wireshark源码探索No.1---编译，调试，阅读

最新推荐文章于 2024-08-08 08:29:44 发布

timebomb

最新推荐文章于 2024-08-08 08:29:44 发布

阅读量7.2k

点赞数 2

分类专栏： wireshark learning 文章标签： wireshark 源码网络安全

本文链接：https://blog.csdn.net/timebomb/article/details/72851810

版权

wireshark learning 专栏收录该内容

5 篇文章 5 订阅

订阅专栏

每一个做过网络安全的工程师，都对wireshark有很深的感情，市面上也充斥各种wireshark的培训手册，手把手练习博文，但是真正面向开发者，面向developer的博文却少的可怜，CSDN仅有的几篇博文，内容虽然也很有价值，但是是站在一个程序的角度去剖析代码，内容并非每个开发者想要的内容。
最近一直在看这方面的资料，也有一些自己的心得，所以想从一个开发者的角度，去了解wireshark，将wireshark的经典内容介绍出来，以给更多的人去了解这个利器。

我的学习习惯是要想了解一份开源软件，首先down下代码，编译通过，熟悉使用方法，再去从代码角度了解会有事半功倍的效果。否则直接拿出代码来啃，可能会将自己陷入到一个个的坑中。所以wireshark的了解，也从编译开始：

1、编译

（编译环境建议大家还是在linux里面更容易，毕竟网络安全开发基本都是在Linux里面搞的）

down下源代码，这不不比多说，https://www.wireshark.org/
解压源码，tar jxvf wireshark-2.2.6.tar.bz2
瞅瞅INSTALL文件，咋编译，./configure;make;make install就这么简单？

最好./configure -h看看大概的编译选项，比如看到--enable-wireshark build the Wireshark GUI (with Gtk+, Qt, or both)，说明是可以开启wireshark编译的，但是wireshark的GUI版本我们并不需要（自己安装一个就好了，非要去编译干嘛），那不编译wireshark我们怎么调试呢？
tshark！了解代码用它就足够了
所以编译选项直接./configure --disable-wireshark即可，中间可能会有检查一些内容不通过，一般都是缺少开发库啥的，自行安装即可。最后大概如下：
这里写图片描述

然后make，漫长的编译过程结束后（要多长有多长，你的有多长，可以留言下让我嫉妒嫉妒），就可以在本地看到一个tshark程序了，这个时候一个坑就来了。

2、调试坑

当你使用gdb tshark调试的时候，会出现不能调试的问题，google一下，可能你会找到https://unix.stackexchange.com/questions/86342/tshark-not-running-via-gdb这里的介绍，说加个libtool –mode=execute gdb ./tshark就好了，但是真正调试的时候会有各种奇怪的问题。其实这就是上面说的那个坑。

这里tshark仅仅是一个shell脚本，他会调用真正的tshark程序，那真正的程序在哪里呢？find一下，就在.libs下面，但是你调试它的时候又显示各种so库不存在。所以最好编译完以后make install一下，让各个so库归位，便于你调试，只要ldd tshark显示各个库都能找到就行了。

因为环境不尽相同，可能你即使make install也没有找到，可能是环境变量没有生效，ldconfig一下就差不多了。

3、再调试

调试我们以ftp协议为例，（ftp协议代码比较简单，且包含内容比较多，后续都以他为例）

gdb .libs/tshark
b dissect_ftp
r -r ftp.cap
bt

bt后就会显示出所有的调用关系来：

ftp调用关系图

#0  dissect_ftp (tvb=0xa32ed0, pinfo=0xb42418, tree=0x0, data=0x7fffffffcd50) at packet-ftp.c:516

#1  0x00007ffff447a0ef in call_dissector_through_handle (handle=0x7fffe5ea0a40, handle=0x7fffe5ea0a40, data=0x7fffffffcd50, tree=0x0, pinfo=0xb42418, tvb=0xa32ed0) at packet.c:648
#2  call_dissector_work (handle=0x7fffe5ea0a40, tvb=0xa32ed0, pinfo_arg=0xb42418, tree=0x0, add_proto_name=<optimized out>, data=0x7fffffffcd50) at packet.c:723
#3  0x00007ffff447a7dc in dissector_try_uint_new (sub_dissectors=<optimized out>, uint_val=21, tvb=tvb@entry=0xa32ed0, pinfo=pinfo@entry=0xb42418, tree=tree@entry=0x0, add_proto_name=add_proto_name@entry=1, data=data@entry=0x7fffffffcd50) at packet.c:1188

