hold failed.",
+    [9455]  = "SQL Server First Packet.",
+    [9456]  = "SQL login response arrived before request.",
+    [9457]  = "SQL server login failed.",
+    [9458]  = "SQL no memory.",
+    [9459]  = "SQL bad server.",
+    [9460]  = "SQL link failed.",
+    [9600]  = "Reset if # of pkts with Sequence/ACK mismatch > nscfg_max_orphan_pkts.",
+    [9601]  = "Reset if # of data pkts with Sequence/ACK mismatch > nscfg_max_orphan_pkts.",
+    [9602]  = "SSL VPN CS probe limit exceeded.",
+    [9700]  = "NSDBG_RST_PASS: RST forwarded from client or server.",
+    [9701]  = "NSDBG_RST_ACK_PASS: RST + ACK forwarded from client or server.",
+    [9702]  = "Data received after FIN.",
+    [9704]  = "NSB dropped (hold limit or transaction error).",
+    [9800]  = "NSDBG_RST_PROBE: Monitoring service reset due to timeout.",
+    [9810]  = "Responses match the configured NAI status code.",
+    [9811]  = "NSDBG_RST_ERRHANDLER: Used with SSL after sending a Fatal Alert.",
+    [9812]  = "Connection flushing: existing IP removed from configuration.",
+    [9813]  = "Closing the SSF connection.",
+    [9814]  = "NSDBG_RST_PETRIGGER: Reset triggered by policy engine match.",
+    [9816]  = "Bad SSL record.",
+    [9817]  = "SSL connection changed while updating bound certificate.",
+    [9818]  = "Bad SSL header value.",
+    [9819]  = "Failed to allocate memory for SPCB.",
+    [9820]  = "SSL card operation failed.",
+    [9821]  = "SSL feature disabled; resetting the connection.",
+    [9822]  = "SSL cipher changed; old-cipher connection flush.",
+    [9823]  = "Malformed NSC_AAAC cookie or memory failure in certificate processing.",
+    [9824]  = "Reset on AAA orphan connections.",
+    [9825]  = "DBG_WRONG_GSLBRECDLEN: MEP error reset code, typically from version mismatch.",
+    [9826]  = "Insufficient memory for NET buffers.",
+    [9827]  = "Reset on SSL config change.",
+    [9829]  = "Reset on GSLB other site down/out of reach.",
+    [9830]  = "Reset for sessions matching ACL DENY rule.",
+    [9831]  = "Connection had no application data but needed it.",
+    [9832]  = "Application error.",
+    [9833]  = "Fatal SSL error.",
+    [9834]  = "Reset while flushing all SPCB (fips or hsm init).",
+    [9835]  = "DTLS record too large.",
+    [9836]  = "DTLS record zero length.",
+    [9837]  = "SSLv2 record too large.",
+    [9838]  = "NSBE_DBG_RST_SSL_BAD_RECORD: SSL record lookup error.",
+    [9839]  = "SSL max NSB hold limit reached.",
+    [9841]  = "SSL/DTLS split packet failure.",
+    [9842]  = "SSL NSB allocation failure.",
+    [9843]  = "Monitor wide IP probe.",
+    [9844]  = "SSL reneg max NSB limit or allocation failure.",
+    [9845]  = "Reset on Appsec policy.",
+    [9846]  = "Delta compression aborted or failed.",
+    [9847]  = "Delta compression aborted or failed.",
+    [9848]  = "Reset on new SSL connection accepted during config change.",
+    [9849]  = "GSLB conflict from misconfiguration.",
+    [9850]  = "DNS TCP connection untrackable (compact NSB failure, etc.).",
+    [9851]  = "DNS TCP failure (invalid payload length, etc.).",
+    [9852]  = "RTSP (ALG) session handling error.",
+    [9853]  = "MSSQL Auth response error.",
+    [9854]  = "Indirect GSLB sites tried to establish connection.",
+    [9855]  = "For HTTP/SSL vservers, SO threshold reached.",
+    [9856]  = "AppFW ASYNC failure.",
+    [9857]  = "Reset while flushing HTTP waiting PCB.",
+    [9858]  = "Reset on re-chunk abort.",
+    [9859]  = "New client connection deferrable by server on the label.",
+    [9860]  = "pcb->link cleaned, connection reset.",
+    [9861]  = "Push vserver connection reset if push disabled on client vserver.",
