How to use add_packet_field in a Wireshark Lua dissector?
I'm writing a dissector for a custom protocol in Lua, and it has me stumped. I have basic field extraction working, but many of our fields have a scale factor associated with them, and I'd like to display the scaled value in addition to the raw extracted value.
It seemed to me that tree_item:add_packet_field was tailor-made for this. Except I can't get it to work.
I found Mika's blog very helpful and followed his pattern of splitting the dissector into separate files, etc. Everything works fine.
Given a packet type "my_packet", I have a 14-bit signed integer "AOA" that I can extract just fine:
    local pref = "my_packet"
    local m = {
        aoa = ProtoField.new("AOA", pref .. ".aoa", ftypes.INT16, nil, base.DEC, 0x3FFF, "angle of arrival measurement"),
    }
    local option = 2
    local aoa_scale = 0.1

    function m.parse(tree_arg, buffer)
        if option == 1 then
            -- basic field extraction. This works just fine. The field is extracted and added to the tree
            tree_arg:add(m.aoa, buffer)
        elseif option == 2 then
            -- This parses and runs. The item is decoded and added to the tree,
            -- but the value of 'v' is always nil
            local c, v = tree_arg:add_packet_field(m.aoa, buffer, ENC_BIG_ENDIAN)
            -- this results in an error, doing arithmetic on 'nil'
            c:append_text(" (scaled= " .. tostring(v * aoa_scale) .. ")")
        end
    end
(I use ProtoField.new rather than any of the type-specific variants so that my field declarations stay consistent.)
The documentation for add_packet_field says the encoding argument is required. There is a README in the source that says ENC_BIG_ENDIAN should be specified for network-byte-order data (which mine is). I know that section is about proto_tree_add_item, but I traced the code far enough to see that add_packet_field ultimately passes the encoding through to proto_tree_add_item.
Basically, at this point I'm lost. I did find this post from 2014 suggesting only limited support for add_packet_field, but surely something as basic as integer values is supported by now?
Also, I know how to declare a Field and extract the value after tree:add has done the parsing; worst case I'll fall back to that, but surely there is a more convenient way to get at the value that was just parsed and added to the tree?
Wireshark version
3.2.4 (v3.2.4-0-g893b5a5e1e3e)
Compiled (64-bit) with Qt 5.12.8, with WinPcap SDK (WpdPack) 4.1.2, with GLib
2.52.3, with zlib 1.2.11, with SMI 0.4.8, with c-ares 1.15.0, with Lua 5.2.4,
with GnuTLS 3.6.3 and PKCS #11 support, with Gcrypt 1.8.3, with MIT Kerberos,
with MaxMind DB resolver, with nghttp2 1.39.2, with brotli, with LZ4, with
Zstandard, with Snappy, with libxml2 2.9.9, with QtMultimedia, with automatic
updates using WinSparkle 0.5.7, with AirPcap, with SpeexDSP (using bundled
resampler), with SBC, with SpanDSP, with bcg729.
Running on 64-bit Windows 10 (1803), build 17134, with Intel(R) Xeon(R) CPU
E3-1505M v6 @ 3.00GHz (with SSE4.2), with 32558 MB of physical memory, with
locale English_United States.1252, with light display mode, without HiDPI, with
Npcap version 0.9991, based on libpcap version 1.9.1, with GnuTLS 3.6.3, with
Gcrypt 1.8.3, with brotli 1.0.2, without AirPcap, binary plugins supported (19
loaded).
Built using Microsoft Visual Studio 2019 (VC++ 14.25, build 28614).
Looking at the try_add_packet_field() source code, only certain FT_ types are supported, namely:
FT_BYTES
FT_UINT_BYTES
FT_OID
FT_REL_OID
FT_SYSTEM_ID
FT_ABSOLUTE_TIME
FT_RELATIVE_TIME
None of the other FT_ types are supported [yet], including FT_UINT16, which is the type you're interested in here, i.e. everything else just has to be done the old-fashioned way.
If you'd like to see this implemented, I'd suggest filing a Wireshark enhancement bug request for it on the Wireshark Bug Tracker.
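Doing it the old-fashioned way the answer refers to, as an added example (not code from the question, the answer, or Wireshark itself): keep the question's m.aoa field, let tree:add decode and display it, and compute the scaled value from the TvbRange directly. It assumes buffer is the Tvb with the AOA word in its first two bytes and that AOA is two's-complement in the low 14 bits; decode_aoa is a helper introduced here.

```lua
local pref = "my_packet"
local m = {
    aoa = ProtoField.new("AOA", pref .. ".aoa", ftypes.INT16, nil, base.DEC, 0x3FFF,
                         "angle of arrival measurement"),
}
local aoa_scale = 0.1

-- Decode a 14-bit two's-complement value held in the low 14 bits of a
-- 16-bit word. Plain arithmetic, so no bit library is needed.
-- (Helper added for this example; assumes the device encodes AOA this way.)
local function decode_aoa(raw16)
    local v = raw16 % 0x4000      -- keep the low 14 bits (mask 0x3FFF)
    if v >= 0x2000 then           -- bit 13 set: negative in 14-bit two's complement
        v = v - 0x4000
    end
    return v
end

-- 'buffer' is assumed to be the Tvb with the AOA word at offset 0.
function m.parse(tree_arg, buffer)
    if buffer:len() < 2 then
        return nil                -- truncated packet: add nothing rather than raise a Lua error
    end
    local range = buffer(0, 2)
    -- Let Wireshark add and display the masked field as it normally would...
    local item = tree_arg:add(m.aoa, range)
    -- ...then read the raw word ourselves, because add_packet_field returns
    -- no value for FT_INT16. range:int() would sign-extend from bit 15,
    -- which is wrong for a 14-bit field, so use uint() and decode by hand.
    local aoa = decode_aoa(range:uint())
    item:append_text(string.format(" (scaled = %.1f)", aoa * aoa_scale))
    return aoa
end
```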