Getting the HTTP payload when writing a chained Wireshark Lua HTTP dissector
My protocol is based on HTTP, and I need a dissector to analyze the HTTP payload. How can I get the HTTP payload inside the dissector function?

The chained dissector looks like this:

```lua
local p_MM = Proto("mm", "My HTTP-based protocol")
local original_http_dissector = DissectorTable.get("tcp.port"):get_dissector(80)

local function my_dissector(buf, pkt, root)
    -- 'buf' here contains all tcp data,
    -- including the http header
    -- How to get the http payload only (skip http header)?
    local b = buf
end

function p_MM.dissector(buf, pkt, root)
    if original_http_dissector:call(buf, pkt, root) then
        my_dissector(buf, pkt, root)
    end
end

DissectorTable.get("tcp.port"):add(80, p_MM)
```
I had some trouble trying to do something similar. The following (based on http_extra at https://wiki.wireshark.org/Lua/Dissector) puts the HTTP content in a new data tab, then does some very basic processing (XOR with 0xA5, which is a bit of a pain) and shows the result in a second tab.

```lua
do
    local http_proto = Proto("http_extra", "Further process HTTP traffic")
    -- http.file_data is filled in by the HTTP dissector once it has run
    local f_http_data = Field.new("http.file_data")
    local original_http_dissector

    -- simple function to XOR data against 0xA5 to show some processing
    -- it turns out it's actually quite hard to reconstruct a tvb for display
    -- as you need it in hex string format
    function xorf(data)
        data = data:raw()          -- ByteArray -> plain Lua string
        local d = {}
        for i = 1, data:len() do
            local x = bit32.bxor(data:byte(i), 0xA5)
            local c = string.format("%02x", x)
            table.insert(d, c)
        end
        return table.concat(d, "") -- hex string, which is what ByteArray.new() expects
    end

    function http_proto.dissector(tvbuffer, pinfo, treeitem)
        -- we've replaced the original http dissector in the
        -- dissector table, but we still want the original to run,
        -- especially because we need to read its data
        original_http_dissector:call(tvbuffer, pinfo, treeitem)
        -- validate packet length is adequate, otherwise quit
        if tvbuffer:len() == 0 then return end
        local a = f_http_data()    -- first FieldInfo, or nil if this packet has no body
        if a then
            -- get the (whole) subset as a tvbrange
            -- (fieldinfo.range is an attribute, not a method)
            local tvbrange = a.range
            -- get a ByteArray composed of the bytes in the TvbRange
            local data = tvbrange:bytes()
            -- create a new tab
            local tvc = data:tvb("http.file_data")
            -- process the http.file_data to change it
            local tvy = ByteArray.new(xorf(data)):tvb("xor'ed")
        end
    end

    local tcp_dissector_table = DissectorTable.get("tcp.port")
    -- save the original dissector so we can still get to it
    original_http_dissector = tcp_dissector_table:get_dissector(443)
    -- and take its place in the dissector table
    tcp_dissector_table:add(443, http_proto)
end
```
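As an added example (not the asker's, the answerer's, or the Wireshark wiki's code), here is the same chaining idea carried through to a full dissector: the stock HTTP dissector runs first, the `http.file_data` field is read back, and its range is turned into a body-only Tvb so the parser never sees HTTP headers. The "MM" protocol (TLV records: 1-byte type, 2-byte big-endian length, value), its field names, the expert-info name and the use of TCP port 80 are all assumptions made for illustration; everything else uses the standard Wireshark Lua API.

```lua
-- Added example, not code from the question, the answer or the Wireshark wiki.
-- Chained dissector for a hypothetical "MM" protocol carried in HTTP bodies:
-- TLV records, 1-byte type, 2-byte big-endian length, then value bytes.
-- The framing, field names and TCP port 80 are assumptions for illustration.
local mm = Proto("mm", "MM over HTTP (example)")

local f_type  = ProtoField.uint8("mm.type", "Record type", base.HEX)
local f_len   = ProtoField.uint16("mm.len", "Record length", base.DEC)
local f_value = ProtoField.bytes("mm.value", "Record value")
mm.fields = { f_type, f_len, f_value }

-- malformed input is flagged in the tree rather than raising a Lua error,
-- so a bad body cannot abort dissection of the rest of the packet
local ef_trunc = ProtoExpert.new("mm.truncated", "MM record runs past end of HTTP body",
                                 expert.group.MALFORMED, expert.severity.ERROR)
mm.experts = { ef_trunc }

-- the HTTP dissector fills this field in once it has run on the packet
local http_body = Field.new("http.file_data")

-- the dissector we displace on the port; we still call it so the HTTP tree
-- and its fields exist before we look at the body
local original_http = DissectorTable.get("tcp.port"):get_dissector(80)

-- Parse MM records from 'body', a Tvb whose offset 0 is the first byte of the
-- HTTP body (headers already stripped). Returns the number of complete records.
local function dissect_body(body, tree)
    local offset, count = 0, 0
    local total = body:len()
    while offset < total do
        if total - offset < 3 then
            tree:add_proto_expert_info(ef_trunc, "partial record header")
            break
        end
        local rec_len = body(offset + 1, 2):uint()
        if offset + 3 + rec_len > total then
            tree:add_proto_expert_info(ef_trunc,
                string.format("declared length %d exceeds remaining %d bytes",
                              rec_len, total - offset - 3))
            break
        end
        local rec = tree:add(mm, body(offset, 3 + rec_len))
        rec:set_text(string.format("Record %d (type 0x%02x, %d bytes)",
                                   count, body(offset, 1):uint(), rec_len))
        rec:add(f_type, body(offset, 1))
        rec:add(f_len, body(offset + 1, 2))
        if rec_len > 0 then
            rec:add(f_value, body(offset + 3, rec_len))
        end
        offset = offset + 3 + rec_len
        count = count + 1
    end
    return count
end

function mm.dissector(tvb, pinfo, tree)
    -- 1. let the real HTTP dissector parse headers (and reassemble) as usual
    original_http:call(tvb, pinfo, tree)

    -- 2. pick up the body only; nil when this packet carries no HTTP body
    local fi = http_body()
    if not fi then return end

    -- 3. fi.range covers exactly the body; fi.range:tvb() gives a Tvb whose
    --    offset 0 is the first body byte, so the parser never sees headers
    local body = fi.range:tvb()

    local subtree = tree:add(mm, fi.range)
    local n = dissect_body(body, subtree)
    subtree:append_text(string.format(" (%d complete record(s))", n))
    if n > 0 then
        pinfo.cols.protocol:set("MM")
    end
end

-- take HTTP's place on port 80; the original dissector is still called above
DissectorTable.get("tcp.port"):add(80, mm)
```

Two points worth knowing when adapting this: calling `http_body()` returns every `http.file_data` instance in the packet, so a pipelined response with several bodies needs a loop over the returned values rather than just the first one; and if the protocol is sent with its own Content-Type, the cleaner route is to register `mm` in the `media_type` dissector table instead of displacing HTTP on a port, since the HTTP dissector then calls `mm.dissector` directly with a Tvb that contains only the body and no chaining is needed at all.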