Wireshark Lua dissector not showing tree
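I have a packet with trailer data after the ixia timestamp trailer of the packet. I am trying to write a dissector for Wireshark that is exactly the same as the ixia-packet_trailer plugin. https://raw.githubusercontent.com/boundary/wireshark/master/epan/dissectors/packet-ixiatrailer.c
But I want to write it in Lua, so that it is easiest to change.
I made the Lua a heuristic with the function is_my_trailer (as proposed in ); it now stopped showing the trailer in the Ethernet tree, so I believe it recognizes the pattern 0xae12, but it does not show my "my trailer" tree.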
    -- declare our protocol
    local my_trailer_proto = Proto("my_trailer","my Trailer")

    -- Header fields
    local timestamp  = ProtoField.uint64("my_trailer_proto.timestamp",  "timestamp", base.HEX)
    local proto_flag = ProtoField.uint8 ("my_trailer_proto.proto_flag", "protoFlag", base.HEX)
    local msg_id     = ProtoField.uint16("my_trailer_proto.msg_id",     "msdId",     base.HEX)
    my_trailer_proto.fields = { timestamp, proto_flag, msg_id }

    -- does this packet contain a trailer?
    local function is_my_trailer(buffer,pinfo,tree)
        local length = buffer:len()
        -- too short to hold the trailer: reject (a non-zero number would claim the packet)
        if length < 12 then return false end
        local type = buffer(length-12, 2):uint()
        if type == 0xae12 then return true end
        return false
    end

    function my_trailer_proto.dissector(buffer, pinfo, tree)
        local length = buffer:len()
        if length == 0 then return end
        local subtree = tree:add(my_trailer_proto, buffer(), "my trailer")
        -- Header
        subtree:add(timestamp, buffer(length-10,8))
        subtree:add(proto_flag, buffer(length-3,1))
        subtree:add(msg_id, buffer(length-2,2))
        pinfo.cols.protocol = my_trailer_proto.name
        pinfo.cols.protocol:set("proto_flag")
        pinfo.cols.info:set("proto_flag: " .. proto_flag)
    end

    my_trailer_proto:register_heuristic("eth.trailer", is_my_trailer)
Here is a sample pcap file with the trailer: https://transfernow.net/87kwt2k0dne7
You forgot a key line of code:

    if type == 0xae12 then return true end
    return false

It should be:

    if type == 0xae12 then
        my_trailer_proto.dissector(buffer, pinfo, tree)
        return true
    end
    return false

You also have another bug. This line is wrong:

    pinfo.cols.info:set("proto_flag: " .. proto_flag)

It should be like this:

    pinfo.cols.info:set("proto_flag: " .. buffer(length-3,1):uint())
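
The two fixes from the answer combined into one heuristic dissector, as an added example that is not part of the original posts. It assumes the 12-byte layout and offsets used in the question's code (not verified against a capture); the `signature` field, the `my_trailer.*` filter names, the `msgId` label and the use of `append` for the Info column are choices made here.

```lua
-- Added example: heuristic trailer dissector for the "eth.trailer" table.
-- Assumption: the last 12 bytes of the Ethernet trailer hold the record,
-- with field offsets as posted in the question.
local my_trailer_proto = Proto("my_trailer", "my Trailer")

local TRAILER_LEN = 12      -- bytes counted back from the end of the buffer
local SIGNATURE   = 0xae12  -- pattern checked in the question

-- Field names below are hypothetical; f_sig is not in the question's code.
local f_sig       = ProtoField.uint16("my_trailer.signature",  "signature", base.HEX)
local f_timestamp = ProtoField.uint64("my_trailer.timestamp",  "timestamp", base.HEX)
local f_flag      = ProtoField.uint8 ("my_trailer.proto_flag", "protoFlag", base.HEX)
local f_msg_id    = ProtoField.uint16("my_trailer.msg_id",     "msgId",     base.HEX)
my_trailer_proto.fields = { f_sig, f_timestamp, f_flag, f_msg_id }

function my_trailer_proto.dissector(tvb, pinfo, tree)
    local len = tvb:len()
    if len < TRAILER_LEN then return 0 end       -- never index before byte 0
    local off = len - TRAILER_LEN                -- start of the trailer record
    -- Highlight only the trailer bytes, not the whole buffer.
    local subtree = tree:add(my_trailer_proto, tvb(off, TRAILER_LEN), "my trailer")
    subtree:add(f_sig,       tvb(off, 2))        -- length-12 in the question
    subtree:add(f_timestamp, tvb(off + 2, 8))    -- length-10
    local flag = tvb(off + 9, 1)                 -- length-3
    subtree:add(f_flag,      flag)
    subtree:add(f_msg_id,    tvb(off + 10, 2))   -- length-2
    pinfo.cols.protocol = my_trailer_proto.name
    -- A ProtoField cannot be concatenated to a string; read the value from
    -- the TvbRange. append() keeps the Info text set by the upper layers.
    pinfo.cols.info:append(string.format(" [proto_flag: 0x%02x]", flag:uint()))
    return len
end

-- Heuristic contract: return false without touching the tree when the data
-- is not ours; otherwise dissect first, then return true to claim it.
local function is_my_trailer(tvb, pinfo, tree)
    local len = tvb:len()
    if len < TRAILER_LEN then return false end
    if tvb(len - TRAILER_LEN, 2):uint() ~= SIGNATURE then return false end
    my_trailer_proto.dissector(tvb, pinfo, tree)
    return true
end

my_trailer_proto:register_heuristic("eth.trailer", is_my_trailer)
```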