+    [9862]  = "Reset to client for duplicate server connection.",
+    [9863]  = "Reset old connection if new connection established but old one not freed.",
+    [9864]  = "CVPN HINFO restore failed.",
+    [9865]  = "CVPN MCMX error.",
+    [9866]  = "URL policy transform error.",
+    [9868]  = "MSSQL login errors.",
+    [9870]  = "SQL login parse error.",
+    [9871]  = "MSSQL memory allocation failure.",
+    [9872]  = "Websocket upgrade request dropped due to disabled Websocket in HTTP profile.",
+    [9873]  = "Agsvc MCMX failure.",
+    [9874]  = "NSB hold limit reached.",
+    [9875]  = "RADIUS request parse error.",
+    [9876]  = "RADIUS response parse error.",
+    [9877]  = "RADIUS request dropped.",
+    [9878]  = "RADIUS response dropped.",
+    [9879]  = "Invalid RADIUS request.",
+    [9880]  = "Invalid RADIUS response.",
+    [9881]  = "RADIUS no memory.",
+    [9882]  = "RADIUS link failed.",
+    [9883]  = "RADIUS unlinked.",
+    [9884]  = "RADIUS unexpected error.",
+    [9885]  = "RADIUS unhandled response.",
+    [9886]  = "RADIUS unhandled request.",
+    [9887]  = "RADIUS missing UNK.",
+    [9888]  = "RADIUS wrong UNK.",
+    [9889]  = "RADIUS UNK refcnt.",
+    [9890]  = "RADIUS UNK purge.",
+    [9891]  = "RADIUS tunnel reject.",
+    [9892]  = "RADIUS unknown error.",
+    [9893]  = "Monitor probe reset.",
+    [9894]  = "Monitor mark down.",
+    [9895]  = "Monitor probe flush.",
+    [9896]  = "Monitor payload too small.",
+    [9897]  = "SNMP wrong packet.",
+    [9898]  = "SNMP wrong version.",
+    [9899]  = "SNMP wrong community.",
+    [9900]  = "SNMP wrong community.",
+    [9901]  = "SNMP wrong PDU.",
+    [9902]  = "SNMP wrong type.",
+    [9903]  = "SNMP wrong request ID.",
+    [9904]  = "SNMP wrong error status.",
+    [9905]  = "SNMP wrong error index.",
+    [9906]  = "SNMP no such object.",
+    [9907]  = "SNMP no such instance.",
+    [9908]  = "SNMP too big.",
+    [9909]  = "SNMP read only.",
+    [9910]  = "SNMP gen error.",
+    [9911]  = "SNMP wrong encoding.",
+    [9912]  = "SNMP wrong length.",
+    [9913]  = "SNMP wrong value.",
+    [9914]  = "SNMP no memory.",
+    [9915]  = "SNMP no response.",
+    [9916]  = "SNMP not writable.",
+    [9917]  = "SNMP auth error.",
+    [9918]  = "SNMP wrong digest.",
+    [9919]  = "SNMP bad value.",
+    [9920]  = "SNMP not in MIB.",
+    [9921]  = "SNMP too many indices.",
+    [9922]  = "SNMP not enough indices.",
+    [9923]  = "SNMP wrong index type.",
+    [9924]  = "SNMP wrong index length.",
+    [9925]  = "SNMP wrong index value.",
+    [9926]  = "SNMP no such name.",
+    [9927]  = "SNMP wrong varbind list.",
+    [9928]  = "SNMP end of MIB.",
+    [9929]  = "SNMP too big for packet.",
+    [9930]  = "SNMP no such view.",
+    [9931]  = "SNMP no such context.",
+    [9932]  = "SNMP no such user.",
+    [9933]  = "SNMP not in view.",
+    [9934]  = "SNMP unsupported security level.",
+    [9935]  = "SNMP unsupported auth protocol.",
+    [9936]  = "SNMP unsupported priv protocol.",
+    [9937]  = "SNMP unknown user name.",
+    [9938]  = "SNMP unknown engine ID.",
+    [9939]  = "SNMP wrong security model.",
+    [9940]  = "SNMP bad security level.",
+    [9941]  = "SNMP bad engine ID.",
+    [9942]  = "SNMP bad user name.",
+    [9943]  = "SNMP bad auth protocol.",
+    [9944]  = "SNMP bad priv protocol.",
+    [9945]  = "SNMP bad security name.",
+    [9946]  = "SNMP bad security model.",
+    [9947]  = "SNMP bad message.",
+    [9948]  = "SNMP bad PDU.",
+    [9949]  = "SNMP bad SPI.",
+    [9950]  = "SNMP bad context.",
+    [9951]  = "SNMP bad security state ref.",
+    [9952]  = "SNMP bad security name.",
+    [9953]  = "SNMP bad community.",
+    [9954]  = "SNMP bad community uses.",
