Preface
I have been reading the Wireshark plugin and dissector code on and off.
Today I did an experiment: how to add a new plugin to the Wireshark source tree.
Sometimes, when doing an experiment, I have read every document that needs reading and it still does not feel right; I dawdle and do not want to start, and can only turn it over in my head without really knowing what I am turning over... :(
Once it feels right, I do the experiment in a relaxed mood, and it goes quickly.
Because the plugin contains so little code, it can only be hooked into Wireshark's plugin framework; when it is used to dissect an actual application-layer protocol (whatever the protocol, it is dissected as foo) by choosing Decode As foo, Wireshark crashes. More code has to be added following the guide in wireshark\doc\README.dissector.
With the dissector code incomplete, the crash site is the code fragment below.
handle->dissector is NULL, so calling the dissector callback pointer faults.
This means no dissector callback was registered.
/* This function will return
 * old style dissector :
 *   length of the payload or 1 if the payload is empty
 * new dissector :
 *   >0  this protocol was successfully dissected and this was this protocol.
 *   0   this packet did not match this protocol.
 *
 * The only time this function will return 0 is if it is a new style dissector
 * and if the dissector rejected the packet.
 */
static int
call_dissector_through_handle(dissector_handle_t handle, tvbuff_t *tvb,
    packet_info *pinfo, proto_tree *tree, void *data)
{
    const char *saved_proto;
    int         len;

    saved_proto = pinfo->current_proto;

    if ((handle->protocol != NULL) && (!proto_is_pino(handle->protocol))) {
        pinfo->current_proto =
            proto_get_protocol_short_name(handle->protocol);
    }

    /* No NULL check here: a handle registered without a dissector faults on this call. */
    len = (*handle->dissector)(tvb, pinfo, tree, data);

    pinfo->current_proto = saved_proto;
    return len;
}
The goal of this experiment is to add a valid Wireshark plugin; as long as Wireshark loads it, the goal is met.
First install a Wireshark package that matches the source (e.g. Wireshark-win64-2.4.2.msi), then drop the freshly built release x64 plugin into C:\Program Files\Wireshark\plugins\2.4.2.0.
Open Wireshark and type foo into the display filter; if the field turns green, the new plugin loaded. Mine did. I first built the debug x64 version and dropped it into the plugin directory; loading failed, and the error message was garbled. Then I remembered that the target machine has no Qt installed (so no Qt debug DLLs), rebuilt release x64, and this time the plugin loaded.
Experiment
Copy and modify the plugin template
Use C:\Development\wireshark\plugins\gryphon as the template (any other plugin under C:\Development\wireshark\plugins works too): copy its files to C:\Development\wireshark\plugins\foo, rename everything to the foo version, and delete all the code that is not needed, keeping only the initialisation code (only the bare minimum: the code that registers the plugin is enough).
C:\Development\wireshark\plugins\foo>tree /F
文件夹 PATH 列表
卷序列号为 82BE-4BEF
C:.
AUTHORS
ChangeLog
CMakeLists.txt
COPYING
Makefile.am
moduleinfo.h
packet-foo.c
packet-foo.h
plugin.c
plugin.rc.in
Modify the build configuration files
This step follows wireshark\doc\README.plugins and has quite a few sub-steps. After the experiment succeeded I produced a patch file with svn, which is far clearer and more professional than a written description. The articles I found online about editing Wireshark's build files, whether by Chinese or foreign authors, all felt messy.
The advantage of a patch file is that, as long as the top-level directory before modification is checked into svn, svn can apply the patch for you: point it at the patch file and the top-level directory, and the change is applied in one step.
For the meaning of the patch file's output format, see the post on the svn patch file output format.
Once you understand the patch format, applying it by hand without svn is also quick.
Patch file download: wireshark_foo_plugin_2018_0706_1607.patch
Index: CMakeLists.txt
===================================================================
--- CMakeLists.txt (revision 1)
+++ CMakeLists.txt (working copy)
@@ -1271,6 +1271,7 @@
set(PLUGIN_SRC_DIRS
plugins/docsis
plugins/ethercat
+ plugins/foo
plugins/gryphon
plugins/irda
plugins/m2m
Index: configure.ac
===================================================================
--- configure.ac (revision 1)
+++ configure.ac (working copy)
@@ -3012,6 +3012,7 @@
plugins/docsis/Makefile
plugins/easy_codec/Makefile
plugins/ethercat/Makefile
+ plugins/foo/Makefile
plugins/gryphon/Makefile
plugins/irda/Makefile
plugins/m2m/Makefile
Index: epan/Makefile.am
===================================================================
--- epan/Makefile.am (revision 1)
+++ epan/Makefile.am (working copy)
@@ -479,6 +479,8 @@
../plugins/ethercat/packet-ioraw.c \
../plugins/ethercat/packet-nv.c \
../plugins/ethercat/plugin.c \
+ ../plugins/foo/packet-foo.c \
+ ../plugins/foo/plugin.c \
../plugins/gryphon/packet-gryphon.c \
../plugins/gryphon/plugin.c \
../plugins/irda/packet-ircomm.c \
Index: Makefile.am
===================================================================
--- Makefile.am (revision 1)
+++ Makefile.am (working copy)
@@ -354,6 +354,7 @@
plugin_ldadd = $(_CUSTOM_plugin_ldadd_) \
-dlopen plugins/docsis/docsis.la \
-dlopen plugins/ethercat/ethercat.la \
+ -dlopen plugins/foo/foo.la \
-dlopen plugins/gryphon/gryphon.la \
-dlopen plugins/irda/irda.la \
-dlopen plugins/m2m/m2m.la \
Index: packaging/nsis/wireshark.nsi
===================================================================
--- packaging/nsis/wireshark.nsi (revision 1)
+++ packaging/nsis/wireshark.nsi (working copy)
@@ -1008,6 +1008,7 @@
SetOutPath '$INSTDIR\plugins\${VERSION}'
File "${STAGING_DIR}\plugins\docsis.dll"
File "${STAGING_DIR}\plugins\ethercat.dll"
+File "${STAGING_DIR}\plugins\foo.dll"
File "${STAGING_DIR}\plugins\gryphon.dll"
File "${STAGING_DIR}\plugins\irda.dll"
File "${STAGING_DIR}\plugins\m2m.dll"
Index: plugins/foo/AUTHORS
===================================================================
--- plugins/foo/AUTHORS (nonexistent)
+++ plugins/foo/AUTHORS (working copy)
@@ -0,0 +1,2 @@
+// @file AUTHORS
+// @note this file not allow empty
Index: plugins/foo/CMakeLists.txt
===================================================================
--- plugins/foo/CMakeLists.txt (nonexistent)
+++ plugins/foo/CMakeLists.txt (working copy)
@@ -0,0 +1,83 @@
+# CMakeLists.txt
+#
+# Wireshark - Network traffic analyzer
+# By Gerald Combs <gerald@wireshark.org>
+# Copyright 1998 Gerald Combs
+#
+# This program is free software; you can redistribute it and/or
+# modify it under the terms of the GNU General Public License
+# as published by the Free Software Foundation; either version 2
+# of the License, or (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, write to the Free Software
+# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+#
+
+include(WiresharkPlugin)
+
+# Plugin name and version info (major minor micro extra)
+set_module_info(foo 1 0 1 1)
+
+set(DISSECTOR_SRC
+ packet-foo.c
+)
+
+set(PLUGIN_FILES
+ plugin.c
+ ${DISSECTOR_SRC}
+)
+
+set(CLEAN_FILES
+ ${PLUGIN_FILES}
+)
+
+set_source_files_properties(
+ ${CLEAN_FILES}
+ PROPERTIES
+ COMPILE_FLAGS "${WERROR_COMMON_FLAGS}"
+)
+
+include_directories(${CMAKE_CURRENT_SOURCE_DIR})
+
+register_dissector_files(plugin.c
+ plugin
+ ${DISSECTOR_SRC}
+)
+
+add_plugin_library(foo)
+
+install(TARGETS foo
+ LIBRARY DESTINATION ${CMAKE_INSTALL_LIBDIR}/${CPACK_PACKAGE_NAME}/plugins/${CPACK_PACKAGE_VERSION} NAMELINK_SKIP
+ RUNTIME DESTINATION ${CMAKE_INSTALL_LIBDIR}/${CPACK_PACKAGE_NAME}/plugins/${CPACK_PACKAGE_VERSION}
+ ARCHIVE DESTINATION ${CMAKE_INSTALL_LIBDIR}/${CPACK_PACKAGE_NAME}/plugins/${CPACK_PACKAGE_VERSION}
+)
+
+file(GLOB DISSECTOR_HEADERS RELATIVE "${CMAKE_CURRENT_SOURCE_DIR}" "*.h")
+CHECKAPI(
+ NAME
+ foo
+ SWITCHES
+ -g abort -g termoutput -build
+ SOURCES
+ ${DISSECTOR_SRC}
+ ${DISSECTOR_HEADERS}
+)
+
+#
+# Editor modelines - http://www.wireshark.org/tools/modelines.html
+#
+# Local variables:
+# c-basic-offset: 8
+# tab-width: 8
+# indent-tabs-mode: t
+# End:
+#
+# vi: set shiftwidth=8 tabstop=8 noexpandtab:
+# :indentSize=8:tabSize=8:noTabs=false:
+#
Index: plugins/foo/COPYING
===================================================================
--- plugins/foo/COPYING (nonexistent)
+++ plugins/foo/COPYING (working copy)
@@ -0,0 +1,2 @@
+// @file COPYING
+// @note this file not allow empty
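Review bot: COPYING is a two-line placeholder here, yet the CMakeLists.txt, Makefile.am and moduleinfo.h headers in this same patch all point the reader to the GNU General Public License text; put the actual license text into COPYING rather than a comment whose only purpose is to keep the file non-empty. The same applies to AUTHORS (who wrote the plugin) and ChangeLog (what changed).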
Index: plugins/foo/ChangeLog
===================================================================
--- plugins/foo/ChangeLog (nonexistent)
+++ plugins/foo/ChangeLog (working copy)
@@ -0,0 +1,2 @@
+// @file ChangeLog
+// @note this file not allow empty
Index: plugins/foo/Makefile.am
===================================================================
--- plugins/foo/Makefile.am (nonexistent)
+++ plugins/foo/Makefile.am (working copy)
@@ -0,0 +1,68 @@
+# Makefile.am
+#
+# Wireshark - Network traffic analyzer
+# By Gerald Combs <gerald@wireshark.org>
+# Copyright 1998 Gerald Combs
+#
+# This program is free software; you can redistribute it and/or
+# modify it under the terms of the GNU General Public License
+# as published by the Free Software Foundation; either version 2
+# of the License, or (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, write to the Free Software
+# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+
+include $(top_srcdir)/Makefile.am.inc
+include ../Makefile.am.inc
+
+# the name of the plugin
+PLUGIN_NAME = foo
+
+# Non-generated sources to be scanned for registration routines
+NONGENERATED_REGISTER_C_FILES = \
+ packet-foo.c
+
+# Non-generated sources
+NONGENERATED_C_FILES = \
+ $(NONGENERATED_REGISTER_C_FILES)
+
+# Headers.
+CLEAN_HEADER_FILES = \
+ packet-foo.h
+
+HEADER_FILES = \
+ $(CLEAN_HEADER_FILES)
+
+plugin_LTLIBRARIES = foo.la
+
+foo_la_SOURCES = \
+ plugin.c \
+ moduleinfo.h \
+ $(SRC_FILES) \
+ $(HEADER_FILES)
+
+foo_la_CPPFLAGS = $(AM_CPPFLAGS) $(PLUGIN_CPPFLAGS)
+
+foo_la_CFLAGS = $(AM_CFLAGS) $(PLUGIN_CFLAGS)
+
+foo_la_LDFLAGS = $(PLUGIN_LDFLAGS)
+
+CLEANFILES = \
+ foo \
+ *~
+
+DISTCLEANFILES = \
+ plugin.c
+
+MAINTAINERCLEANFILES = \
+ Makefile.in
+
+EXTRA_DIST = \
+ plugin.rc.in \
+ CMakeLists.txt
Index: plugins/foo/moduleinfo.h
===================================================================
--- plugins/foo/moduleinfo.h (nonexistent)
+++ plugins/foo/moduleinfo.h (working copy)
@@ -0,0 +1,40 @@
+/* moduleinfo.h
+ *
+ * Module info header for wireshark plugins.
+ *
+ * Wireshark - Network traffic analyzer
+ * By Gerald Combs <gerald@wireshark.org>
+ * Copyright 1998 Gerald Combs
+ *
+ * This program is free software; you can redistribute it and/or
+ * modify it under the terms of the GNU General Public License
+ * as published by the Free Software Foundation; either version 2
+ * of the License, or (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program; if not, write to the Free Software
+ * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+ */
+
+/* Included *after* config.h, in order to re-define these macros */
+
+#ifdef PACKAGE
+#undef PACKAGE
+#endif
+
+/* Name of package */
+#define PACKAGE "foo"
+
+
+#ifdef VERSION
+#undef VERSION
+#endif
+
+/* Version number of package */
+#define VERSION "0.0.4"
+
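Review bot: VERSION is defined as "0.0.4" here and is what plugin.c exports as version[], while the CMakeLists.txt hunk declares the plugin version as set_module_info(foo 1 0 1 1); pick one value so the version Wireshark reports for the plugin does not depend on which build system produced it.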
Index: plugins/foo/packet-foo.c
===================================================================
--- plugins/foo/packet-foo.c (nonexistent)
+++ plugins/foo/packet-foo.c (working copy)
@@ -0,0 +1,41 @@
+// @file packet-foo.c
+// @ref http://www.dgtech.com/foo/sys/www/docs/html/
+
+#include "config.h"
+
+#include <epan/packet.h>
+#include <epan/prefs.h>
+#include <epan/dissectors/packet-tcp.h>
+#include "packet-foo.h"
+
+void proto_register_foo(void);
+void proto_reg_handoff_foo(void);
+
+#define foo_TCP_PORT 7000 /* Not IANA registed */
+
+static dissector_t dissect_foo = NULL;
+static int proto_foo = -1;
+
+void proto_register_foo(void)
+{
+ // first entry proto_register_foo
+ // then entry proto_reg_handoff_foo
+
+ module_t *foo_module = NULL;
+
+ proto_foo = proto_register_protocol("foo Protocol", "foo", "foo");
+ foo_module = prefs_register_protocol(proto_foo, NULL);
+
+ // @note
+ // when Decode as ... => foo => ok
+ // will be crash on call_dissector_through_handle
+ // please see wireshark\doc\README.dissector, add more code
+}
+
+void proto_reg_handoff_foo(void)
+{
+ dissector_handle_t foo_handle = NULL;
+
+ foo_handle = create_dissector_handle(dissect_foo, proto_foo);
+ dissector_add_uint_with_preference("tcp.port", foo_TCP_PORT, foo_handle);
+}
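Review bot: proto_reg_handoff_foo() passes dissect_foo, a dissector_t that is initialised to NULL and never assigned, to create_dissector_handle(), then binds that handle to tcp.port 7000. Every packet routed to the handle, whether through Decode As or simply because a capture contains traffic on TCP port 7000, reaches call_dissector_through_handle() and dereferences the NULL callback, so the crash is not limited to the Decode As path. Replace the variable with a real function before the handoff registers the handle; even a stub that rejects the packet is enough for the skeleton to be safe to load: `static int dissect_foo(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, void *data) { return 0; }`. Also, foo_module is assigned but never read, and CMakeLists.txt compiles this file with WERROR_COMMON_FLAGS, so drop the variable (or use the return of prefs_register_protocol()) rather than risk a warning turned into an error; the packet-tcp.h include is unused, and "registed" in the port comment should read "registered".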
Index: plugins/foo/packet-foo.h
===================================================================
--- plugins/foo/packet-foo.h (nonexistent)
+++ plugins/foo/packet-foo.h (working copy)
@@ -0,0 +1 @@
+// @file packet-foo.h
Index: plugins/foo/plugin.c
===================================================================
--- plugins/foo/plugin.c (nonexistent)
+++ plugins/foo/plugin.c (working copy)
@@ -0,0 +1,40 @@
+/*
+ * Do not modify this file. Changes will be overwritten.
+ *
+ * Generated automatically from ../../tools/make-dissector-reg.py.
+ */
+
+#include "config.h"
+
+#include <gmodule.h>
+
+#include "moduleinfo.h"
+
+/* plugins are DLLs */
+#define WS_BUILD_DLL
+#include "ws_symbol_export.h"
+
+#ifndef ENABLE_STATIC
+WS_DLL_PUBLIC_DEF void plugin_register (void);
+WS_DLL_PUBLIC_DEF const gchar version[] = VERSION;
+
+extern void proto_register_foo(void);
+
+/* Start the functions we need for the plugin stuff */
+
+WS_DLL_PUBLIC_DEF void
+plugin_register (void)
+{
+ proto_register_foo();
+}
+
+extern void proto_reg_handoff_foo(void);
+
+WS_DLL_PUBLIC_DEF void plugin_reg_handoff(void);
+
+WS_DLL_PUBLIC_DEF void
+plugin_reg_handoff(void)
+{
+ proto_reg_handoff_foo();
+}
+#endif
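Review bot: the header says this file is generated by tools/make-dissector-reg.py and must not be edited, and the patch itself treats it that way (plugins/foo/Makefile.am lists plugin.c under DISTCLEANFILES, plugins/foo/CMakeLists.txt regenerates it through register_dissector_files()), so checking a hand-copied snapshot into the patch is redundant and will be overwritten on the next build; either leave it out of the patch or mark it as a snapshot in the post.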
Index: plugins/foo/plugin.rc.in
===================================================================
--- plugins/foo/plugin.rc.in (nonexistent)
+++ plugins/foo/plugin.rc.in (working copy)
@@ -0,0 +1,34 @@
+#include "winver.h"
+
+VS_VERSION_INFO VERSIONINFO
+ FILEVERSION @RC_MODULE_VERSION@
+ PRODUCTVERSION @RC_VERSION@
+ FILEFLAGSMASK 0x0L
+#ifdef _DEBUG
+ FILEFLAGS VS_FF_DEBUG
+#else
+ FILEFLAGS 0
+#endif
+ FILEOS VOS_NT_WINDOWS32
+ FILETYPE VFT_DLL
+BEGIN
+ BLOCK "StringFileInfo"
+ BEGIN
+ BLOCK "040904b0"
+ BEGIN
+ VALUE "CompanyName", "The Wireshark developer community, http://www.wireshark.org/\0"
+ VALUE "FileDescription", "@PACKAGE@ dissector\0"
+ VALUE "FileVersion", "@MODULE_VERSION@\0"
+ VALUE "InternalName", "@PACKAGE@ @MODULE_VERSION@\0"
+ VALUE "LegalCopyright", "Copyright ?1998 Gerald Combs <gerald@wireshark.org>, Gilbert Ramirez <gram@alumni.rice.edu> and others\0"
+ VALUE "OriginalFilename", "@PLUGIN_NAME@.dll\0"
+ VALUE "ProductName", "Wireshark\0"
+ VALUE "ProductVersion", "@VERSION@\0"
+ VALUE "Comments", "Built with @MSVC_VARIANT@\0"
+ END
+ END
+ BLOCK "VarFileInfo"
+ BEGIN
+ VALUE "Translation", 0x409, 1200
+ END
+END
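Review bot: the LegalCopyright string reads "Copyright ?1998", where the template has the copyright sign; the character was lost when the file was copied or saved in a different code page. Restore it or write "(c)" so the resource compiler does not bake a literal question mark into the DLL's version information.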
Index: plugins/Makefile.am
===================================================================
--- plugins/Makefile.am (revision 1)
+++ plugins/Makefile.am (working copy)
@@ -25,6 +25,7 @@
docsis \
easy_codec \
ethercat \
+ foo \
gryphon \
irda \
m2m \
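Before rebuilding, a small pre-build check catches the issues that surfaced in this experiment: a required file left empty, the plugin version differing between set_module_info() in CMakeLists.txt and VERSION in moduleinfo.h, and a dissector handle created from a NULL dissector_t. This is an added example, not part of the original post or of Wireshark; it runs over a constructed in-memory copy of the plugins/foo files rather than the real directory, and the file checks are plain regular expressions, not a C parser.

```python
"""Pre-build sanity check for a Wireshark plugin skeleton such as plugins/foo.

Checks the three things that bit the experiment on this page: required
files that are empty, a plugin version that differs between the CMake and
moduleinfo.h sides, and a dissector handle created from a NULL dissector_t.
"""
import re

# Files that plugins/foo carries in the listing above; the post notes that
# AUTHORS, COPYING and ChangeLog must not be empty.
REQUIRED_FILES = ("AUTHORS", "COPYING", "ChangeLog", "CMakeLists.txt",
                  "Makefile.am", "moduleinfo.h", "plugin.rc.in", "packet-foo.c")

# Constructed stand-in for the plugin directory: only the lines the checks
# look at, with ChangeLog deliberately emptied to exercise that check.
FOO_PLUGIN = {
    "AUTHORS": "// @file AUTHORS\n",
    "COPYING": "// @file COPYING\n",
    "ChangeLog": "",
    "CMakeLists.txt": "include(WiresharkPlugin)\nset_module_info(foo 1 0 1 1)\n",
    "Makefile.am": "PLUGIN_NAME = foo\n",
    "moduleinfo.h": '#define PACKAGE "foo"\n#define VERSION "0.0.4"\n',
    "plugin.rc.in": "VS_VERSION_INFO VERSIONINFO\n",
    "packet-foo.c": (
        "static dissector_t dissect_foo = NULL;\n"
        "static int proto_foo = -1;\n"
        "foo_handle = create_dissector_handle(dissect_foo, proto_foo);\n"
    ),
}


def check_required_files(files):
    """Report required files that are missing or contain only whitespace."""
    problems = []
    for name in REQUIRED_FILES:
        if name not in files:
            problems.append(f"{name}: missing")
        elif not files[name].strip():
            problems.append(f"{name}: empty")
    return problems


def check_version_consistency(files):
    """set_module_info(name major minor micro extra) in CMakeLists.txt and
    #define VERSION "..." in moduleinfo.h (exported by plugin.c as version[])
    should describe the same plugin version."""
    cmake = re.search(r"set_module_info\(\s*\w+\s+(\d+)\s+(\d+)\s+(\d+)\s+(\d+)\s*\)",
                      files.get("CMakeLists.txt", ""))
    header = re.search(r'#define\s+VERSION\s+"([^"]+)"', files.get("moduleinfo.h", ""))
    if cmake is None or header is None:
        return ["version: set_module_info() or VERSION define not found"]
    cmake_version = ".".join(cmake.groups())
    if cmake_version != header.group(1):
        return [f"version: CMake set_module_info says {cmake_version}, "
                f"moduleinfo.h VERSION says {header.group(1)}"]
    return []


def check_null_dissector(source):
    """Flag dissector_t variables initialised to NULL that are then passed to
    create_dissector_handle(): Wireshark calls handle->dissector without a
    NULL check, so the first packet routed to that handle crashes it."""
    null_vars = set(re.findall(r"\bdissector_t\s+(\w+)\s*=\s*NULL\s*;", source))
    return [f"create_dissector_handle() given NULL dissector '{name}'"
            for name in re.findall(r"create_dissector_handle\(\s*(\w+)\s*,", source)
            if name in null_vars]


def lint_plugin(files):
    """Run all checks over a {filename: content} map and return the findings."""
    return (check_required_files(files)
            + check_version_consistency(files)
            + check_null_dissector(files.get("packet-foo.c", "")))


if __name__ == "__main__":
    for finding in lint_plugin(FOO_PLUGIN):
        print(finding)
```

To run it against a real checkout, build the dictionary by reading each file under plugins/foo; the checks themselves need no Wireshark headers.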
Build the whole Wireshark solution
Delete the contents of C:\Development\wsbuild32 and rebuild.
wireshark 2.4.2
open vs2015 cmd line
cd c:\Development
call env.bat
cd wsbuild32
cmake -DENABLE_CHM_GUIDES=on -G "Visual Studio 14 2015 Win64" ..\wireshark
@echo off
rem @file env.bat
rem Let CMake determine the library download directory name under
rem WIRESHARK_BASE_DIR or set it explicitly by using WIRESHARK_LIB_DIR.
rem Set *one* of these.
set WIRESHARK_BASE_DIR=C:\Development
rem set WIRESHARK_LIB_DIR=c:\wireshark-win64-libs
rem Set the Qt installation directory
rem set QT5_BASE_DIR=C:\Qt\5.9.1\msvc2015_64
set QT5_BASE_DIR=C:\Qt\Qt5.9.3\5.9.3\msvc2015_64
rem Append a custom string to the package version. Optional.
set WIRESHARK_VERSION_EXTRA=-LsBuild
rem Chocolatey installs Cygwin in an odd location
rem set WIRESHARK_CYGWIN_INSTALL_PATH=C:\ProgramData\chocolatey\lib\Cygwin\tools\cygwin
set WIRESHARK_CYGWIN_INSTALL_PATH=C:\cygwin64
Open C:\Development\wsbuild32\Wireshark.sln and run the ALL_BUILD project first; it builds or copies all dependent DLLs into C:\Development\wsbuild32\run. Otherwise, even after wireshark builds, it will not start because runtime DLLs are missing.
Then build the Wireshark project and the foo plugin project. Once both build, set a breakpoint in the foo project, start the wireshark project, capture anything, and on a packet of some application-layer protocol above TCP right-click => Decode As ... => select that protocol's port (it must be a specific protocol, not tcp) + the foo protocol => OK; now the foo plugin code can be debugged.
Because too little code was added, Decode As foo crashes (the dissector pointer at the crash site is NULL), which is exactly the cue to continue with wireshark\doc\README.dissector for the follow-up experiments: packet analysis and UI display.
If an experiment went completely smoothly with no detours, it would be no fun :)
Where the plugin project lives
When first looking at the Wireshark solution there are so many sub-projects that it took a while to find where the plugin project sits.
The initial plugin code added
// @file packet-foo.c
// @ref http://www.dgtech.com/foo/sys/www/docs/html/

#include "config.h"

#include <epan/packet.h>
#include <epan/prefs.h>
#include <epan/dissectors/packet-tcp.h>
#include "packet-foo.h"

void proto_register_foo(void);
void proto_reg_handoff_foo(void);

#define foo_TCP_PORT 7000 /* Not IANA registered */

/* Deliberately still NULL at this stage: no dissect function exists yet,
 * so the handle created in proto_reg_handoff_foo() has no callback. */
static dissector_t dissect_foo = NULL;
static int proto_foo = -1;

void proto_register_foo(void)
{
    // Wireshark calls proto_register_foo first,
    // then proto_reg_handoff_foo

    module_t *foo_module = NULL;

    proto_foo = proto_register_protocol("foo Protocol", "foo", "foo");
    foo_module = prefs_register_protocol(proto_foo, NULL);

    // @note
    // Decode As ... => foo => OK
    // crashes in call_dissector_through_handle;
    // see wireshark\doc\README.dissector and add more code
}

void proto_reg_handoff_foo(void)
{
    dissector_handle_t foo_handle = NULL;

    foo_handle = create_dissector_handle(dissect_foo, proto_foo);
    dissector_add_uint_with_preference("tcp.port", foo_TCP_PORT, foo_handle);
}
/*
 * Do not modify this file. Changes will be overwritten.
 *
 * Generated automatically from C:\Development\wireshark\tools\make-dissector-reg.py.
 */

#include "config.h"

#include <gmodule.h>

#include "moduleinfo.h"

/* plugins are DLLs */
#define WS_BUILD_DLL
#include "ws_symbol_export.h"

#ifndef ENABLE_STATIC
WS_DLL_PUBLIC_DEF void plugin_register (void);
WS_DLL_PUBLIC_DEF const gchar version[] = VERSION;

extern void proto_register_foo(void);

/* Start the functions we need for the plugin stuff */

WS_DLL_PUBLIC_DEF void
plugin_register (void)
{
    proto_register_foo();
}

extern void proto_reg_handoff_foo(void);

WS_DLL_PUBLIC_DEF void plugin_reg_handoff(void);

WS_DLL_PUBLIC_DEF void
plugin_reg_handoff(void)
{
    proto_reg_handoff_foo();
}
#endif