The Lua script below is not working for any of the three VPNs: it does not detect the traffic even when all of the following conditions are true.
The logic is
- VPN A Detection:
- MAC Address: 78:63:58:48:43:23 (gpon.net)
- Port: 443 or 88
- Packet Length: 1482 bytes
- Protocol: UDP
- VPN B Detection:
- Source and Destination Ports: Must be the same and either 51820 or 5353
- Packet Length: 1494 bytes
- Protocol: UDP
- VPN C Detection:
- MAC Address: 78:63:58:48:43:23 (gpon.net)
- Port: 51820
- Packet Length: 1494 bytes
- Protocol: UDP
Lua script
-- Field extractors. Field.new has to run at script load time, before any frame is
-- dissected; each extractor is then called from inside tap.packet to read the field
-- of the frame currently being tapped (nil when the frame has no such field).
local new_field = Field.new
local udp_src_port_field = new_field("udp.srcport") -- UDP source port
local udp_dst_port_field = new_field("udp.dstport") -- UDP destination port
local eth_src_mac_field  = new_field("eth.src")     -- Ethernet source MAC
local eth_dst_mac_field  = new_field("eth.dst")     -- Ethernet destination MAC
local ipv4_proto_field   = new_field("ip.proto")    -- IPv4 protocol number
local ipv6_proto_field   = new_field("ipv6.nxt")    -- IPv6 next-header number
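-- MAC shared by signatures A and C (the gpon.net device from the description).
-- Held in one place so the two signatures cannot drift apart when it is edited.
local GATEWAY_MAC = "78:63:58:48:43:23"

--- Detection signatures matched by tap.packet. All three apply to UDP only; the
-- protocol check itself lives in tap.packet. A MAC plus a fixed frame length is a
-- weak signature (the MAC can be spoofed and the length depends on the path MTU), so
-- treat a match as an indicator, not proof.
-- NOTE(review): C (port 51820, length 1494) overlaps B whenever src and dst ports are
-- both 51820, so one frame can print both "B" and "C" — confirm that is intended.
local vpn_signatures = {
  A = {
    mac_address = GATEWAY_MAC,
    dst_ports = {443, 88},   -- the description gives the port without a direction
    packet_length = 1482,
  },
  B = {
    src_dst_ports = {51820, 5353}, -- src and dst port must be equal and one of these
    packet_length = 1494,
  },
  C = {
    mac_address = GATEWAY_MAC,
    dst_port = 51820,
    packet_length = 1494,
  },
}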
--- Linear search of a sequence for a value (compared with ==).
-- @tparam table tbl sequence to search
-- @param element value to look for
-- @treturn boolean true when some tbl[i] == element
local function table_contains(tbl, element)
  for idx = 1, #tbl do
    if tbl[idx] == element then
      return true
    end
  end
  return false
end
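--- Returns true when `port` is accepted by `ports`, which is either a sequence of
-- port numbers (signature A) or a single number (signature C).
-- @param ports table|number
-- @tparam number port
-- @treturn boolean
local function port_matches(ports, port)
  if type(ports) == "table" then
    return table_contains(ports, port)
  end
  return ports == port
end

--- Returns true when `mac` equals either the source or the destination MAC.
-- Both sides are compared lower-cased so the result does not depend on how the
-- address is written in the signature table.
-- @tparam string mac signature MAC
-- @tparam string src_mac lower-cased frame source MAC
-- @tparam string dst_mac lower-cased frame destination MAC
-- @treturn boolean
local function mac_on_either_side(mac, src_mac, dst_mac)
  local want = string.lower(mac)
  return src_mac == want or dst_mac == want
end

-- Listener on the "ip" tap, kept local so the script does not create a global.
local tap = Listener.new("ip")

--- Per-frame callback: tests the frame against signatures A, B and C and prints one
-- line per signature that matches (a frame may match more than one).
-- @param pinfo Pinfo of the frame being tapped
-- @param tvb Tvb covering the frame; its length is what the signatures compare against
function tap.packet(pinfo, tvb)
  local src_port_value = udp_src_port_field()
  local dst_port_value = udp_dst_port_field()
  -- No UDP header was dissected for this frame: nothing to match.
  if src_port_value == nil or dst_port_value == nil then return end
  local src_port = tonumber(src_port_value.value)
  local dst_port = tonumber(dst_port_value.value)

  -- NOTE(review): tvb:len() is the captured byte count of the frame. If the 1482/1494
  -- figures were read from Wireshark's Length column (frame.len), pinfo.len is the
  -- value to compare — confirm against a capture known to contain the traffic.
  local packet_length = tvb:len()

  -- tostring(nil) yields "nil" when the frame has no Ethernet header; that never
  -- matches a signature MAC, so no separate guard is needed.
  local src_mac_value = string.lower(tostring(eth_src_mac_field()))
  local dst_mac_value = string.lower(tostring(eth_dst_mac_field()))

  local proto_field_value = ipv4_proto_field() or ipv6_proto_field()
  if proto_field_value == nil then return end -- no IP protocol / next-header field: skip
  local protocol = tonumber(proto_field_value.value)

  -- Per-frame trace: useful while tuning the signatures, noisy afterwards.
  print("Source MAC:", src_mac_value, "Destination MAC:", dst_mac_value, "Source Port:", src_port, "Destination Port:", dst_port, "Packet Length:", packet_length, "Protocol:", protocol)

  -- 17 = UDP. NOTE(review): for IPv6 frames with extension headers ipv6.nxt holds the
  -- first extension header, not 17, so such frames are rejected here even though the
  -- UDP port fields above were present — confirm whether that is intended.
  if protocol ~= 17 then return end

  local sig_a, sig_b, sig_c = vpn_signatures.A, vpn_signatures.B, vpn_signatures.C

  -- A: the MAC is accepted on either side of the frame, so the port has to be as well;
  -- checking the destination port alone silently dropped the reply direction.
  if mac_on_either_side(sig_a.mac_address, src_mac_value, dst_mac_value)
      and (port_matches(sig_a.dst_ports, dst_port) or port_matches(sig_a.dst_ports, src_port))
      and packet_length == sig_a.packet_length then
    print("A Detected!")
  end

  -- B: source and destination ports must be equal and one of the listed values.
  if src_port == dst_port
      and table_contains(sig_b.src_dst_ports, src_port)
      and packet_length == sig_b.packet_length then
    print("B VPN Detected!")
  end

  -- C: same direction-agnostic MAC and port handling as A.
  if mac_on_either_side(sig_c.mac_address, src_mac_value, dst_mac_value)
      and (port_matches(sig_c.dst_port, dst_port) or port_matches(sig_c.dst_port, src_port))
      and packet_length == sig_c.packet_length then
    print("C VPN Detected!")
  end
end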
-- Field extractors. Field.new has to run at script load time, before any frame is
-- dissected; each extractor is then called from inside tap.packet to read the field
-- of the frame currently being tapped (nil when the frame has no such field).
local new_field = Field.new
local udp_src_port_field = new_field("udp.srcport") -- UDP source port
local udp_dst_port_field = new_field("udp.dstport") -- UDP destination port
local eth_src_mac_field  = new_field("eth.src")     -- Ethernet source MAC
local eth_dst_mac_field  = new_field("eth.dst")     -- Ethernet destination MAC
local ipv4_proto_field   = new_field("ip.proto")    -- IPv4 protocol number
local ipv6_proto_field   = new_field("ipv6.nxt")    -- IPv6 next-header number
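-- MAC shared by signatures A and C (the gpon.net device from the description).
-- Held in one place so the two signatures cannot drift apart when it is edited.
local GATEWAY_MAC = "78:63:58:48:43:23"

--- Detection signatures matched by tap.packet. All three apply to UDP only; the
-- protocol check itself lives in tap.packet. A MAC plus a fixed frame length is a
-- weak signature (the MAC can be spoofed and the length depends on the path MTU), so
-- treat a match as an indicator, not proof.
-- NOTE(review): C (port 51820, length 1494) overlaps B whenever src and dst ports are
-- both 51820, so one frame can print both "B" and "C" — confirm that is intended.
local vpn_signatures = {
  A = {
    mac_address = GATEWAY_MAC,
    dst_ports = {443, 88},   -- the description gives the port without a direction
    packet_length = 1482,
  },
  B = {
    src_dst_ports = {51820, 5353}, -- src and dst port must be equal and one of these
    packet_length = 1494,
  },
  C = {
    mac_address = GATEWAY_MAC,
    dst_port = 51820,
    packet_length = 1494,
  },
}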
--- Linear search of a sequence for a value (compared with ==).
-- @tparam table tbl sequence to search
-- @param element value to look for
-- @treturn boolean true when some tbl[i] == element
local function table_contains(tbl, element)
  for idx = 1, #tbl do
    if tbl[idx] == element then
      return true
    end
  end
  return false
end
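--- Returns true when `port` is accepted by `ports`, which is either a sequence of
-- port numbers (signature A) or a single number (signature C).
-- @param ports table|number
-- @tparam number port
-- @treturn boolean
local function port_matches(ports, port)
  if type(ports) == "table" then
    return table_contains(ports, port)
  end
  return ports == port
end

--- Returns true when `mac` equals either the source or the destination MAC.
-- Both sides are compared lower-cased so the result does not depend on how the
-- address is written in the signature table.
-- @tparam string mac signature MAC
-- @tparam string src_mac lower-cased frame source MAC
-- @tparam string dst_mac lower-cased frame destination MAC
-- @treturn boolean
local function mac_on_either_side(mac, src_mac, dst_mac)
  local want = string.lower(mac)
  return src_mac == want or dst_mac == want
end

-- Listener on the "ip" tap, kept local so the script does not create a global.
local tap = Listener.new("ip")

--- Per-frame callback: tests the frame against signatures A, B and C and prints one
-- line per signature that matches (a frame may match more than one).
-- @param pinfo Pinfo of the frame being tapped
-- @param tvb Tvb covering the frame; its length is what the signatures compare against
function tap.packet(pinfo, tvb)
  local src_port_value = udp_src_port_field()
  local dst_port_value = udp_dst_port_field()
  -- No UDP header was dissected for this frame: nothing to match.
  if src_port_value == nil or dst_port_value == nil then return end
  local src_port = tonumber(src_port_value.value)
  local dst_port = tonumber(dst_port_value.value)

  -- NOTE(review): tvb:len() is the captured byte count of the frame. If the 1482/1494
  -- figures were read from Wireshark's Length column (frame.len), pinfo.len is the
  -- value to compare — confirm against a capture known to contain the traffic.
  local packet_length = tvb:len()

  -- tostring(nil) yields "nil" when the frame has no Ethernet header; that never
  -- matches a signature MAC, so no separate guard is needed.
  local src_mac_value = string.lower(tostring(eth_src_mac_field()))
  local dst_mac_value = string.lower(tostring(eth_dst_mac_field()))

  local proto_field_value = ipv4_proto_field() or ipv6_proto_field()
  if proto_field_value == nil then return end -- no IP protocol / next-header field: skip
  local protocol = tonumber(proto_field_value.value)

  -- Per-frame trace: useful while tuning the signatures, noisy afterwards.
  print("Source MAC:", src_mac_value, "Destination MAC:", dst_mac_value, "Source Port:", src_port, "Destination Port:", dst_port, "Packet Length:", packet_length, "Protocol:", protocol)

  -- 17 = UDP. NOTE(review): for IPv6 frames with extension headers ipv6.nxt holds the
  -- first extension header, not 17, so such frames are rejected here even though the
  -- UDP port fields above were present — confirm whether that is intended.
  if protocol ~= 17 then return end

  local sig_a, sig_b, sig_c = vpn_signatures.A, vpn_signatures.B, vpn_signatures.C

  -- A: the MAC is accepted on either side of the frame, so the port has to be as well;
  -- checking the destination port alone silently dropped the reply direction.
  if mac_on_either_side(sig_a.mac_address, src_mac_value, dst_mac_value)
      and (port_matches(sig_a.dst_ports, dst_port) or port_matches(sig_a.dst_ports, src_port))
      and packet_length == sig_a.packet_length then
    print("A Detected!")
  end

  -- B: source and destination ports must be equal and one of the listed values.
  if src_port == dst_port
      and table_contains(sig_b.src_dst_ports, src_port)
      and packet_length == sig_b.packet_length then
    print("B VPN Detected!")
  end

  -- C: same direction-agnostic MAC and port handling as A.
  if mac_on_either_side(sig_c.mac_address, src_mac_value, dst_mac_value)
      and (port_matches(sig_c.dst_port, dst_port) or port_matches(sig_c.dst_port, src_port))
      and packet_length == sig_c.packet_length then
    print("C VPN Detected!")
  end
end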
-- Field extractors. Field.new has to run at script load time, before any frame is
-- dissected; each extractor is then called from inside tap.packet to read the field
-- of the frame currently being tapped (nil when the frame has no such field).
local new_field = Field.new
local udp_src_port_field = new_field("udp.srcport") -- UDP source port
local udp_dst_port_field = new_field("udp.dstport") -- UDP destination port
local eth_src_mac_field  = new_field("eth.src")     -- Ethernet source MAC
local eth_dst_mac_field  = new_field("eth.dst")     -- Ethernet destination MAC
local ipv4_proto_field   = new_field("ip.proto")    -- IPv4 protocol number
local ipv6_proto_field   = new_field("ipv6.nxt")    -- IPv6 next-header number
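-- MAC shared by signatures A and C (the gpon.net device from the description).
-- Held in one place so the two signatures cannot drift apart when it is edited.
local GATEWAY_MAC = "78:63:58:48:43:23"

--- Detection signatures matched by tap.packet. All three apply to UDP only; the
-- protocol check itself lives in tap.packet. A MAC plus a fixed frame length is a
-- weak signature (the MAC can be spoofed and the length depends on the path MTU), so
-- treat a match as an indicator, not proof.
-- NOTE(review): C (port 51820, length 1494) overlaps B whenever src and dst ports are
-- both 51820, so one frame can print both "B" and "C" — confirm that is intended.
local vpn_signatures = {
  A = {
    mac_address = GATEWAY_MAC,
    dst_ports = {443, 88},   -- the description gives the port without a direction
    packet_length = 1482,
  },
  B = {
    src_dst_ports = {51820, 5353}, -- src and dst port must be equal and one of these
    packet_length = 1494,
  },
  C = {
    mac_address = GATEWAY_MAC,
    dst_port = 51820,
    packet_length = 1494,
  },
}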
--- Linear search of a sequence for a value (compared with ==).
-- @tparam table tbl sequence to search
-- @param element value to look for
-- @treturn boolean true when some tbl[i] == element
local function table_contains(tbl, element)
  for idx = 1, #tbl do
    if tbl[idx] == element then
      return true
    end
  end
  return false
end
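--- Returns true when `port` is accepted by `ports`, which is either a sequence of
-- port numbers (signature A) or a single number (signature C).
-- @param ports table|number
-- @tparam number port
-- @treturn boolean
local function port_matches(ports, port)
  if type(ports) == "table" then
    return table_contains(ports, port)
  end
  return ports == port
end

--- Returns true when `mac` equals either the source or the destination MAC.
-- Both sides are compared lower-cased so the result does not depend on how the
-- address is written in the signature table.
-- @tparam string mac signature MAC
-- @tparam string src_mac lower-cased frame source MAC
-- @tparam string dst_mac lower-cased frame destination MAC
-- @treturn boolean
local function mac_on_either_side(mac, src_mac, dst_mac)
  local want = string.lower(mac)
  return src_mac == want or dst_mac == want
end

-- Listener on the "ip" tap, kept local so the script does not create a global.
local tap = Listener.new("ip")

--- Per-frame callback: tests the frame against signatures A, B and C and prints one
-- line per signature that matches (a frame may match more than one).
-- @param pinfo Pinfo of the frame being tapped
-- @param tvb Tvb covering the frame; its length is what the signatures compare against
function tap.packet(pinfo, tvb)
  local src_port_value = udp_src_port_field()
  local dst_port_value = udp_dst_port_field()
  -- No UDP header was dissected for this frame: nothing to match.
  if src_port_value == nil or dst_port_value == nil then return end
  local src_port = tonumber(src_port_value.value)
  local dst_port = tonumber(dst_port_value.value)

  -- NOTE(review): tvb:len() is the captured byte count of the frame. If the 1482/1494
  -- figures were read from Wireshark's Length column (frame.len), pinfo.len is the
  -- value to compare — confirm against a capture known to contain the traffic.
  local packet_length = tvb:len()

  -- tostring(nil) yields "nil" when the frame has no Ethernet header; that never
  -- matches a signature MAC, so no separate guard is needed.
  local src_mac_value = string.lower(tostring(eth_src_mac_field()))
  local dst_mac_value = string.lower(tostring(eth_dst_mac_field()))

  local proto_field_value = ipv4_proto_field() or ipv6_proto_field()
  if proto_field_value == nil then return end -- no IP protocol / next-header field: skip
  local protocol = tonumber(proto_field_value.value)

  -- Per-frame trace: useful while tuning the signatures, noisy afterwards.
  print("Source MAC:", src_mac_value, "Destination MAC:", dst_mac_value, "Source Port:", src_port, "Destination Port:", dst_port, "Packet Length:", packet_length, "Protocol:", protocol)

  -- 17 = UDP. NOTE(review): for IPv6 frames with extension headers ipv6.nxt holds the
  -- first extension header, not 17, so such frames are rejected here even though the
  -- UDP port fields above were present — confirm whether that is intended.
  if protocol ~= 17 then return end

  local sig_a, sig_b, sig_c = vpn_signatures.A, vpn_signatures.B, vpn_signatures.C

  -- A: the MAC is accepted on either side of the frame, so the port has to be as well;
  -- checking the destination port alone silently dropped the reply direction.
  if mac_on_either_side(sig_a.mac_address, src_mac_value, dst_mac_value)
      and (port_matches(sig_a.dst_ports, dst_port) or port_matches(sig_a.dst_ports, src_port))
      and packet_length == sig_a.packet_length then
    print("A Detected!")
  end

  -- B: source and destination ports must be equal and one of the listed values.
  if src_port == dst_port
      and table_contains(sig_b.src_dst_ports, src_port)
      and packet_length == sig_b.packet_length then
    print("B VPN Detected!")
  end

  -- C: same direction-agnostic MAC and port handling as A.
  if mac_on_either_side(sig_c.mac_address, src_mac_value, dst_mac_value)
      and (port_matches(sig_c.dst_port, dst_port) or port_matches(sig_c.dst_port, src_port))
      and packet_length == sig_c.packet_length then
    print("C VPN Detected!")
  end
end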
I have tried running this script, but it is not detecting the VPNs.