#4  0x00007ffff4c3078c in decode_tcp_ports (tvb=tvb@entry=0xa32f20, offset=<optimized out>, pinfo=pinfo@entry=0xb42418, tree=tree@entry=0x0, src_port=src_port@entry=21, dst_port=dst_port@entry=3526,   tcpd=tcpd@entry=0x7fffe4034770, tcpinfo=tcpinfo@entry=0x7fffffffcd50) at packet-tcp.c:5250
#5  0x00007ffff4c30b23 in process_tcp_payload (tvb=tvb@entry=0xa32f20, offset=offset@entry=20, pinfo=pinfo@entry=0xb42418, tree=tree@entry=0x0, tcp_tree=tcp_tree@entry=0x0, src_port=src_port@entry=21, dst_port=dst_port@entry=3526, seq=seq@entry=0, nxtseq=nxtseq@entry=0, is_tcp_segment=is_tcp_segment@entry=0, tcpd=tcpd@entry=0x7fffe4034770, tcpinfo=tcpinfo@entry=0x7fffffffcd50) at packet-tcp.c:5322
#6  0x00007ffff4c31117 in desegment_tcp (tcpinfo=0x7fffffffcd50, tcpd=0x7fffe4034770, tcp_tree=0x0, tree=0x0, dport=3526, sport=21, nxtseq=69, seq=1, offset=20, pinfo=0xb42418, tvb=0xa32f20)    at packet-tcp.c:2865
#7  dissect_tcp_payload (tvb=tvb@entry=0xa32f20, pinfo=pinfo@entry=0xb42418, offset=offset@entry=20, seq=<optimized out>, nxtseq=nxtseq@entry=69, sport=21, dport=3526, tree=tree@entry=0x0,     tcp_tree=tcp_tree@entry=0x0, tcpd=tcpd@entry=0x7fffe4034770, tcpinfo=tcpinfo@entry=0x7fffffffcd50) at packet-tcp.c:5389
#8  0x00007ffff4c32c26 in dissect_tcp (tvb=0xa32f20, pinfo=<optimized out>, tree=0x0, data=<optimized out>) at packet-tcp.c:6273

#9  0x00007ffff447a0ef in call_dissector_through_handle (handle=0x7fffe5fa3570, handle=0x7fffe5fa3570, data=0x7fffe3e32030, tree=0x0, pinfo=0xb42418, tvb=0xa32f20) at packet.c:648
#10 call_dissector_work (handle=0x7fffe5fa3570, tvb=0xa32f20, pinfo_arg=0xb42418, tree=0x0, add_proto_name=<optimized out>, data=0x7fffe3e32030) at packet.c:723
#11 0x00007ffff447a7dc in dissector_try_uint_new (sub_dissectors=<optimized out>, uint_val=6, tvb=tvb@entry=0xa32f20, pinfo=pinfo@entry=0xb42418, tree=tree@entry=0x0, add_proto_name=add_proto_name@entry=1,     data=data@entry=0x7fffe3e32030) at packet.c:1188

#12 0x00007ffff488273e in ip_try_dissect (heur_first=<optimized out>, tvb=tvb@entry=0xa32f20, pinfo=pinfo@entry=0xb42418, tree=tree@entry=0x0, iph=iph@entry=0x7fffe3e32030) at packet-ip.c:1976
#13 0x00007ffff488381e in dissect_ip_v4 (tvb=0xa32f70, pinfo=<optimized out>, parent_tree=0x0, data=<optimized out>) at packet-ip.c:2438

#14 0x00007ffff447a0ef in call_dissector_through_handle (handle=0x7fffe4880f60, handle=0x7fffe4880f60, data=0x0, tree=0x0, pinfo=0xb42418, tvb=0xa32f70) at packet.c:648
#15 call_dissector_work (handle=0x7fffe4880f60, tvb=0xa32f70, pinfo_arg=0xb42418, tree=0x0, add_proto_name=<optimized out>, data=0x0) at packet.c:723
#16 0x00007ffff447a7dc in dissector_try_uint_new (sub_dissectors=<optimized out>, uint_val=2048, tvb=0xa32f70, pinfo=pinfo@entry=0xb42418, tree=tree@entry=0x0, add_proto_name=add_proto_name@entry=1,     data=data@entry=0x0) at packet.c:1188
#17 0x00007ffff447a827 in dissector_try_uint (sub_dissectors=<optimized out>, uint_val=<optimized out>, tvb=<optimized out>, pinfo=pinfo@entry=0xb42418, tree=tree@entry=0x0) at packet.c:1214

#18 0x00007ffff4747123 in dissect_ethertype (tvb=0xb42000, pinfo=0xb42418, tree=0x0, data=0x7fffffffd300) at packet-ethertype.c:262

#19 0x00007ffff447a0ef in call_dissector_through_handle (handle=0x7fffe5ea01f0, handle=0x7fffe5ea01f0, data=0x7fffffffd300, tree=0x0, pinfo=0xb42418, tvb=0xb42000) at packet.c:648
#20 call_dissector_work (handle=0x7fffe5ea01f0, tvb=0xb42000, pinfo_arg=0xb42418, tree=0x0, add_proto_name=<optimized out>, data=0x7fffffffd300) at packet.c:723
#21 0x00007ffff447b9e2 in call_dissector_with_data (handle=<optimized out>, tvb=tvb@entry=0xb42000, pinfo=pinfo@entry=0xb42418, tree=tree@entry=0x0, data=data@entry=0x7fffffffd300) at packet.c:2816

