Writing Wireshark Lua plugins

Wireshark already dissects thousands of protocols, but if you need it to dissect a protocol of your own there are two ways to do it:
1. Develop the dissector in C

  • Build it into Wireshark (built-in): modify the makefile and rebuild Wireshark
  • Build it as a plugin: a *.dll on Windows or a *.so on Linux, placed under *\plugins\3.x\epan in the Wireshark installation directory

2. Develop the plugin in Lua

Because Lua is the simpler language to develop in, this article writes the plugin in Lua, and it ends with an example that dissects the AUTOSAR UpperTester protocol.

  • Template

local xxx_protocol = Proto("XXX",  "XXX Protocol")

-- one ProtoField per header field: (filter name, display name, base, optional value table)
local field1 = ProtoField.uint16("xxx.field1", "field 1", base.DEC)
local field2 = ProtoField.uint16("xxx.field2", "field 2", base.DEC)
...
xxx_protocol.fields = { field1, field2, ... }

function xxx_protocol.dissector(buffer, pinfo, tree)
  local length = buffer:len()
  if length == 0 then return end
  -- add the protocol subtree and the fields to the tree here
end

-- register the dissector on the UDP port the protocol uses
local udp_port = DissectorTable.get("udp.port")
udp_port:add(xxx, xxx_protocol)
  • UpperTester example

-- created by shawn

ut_protocol = Proto("UT",  "UpperTester Protocol")

-- value tables for the group, message type and result fields
local gid = {[0]="GENERAL",[1]="UDP",[2]="TCP",[3]="ICMP",[5]="IP",[7]="DHCP",[9]="ARP"}
local type_id = {[0]="Request",[0x80]="Response",[2]="Event"}
local result_id = {[0x00]="E_OK",
                   [0x01]="E_NOK",
                   [0xFF]="The requested service primitive was not found",
                   [0xFE]="The Upper Tester or a service primitive is pending",
                   [0xFD]="Insufficient buffer size",
                   [0xFC]="Invalid Input or Parameter",
                   [0xEF]="Invalid socket ID",
                   [0xEE]="Unable to create socket or no free socket",
                   [0xED]="Unable to bind socket, port taken",
                   [0xEC]="Invalid network or virtual interface",
                   [0xEB]="precedence not allowed",
                   [0xEA]="foreign socket unspecified",
                   [0xE9]="connection illegal for this process",
                   [0xE8]="insufficient resources",
                   [0xE7]="connection already exists",
                   [0xE6]="connection closing",
                   [0xE5]="connection does not exist",
                   [0xE4]="connection reset",
                   [0xE3]="connection aborted due to user timeout",
                   [0xE2]="connection refused",
                  }

-- header fields: filter name, display name, base, optional value table
service_id = ProtoField.uint16("ut.service_id", "service id", base.HEX)
group_id = ProtoField.uint8("ut.group_id", "group id", base.DEC, gid)
service_primitive_id = ProtoField.uint8("ut.service_primitive_id", "service_primitive_id", base.DEC)
len = ProtoField.uint32("ut.LEN", "Length", base.DEC)
pv  = ProtoField.uint8("ut.pv", "Protocol Version", base.DEC)   -- one byte on the wire
iv  = ProtoField.uint8("ut.iv", "Interface Version", base.DEC)  -- one byte on the wire
tid = ProtoField.uint8("ut.tid", "message type id", base.HEX, type_id)
rid = ProtoField.uint8("ut.rid", "result id", base.DEC, result_id)
dat = ProtoField.bytes("ut.dat", "parameter data", base.SPACE)

ut_protocol.fields = { service_id, group_id, service_primitive_id, len, pv, iv, tid, rid, dat }

function ut_protocol.dissector(buffer, pinfo, tree)
  local length = buffer:len()
  if length == 0 then return end
  -- the fixed header is 16 bytes; do not index past the end of a truncated datagram
  if length < 16 then return end

  pinfo.cols.protocol = ut_protocol.name
  local offset = 0
  local subtree = tree:add(ut_protocol, buffer(), "UpperTester Protocol Data")

  subtree:add(service_id, buffer(offset, 2))
  offset = offset + 2
  subtree:add(group_id, buffer(offset, 1))
  offset = offset + 1
  subtree:add(service_primitive_id, buffer(offset, 1))
  offset = offset + 1
  subtree:add(len, buffer(offset, 4))
  offset = offset + 8   -- 4 bytes of Length plus 4 bytes this dissector does not display
  subtree:add(pv, buffer(offset, 1))
  offset = offset + 1
  subtree:add(iv, buffer(offset, 1))
  offset = offset + 1
  subtree:add(tid, buffer(offset, 1))
  offset = offset + 1
  subtree:add(rid, buffer(offset, 1))
  offset = offset + 1
  -- everything after the 16-byte header is parameter data
  if length > 16 then
    subtree:add(dat, buffer(offset, length - 16))
  end
end

local udp_port = DissectorTable.get("udp.port")
udp_port:add(10000, ut_protocol)
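The template and the UpperTester dissector above both trust the datagram to be well formed. The following is an added example, not code from the post or from any AUTOSAR tool: a hardened variant of the same dissector that checks the 16-byte header before indexing into it, cross-checks the declared Length against what was captured, flags codes missing from the value tables through Wireshark expert info, fills the Info column, and makes the UDP port a preference. The layout, field names, value tables and port 10000 follow the post; the "UTH"/"uth." names, the "Request ID" label for bytes 8..11, the Length semantics and the preference handling are assumptions made for this example.

```lua
-- Added example (not from the original post): hardened UpperTester dissector.
-- Layout, field names and port 10000 follow the post; expert info, the
-- "Request ID" name for bytes 8..11, the Length semantics and the port
-- preference are assumptions.
local ut_hardened = Proto("UTH", "UpperTester Protocol (hardened)")

local gid       = {[0]="GENERAL",[1]="UDP",[2]="TCP",[3]="ICMP",[5]="IP",[7]="DHCP",[9]="ARP"}
local type_id   = {[0]="Request",[0x80]="Response",[2]="Event"}
local result_id = {[0x00]="E_OK",[0x01]="E_NOK",[0xFC]="Invalid Input or Parameter"} -- abridged; the post's full table drops in here

local f = {
  service_id = ProtoField.uint16("uth.service_id", "Service ID",           base.HEX),
  group_id   = ProtoField.uint8 ("uth.group_id",   "Group ID",             base.DEC, gid),
  sp_id      = ProtoField.uint8 ("uth.sp_id",      "Service Primitive ID", base.DEC),
  len        = ProtoField.uint32("uth.len",        "Length",               base.DEC),
  req_id     = ProtoField.uint32("uth.req_id",     "Request ID",           base.HEX), -- assumed name for bytes 8..11
  pv         = ProtoField.uint8 ("uth.pv",         "Protocol Version",     base.DEC),
  iv         = ProtoField.uint8 ("uth.iv",         "Interface Version",    base.DEC),
  tid        = ProtoField.uint8 ("uth.tid",        "Message Type",         base.HEX, type_id),
  rid        = ProtoField.uint8 ("uth.rid",        "Result ID",            base.DEC, result_id),
  dat        = ProtoField.bytes ("uth.dat",        "Parameter Data",       base.SPACE),
}
ut_hardened.fields = f

-- Expert items show parser findings in Analyze > Expert Information and as
-- filterable fields, instead of a bare "Lua Error" line in the tree.
local ef_short   = ProtoExpert.new("uth.short",   "Datagram shorter than the 16-byte header",
                                   expert.group.MALFORMED, expert.severity.ERROR)
local ef_badlen  = ProtoExpert.new("uth.badlen",  "Length field disagrees with captured bytes",
                                   expert.group.MALFORMED, expert.severity.WARN)
local ef_unknown = ProtoExpert.new("uth.unknown", "Code not present in the value table",
                                   expert.group.UNDECODED, expert.severity.NOTE)
ut_hardened.experts = { ef_short, ef_badlen, ef_unknown }

local HDR_LEN = 16

function ut_hardened.dissector(buffer, pinfo, tree)
  local length = buffer:len()
  if length == 0 then return 0 end
  pinfo.cols.protocol = ut_hardened.name
  local subtree = tree:add(ut_hardened, buffer(), "UpperTester Protocol Data")

  -- Bounds check first: buffer(offset, n) past the end raises a Lua error,
  -- so a truncated datagram is reported and the dissector returns cleanly.
  if length < HDR_LEN then
    subtree:add_proto_expert_info(ef_short)
    return length
  end

  subtree:add(f.service_id, buffer(0, 2))
  local grp = buffer(2, 1):uint()
  subtree:add(f.group_id, buffer(2, 1))
  local sp = buffer(3, 1):uint()
  subtree:add(f.sp_id, buffer(3, 1))
  local len_item = subtree:add(f.len, buffer(4, 4))
  subtree:add(f.req_id, buffer(8, 4))
  subtree:add(f.pv, buffer(12, 1))
  subtree:add(f.iv, buffer(13, 1))
  local t = buffer(14, 1):uint()
  local tid_item = subtree:add(f.tid, buffer(14, 1))
  local r = buffer(15, 1):uint()
  local rid_item = subtree:add(f.rid, buffer(15, 1))

  -- Assumption: as in a SOME/IP header, Length counts every byte after the
  -- Length field itself (8 header bytes plus the parameter data). A declared
  -- length that is used without this comparison is how dissectors end up
  -- reading past the packet.
  local declared = buffer(4, 4):uint()
  if declared ~= length - 8 then
    len_item:add_proto_expert_info(ef_badlen,
      string.format("declared %d bytes, captured %d", declared, length - 8))
  end
  if type_id[t] == nil then tid_item:add_proto_expert_info(ef_unknown) end
  if result_id[r] == nil then rid_item:add_proto_expert_info(ef_unknown) end

  if length > HDR_LEN then
    subtree:add(f.dat, buffer(HDR_LEN, length - HDR_LEN))
  end

  -- One-line summary in the Info column so the packet list is readable
  -- without opening every packet.
  pinfo.cols.info = string.format("%s %s/%d result=%s",
    type_id[t] or string.format("type 0x%02x", t),
    gid[grp] or string.format("group %d", grp), sp,
    result_id[r] or string.format("0x%02x", r))
  return length
end

-- UDP port as a preference (Edit > Preferences > Protocols > UTH) rather
-- than a hard-coded constant; re-register when the user changes it.
ut_hardened.prefs.port = Pref.uint("UDP port", 10000, "UDP port carrying UpperTester traffic")
local udp_table = DissectorTable.get("udp.port")
local current_port = ut_hardened.prefs.port
udp_table:add(current_port, ut_hardened)

function ut_hardened.prefs_changed()
  if ut_hardened.prefs.port ~= current_port then
    udp_table:remove(current_port, ut_hardened)
    current_port = ut_hardened.prefs.port
    udp_table:add(current_port, ut_hardened)
  end
end
```

Load it the same way as the post's script. Packets that trip a check can then be found with display filters such as uth.badlen or uth.short, which is the quickest way to spot a peer sending inconsistent length fields in a large capture.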

  • Loading in Wireshark

      1. Put the finished xxx.lua in the directory that contains wireshark.exe
      2. Edit init.lua in the wireshark.exe directory

        -- change to true
        enable_lua = true
        -- append as the last line
        dofile("xxx.lua")

      3. Analyze ===> Reload Lua Plugins