Get network interface in Wireshark Lua dissector

I am writing a Wireshark dissector in Lua. Is there a way to get the network interface the current frame was received on/transmitted from within the dissector?

There is a frame field called frame.interface_id, available since Wireshark 1.8.0 according to the Wireshark Display Filter Reference page, which should give you the ID of the interface. The ID seems to match the enumeration given in the results of dumpcap -D (or tshark -D) if you subtract 1 from the enumeration. In other words, both dumpcap and tshark count interfaces starting with 1 in the respective -D outputs, while Wireshark seems to start counting from 0. This inconsistency seems like a bug to me and I would suggest filing a Wireshark bug report against this inconsistent behavior.

Edit (since it doesn't seem possible to format this coherently in a comment):

To access the field, you can use a field extractor, see: https://www.wireshark.org/docs/wsdg_html_chunked/lua_module_Field.html

For example:

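-- Create the field extractor once, at load time, outside the dissector function
local fe_interface_id = Field.new("frame.interface_id")

-- foo is the Proto object of your own dissector
function foo.dissector(buffer, pinfo, tree)
    -- Calling the extractor returns the FieldInfo for the current frame (nil if the field is absent)
    local f_interface_id = fe_interface_id()
    pinfo.cols.info:append(", Interface ID=" .. tostring(f_interface_id))
end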
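
A complete, loadable version of the approach in the answer above, written as a post-dissector so it runs on every frame. This is an added example, not part of the original answer; the protocol name ifacetag and its field ifacetag.id are hypothetical names chosen here.

```lua
-- Added example: post-dissector that tags every frame with its capture interface ID.
-- "ifacetag" and "ifacetag.id" are hypothetical names chosen for this example.
local ifacetag = Proto("ifacetag", "Capture Interface Tag")

-- Expose the value as a field of our own protocol so it can be used in
-- display filters and custom columns (e.g. ifacetag.id == 0).
local pf_id = ProtoField.uint32("ifacetag.id", "Interface ID", base.DEC)
ifacetag.fields = { pf_id }

-- Field extractors must be created at load time, before any dissector is called.
local fe_interface_id = Field.new("frame.interface_id")

function ifacetag.dissector(buffer, pinfo, tree)
    local fi = fe_interface_id()
    if fi == nil then
        -- The field is only present when the capture file records an
        -- interface ID for the packet (e.g. pcapng), so it may be absent.
        return
    end

    -- In pcapng the ID is an index into the interface descriptions
    -- stored in the capture file, counted from 0.
    local id = fi.value

    local subtree = tree:add(ifacetag, "Capture interface")
    subtree:add(pf_id, id):set_generated()

    -- %d keeps the output an integer regardless of the Lua number type in use.
    pinfo.cols.info:append(string.format(", Interface ID=%d", id))
end

-- Run after all other dissectors, for every frame.
register_postdissector(ifacetag)
```

Save it as a .lua file in the personal plugins directory, or load it with tshark -X lua_script:<file>, then filter on ifacetag.id.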