#22 0x00007ffff4745a61 in dissect_eth_common (tvb=tvb@entry=0xb42000, pinfo=pinfo@entry=0xb42418, parent_tree=parent_tree@entry=0x0, fcs_len=0) at packet-eth.c:539
#23 0x00007ffff47465c1 in dissect_eth (tvb=0xb42000, pinfo=0xb42418, tree=0x0, data=0xb1bd28) at packet-eth.c:803

#24 0x00007ffff447a0ef in call_dissector_through_handle (handle=0x7fffe4864dd0, handle=0x7fffe4864dd0, data=0xb1bd28, tree=0x0, pinfo=0xb42418, tvb=0xb42000) at packet.c:648
#25 call_dissector_work (handle=0x7fffe4864dd0, tvb=0xb42000, pinfo_arg=0xb42418, tree=0x0, add_proto_name=<optimized out>, data=0xb1bd28) at packet.c:723
#26 0x00007ffff447a7dc in dissector_try_uint_new (sub_dissectors=<optimized out>, uint_val=1, tvb=tvb@entry=0xb42000, pinfo=pinfo@entry=0xb42418, tree=tree@entry=0x0, add_proto_name=add_proto_name@entry=1,     data=0xb1bd28) at packet.c:1188

#27 0x00007ffff4777914 in dissect_frame (tvb=0xb42000, pinfo=0xb42418, parent_tree=0x0, data=0x7fffffffd710) at packet-frame.c:507

#28 0x00007ffff447a0ef in call_dissector_through_handle (handle=0x7fffe5ea49d0, handle=0x7fffe5ea49d0, data=0x7fffffffd710, tree=0x0, pinfo=0xb42418, tvb=0xb42000) at packet.c:648
#29 call_dissector_work (handle=0x7fffe5ea49d0, tvb=0xb42000, pinfo_arg=0xb42418, tree=0x0, add_proto_name=<optimized out>, data=0x7fffffffd710) at packet.c:723
    ****call_dissector_with_data(frame_handle,...)中的frame_handle是在epan_init中的packet_cache_proto_handles函数中，拿到的"frame"名称的解析器，实际指向的就是dissect_frame函数
#30 0x00007ffff447b9e2 in call_dissector_with_data (handle=<optimized out>, tvb=0xb42000, pinfo=0xb42418, tree=0x0, data=<optimized out>) at packet.c:2816
#31 0x00007ffff447bef6 in dissect_record (edt=edt@entry=0xb42400, file_type_subtype=file_type_subtype@entry=32, phdr=phdr@entry=0xb1bcc0, tvb=tvb@entry=0xb42000, fd=fd@entry=0x7fffffffd8d0,     cinfo=cinfo@entry=0x641140 <cfile+544>) at packet.c:531

#32 0x00007ffff4471884 in epan_dissect_run_with_taps (edt=edt@entry=0xb42400, file_type_subtype=32, phdr=phdr@entry=0xb1bcc0, tvb=0xb42000, fd=fd@entry=0x7fffffffd8d0, cinfo=cinfo@entry=0x641140 <cfile+544>)    at epan.c:378
#33 0x0000000000416994 in process_packet (cf=cf@entry=0x640f20 <cfile>, edt=edt@entry=0xb42400, offset=<optimized out>, whdr=0xb1bcc0, pd=pd@entry=0xb1cf50 "", tap_flags=tap_flags@entry=0) at tshark.c:3440
#34 0x000000000040e67f in load_cap_file (cf=0x640f20 <cfile>, max_byte_count=<optimized out>, max_packet_count=<optimized out>, out_file_name_res=<optimized out>, out_file_type=<optimized out>, save_file=0x0)    at tshark.c:3196
#35 main (argc=<optimized out>, argv=<optimized out>) at tshark.c:1896

看到整个调用关系还是比较复杂的，调用层数比较多，但是随着我们后续的分析会逐渐明朗起来。至此，我们的基本环境已经搭建出来，下一篇文章我们不讲代码，讲讲wireshark的文档，也许会有更大的收获。

4、阅读器

一开始我使用的source insight 3.5作为代码阅读器，但是后来逐渐发现它对一些大的宏定义有兼容问题，例如wireshark中的TRY、ENDTRY、CATCH(x)这些宏定义识别有问题，导致代码阅读出现问题。
后续我迁移到source insight 4.0，大部分没有问题，但是还是会有些许识别问题。
最后改用vim，发现正常了许多。。。

建议大家如果单纯阅读，毕竟vim还是有一些学习成本，直接拿SI 4.0看就好了，影响不会太大，假设强迫症没有那么严重的话。。。