+    [9955]  = "SNMP bad community name.",
+    [9956]  = "SNMP bad community indexing.",
+    [9957]  = "SNMP bad party.",
+    [9958]  = "SNMP bad party uses.",
+    [9959]  = "SNMP bad party name.",
+    [9960]  = "SNMP bad party indexing.",
+    [9961]  = "SNMP bad party TDomain.",
+    [9962]  = "SNMP bad party TAddress.",
+    [9963]  = "SNMP bad party identity.",
+    [9964]  = "SNMP bad party TTimeout.",
+    [9965]  = "SNMP bad party TMaxMessageSize.",
+    [9966]  = "SNMP bad party priv proto.",
+    [9967]  = "SNMP bad party auth clock.",
+    [9968]  = "SNMP bad party auth lifetime.",
+    [9969]  = "SNMP bad party auth private.",
+    [9970]  = "SNMP bad party auth public.",
+    [9971]  = "SNMP bad party auth clock skew.",
+    [9972]  = "SNMP bad party auth truncated.",
+    [9973]  = "SNMP bad party auth wrong digest.",
+    [9974]  = "SNMP bad party auth wrong.",
+    [9975]  = "SNMP bad context.",
+    [9976]  = "SNMP bad context uses.",
+    [9977]  = "SNMP bad context name.",
+    [9978]  = "SNMP bad context indexing.",
+    [9979]  = "SNMP bad ACL.",
+    [9980]  = "SNMP bad ACL uses.",
+    [9981]  = "SNMP bad ACL name.",
+    [9982]  = "SNMP bad ACL indexing.",
+    [9983]  = "SNMP bad ACL party.",
+    [9984]  = "SNMP bad ACL context.",
+    [9985]  = "SNMP bad ACL privs.",
+    [9986]  = "SNMP bad view.",
+    [9987]  = "SNMP bad view uses.",
+    [9988]  = "SNMP bad view name.",
+    [9989]  = "SNMP bad view indexing.",
+    [9990]  = "SNMP bad view subtree.",
+    [9991]  = "SNMP bad view mask.",
+    [9992]  = "SNMP bad view type.",
+    [9993]  = "SNMP bad view storage.",
+    [9994]  = "SNMP bad view status.",
+    [9995]  = "SNMP bad MIB.",
+    [9996]  = "SNMP bad MIB name.",
+    [9997]  = "SNMP bad MIB syntax.",
+    [9998]  = "SNMP bad MIB write syntax.",
+    [9999]  = "SNMP bad MIB access.",
+    [10000] = "SNMP bad MIB status.",
+    [10001] = "SNMP bad MIB indexes.",
+    [10002] = "SNMP bad MIB deps.",
+    [10003] = "SNMP bad MIB inits."
+}
+
+--------------------------------------------------------------------------------
+-- 5. Dissection function
+--------------------------------------------------------------------------------
+
+function citrix_reset_proto.dissector(buffer, pinfo, tree)
+    -- Fetch extracted fields
+    local tcp_srcport = f_tcp_srcport()
+    local tcp_dstport = f_tcp_dstport()
+    local tcp_rstflag = f_tcp_flags_reset()
+    local tcp_win     = f_tcp_window_size()
+
+    -- If any required fields are nil, no further processing
+    if not (tcp_srcport and tcp_dstport and tcp_rstflag and tcp_win) then
+        return
+    end
+
+    -- Convert to numeric
+    local rst_val = tonumber(tostring(tcp_rstflag))
+    local win_val = tonumber(tostring(tcp_win))
+
+    -- Check if the RST flag is set
+    if rst_val == 1 and win_val then
+        local description = window_size_lookup[win_val]
+        if description then
+            -- Create a subtree for Citrix ADC info
+            local subtree = tree:add(
+                citrix_reset_proto,
+                buffer(),
+                "Citrix ADC Reset Info"
+            )
+            -- Add window size field
+            local item = subtree:add(
+                citrix_reset_proto.fields.reset_window,
+                buffer(),
+                win_val
+            )
+            -- Append textual description
+            item:append_text(" (" .. description .. ")")
+        end
+    end
+end
+
+--------------------------------------------------------------------------------
+-- 6. Register the post-dissector
+--------------------------------------------------------------------------------
+
+register_postdissector(citrix_reset_proto)