-- @brief RtmpProxy over UDP Protocol dissector plugin
-- @author
-- @date 2018.08.12
-- @man https://wiki.wireshark.org/LuaAPI
-- Value-string tables for the bitfield demo fields: raw code -> label shown in the tree.
local VALS_FOO = {
  [0x333333] = "New York",
  [0x303030] = "Los Angeles",
  [0x313233] = "Chicago",
}
local VALS_BAR = {
  [0x06] = "Whiskey",
  [0x12] = "Rum",
  [0x13] = "Vodka",
  [0x14] = "Gin",
}
-- Labels for the one-bit flags (0 -> False, 1 -> True).
local VALS_BOOL = { [0] = "False", [1] = "True" }
-- calling tostring() on random FieldInfo's can cause an error, so this func handles it
--- Stringify a FieldInfo defensively.
-- tostring() on some FieldInfo values raises instead of returning, so the call is
-- wrapped in pcall and a placeholder is returned when it fails.
-- @param finfo value to stringify (normally a FieldInfo)
-- @treturn string tostring(finfo), or "(unknown)" if tostring raised
local function getstring(finfo)
  local ok, text = pcall(tostring, finfo)
  -- tostring() always yields a string, so `ok and text` is never a false positive.
  return ok and text or "(unknown)"
end
-- 1. 创建解析器对象
local NAME = "RPU" -- custom protocol name; also used as the prefix of the display-filter field names below
local rpouProto = Proto(NAME, " RtmpProxy over UDP Protocol")
-- ProtoFields registered on rpouProto; each one becomes a display-filter field.
local fields = rpouProto.fields
fields.sessionID = ProtoField.uint32 (NAME .. ".sessionID", "sessionID") -- session id header (the dissector reads it from bytes 0..3)
fields.Seq = ProtoField.uint32 (NAME .. ".Seq", "Seq") -- sequence number header (bytes 4..7)
fields.Length = ProtoField.uint32(NAME .. ".Length", "[Length]",base.DEC) -- total length of the proxy packet
fields.DataLength = ProtoField.uint32(NAME .. ".DataLength", "[DataLength]",base.DEC) -- length of the payload after the 8-byte header
-- Bitfield demo carried over from the Wireshark "toy" sample: the dissector re-reads the
-- same 8 header bytes as one uint64 and splits it into masked sub-fields.
-- NOTE(review): the abbreviations below mix "toy.*", "RPU.*" and NAME .. "." prefixes, so
-- these fields do not all filter under the RPU protocol name — confirm which is intended.
fields.bf = ProtoField.uint64(NAME .. ".bf" , "Bitfield" , base.HEX)
fields.bfhi = ProtoField.uint32("toy.bfhi" , "Upper 32 bits" , base.HEX)
fields.bflo = ProtoField.uint32("toy.bflo" , "Lower 32 bits" , base.HEX)
-- NOTE(review): the two masks overlap in the low nibble (0x00FFFFFF vs 0x0000000F) and the
-- dissector applies both to the same 4 bytes — confirm the intended bit layout.
fields.bf_foo = ProtoField.uint32("RPU.bf.foo", "Bitfield-0" , base.DEC,VALS_FOO , 0x00FFFFFF)
fields.bf_bar = ProtoField.uint32("RPU.bf.bar", "Bitfield-1" , base.DEC,VALS_BAR , 0x0000000F)
-- Single-bit flags of the lower 32 bits, displayed via VALS_BOOL.
fields.bf_st = ProtoField.uint32("toy.bf.st" , "Sticky" , base.DEC,VALS_BOOL, 0x00000001)
fields.bf_rd = ProtoField.uint32("toy.bf.rd" , "Read" , base.DEC,VALS_BOOL, 0x00000002)
fields.bf_wr = ProtoField.uint32("toy.bf.wr" , "Write" , base.DEC,VALS_BOOL, 0x00000004)
fields.bf_ex = ProtoField.uint32("toy.bf.ex" , "Execute" , base.DEC,VALS_BOOL, 0x00000008)
-- Generic "data" dissector; the payload after the header is handed to it.
local data_dis = Dissector.get("data")
-- 2. 解析器函数 dissect packet
--[[
下面定义 foo 解析器的主函数,这个函数由 wireshark调用
第一个参数是 Tvb 类型,表示的是需要此解析器解析的数据
第二个参数是 Pinfo 类型,是协议解析树上的信息,包括 UI 上的显示
第三个参数是 TreeItem 类型,表示上一级解析树
--]]
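--- Main dissector callback; Wireshark calls it for each UDP datagram on a registered port.
-- @param tvb   Tvb holding the bytes this dissector must parse (untrusted network input)
-- @param pinfo Pinfo for the packet (columns, ports)
-- @param tree  TreeItem of the enclosing protocol tree
-- @return number of bytes consumed; 0 when the datagram is too short to hold the RPU
--   header, which tells Wireshark the packet was not accepted instead of raising a Lua
--   error from an out-of-bounds tvb range
function rpouProto.dissector (tvb, pinfo, tree)
  local RPU_HEADER_LEN = 8 -- sessionID (4 bytes) + Seq (4 bytes)
  local total_len = tvb:len()
  -- Validate the length before slicing: on a truncated datagram tvb(0, 4) / tvb(4, 4)
  -- below would throw, and Wireshark would flag the packet with a Lua error.
  if total_len < RPU_HEADER_LEN then
    return 0
  end

  local subtree = tree:add(rpouProto, tvb())
  -- Protocol column shown in the packet list / details.
  pinfo.cols.protocol = rpouProto.name

  -- Header fields, added one by one to the protocol tree.
  local sessionID = tvb(0, 4) -- 4 bytes starting at offset 0
  local seq = tvb(4, 4)
  subtree:add(fields.sessionID, sessionID)
  subtree:append_text(", sessionID: " .. sessionID:uint())
  subtree:add(fields.Seq, seq)

  -- Info column shown in the packet list.
  pinfo.cols.info:set(string.format("sessionID:%.11d seq= %.11d",sessionID:uint(),seq:uint()))
  pinfo.cols.info:append(" " ..pinfo.src_port .. "->" .. pinfo.dst_port)
  subtree:add(fields.Length, total_len)                    -- whole proxy packet
  subtree:add(fields.DataLength, total_len - RPU_HEADER_LEN) -- payload after the header

  -- Bitfield example (kept from the Wireshark "toy" sample): re-reads the same 8 header
  -- bytes as one uint64 and splits it into masked sub-fields.
  local t_bf = subtree:add( fields.bf, tvb(0,8) ) -- bitfield
  -- Upper 32 bits are bytes 0..3; highlight the same range its children use.
  local t_hi = t_bf:add( fields.bfhi, tvb(0,4) ) -- Upper 32 bits
  t_hi:add( fields.bf_foo , tvb(0,4) ) -- Foo
  t_hi:add( fields.bf_bar , tvb(0,4) ) -- Bar
  local t_lo = t_bf:add( fields.bflo, tvb(4,4) ) -- Lower 32 bits
  t_lo:add( fields.bf_st , tvb(4,4) ) -- Sticky
  t_lo:add( fields.bf_rd , tvb(4,4) ) -- Read
  t_lo:add( fields.bf_wr , tvb(4,4) ) -- Write
  t_lo:add( fields.bf_ex , tvb(4,4) ) -- Execute

  pinfo.cols.info:append(" ☼RTMP代理协议☢")
  -- Hand the payload after the header to the generic "data" dissector.
  data_dis:call(tvb(RPU_HEADER_LEN):tvb(), pinfo, tree)
  -- Demo expert entry: it fires for every packet, so in the Expert Info pane it is noise
  -- rather than a finding. NOTE(review): add_proto_expert_info with a registered
  -- ProtoExpert is the filterable form — confirm against the target Wireshark version.
  subtree:add_expert_info(PI_SECURITY, PI_ERROR , "添加专家信息!")
  -- subtree:set_len(20)
  return total_len
end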
-- 3 将解析器注册到wireshark解析表 register this dissector
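-- 3. Register the dissector with Wireshark's UDP port table so datagrams on these
-- ports are identified as RPU by port number.
local udp_port_table = DissectorTable.get("udp.port")
-- UDP ports carrying RPU traffic; extend this list rather than the loop below.
local RPU_UDP_PORTS = { 10000, 20000 }
for _, port in ipairs(RPU_UDP_PORTS) do
  udp_port_table:add(port, rpouProto)
end
-- Post-dissector: a dummy protocol whose callback runs after normal dissection.
local myproto = Proto("hello","Dummy proto to edit info column")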
-- the dissector function callback
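--- Post-dissector callback for myproto.
-- Currently a placeholder: it walks the field infos of the dissected packet but
-- changes nothing (the Info-column edit is commented out).
-- @param tvb   Tvb of the packet (unused)
-- @param pinfo Pinfo of the packet (only used by the commented-out line)
-- @param tree  TreeItem root of the packet (unused)
function myproto.dissector(tvb,pinfo,tree)
  -- Named `infos`, not `fields`, so the file-level `fields` table (the RPU ProtoFields)
  -- is not shadowed here.
  local infos = { all_field_infos() }
  for _, finfo in ipairs(infos) do
    -- pinfo.cols.info:append("@" .. pinfo.port_type .. "$")
  end
end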
-- register our new dummy protocol for post-dissection
register_postdissector(myproto) -- myproto.dissector now runs after every packet's normal dissection
看下解析的效果
https://blog.csdn.net/x356982611/article/details/81628777
https://www.zybuluo.com/natsumi/note/77991
https://wiki.wireshark.org/Lua/Examples
https://www.wireshark.org/docs/wsdg_html_chunked/wslua_dissector_example.html
https://www.wireshark.org/docs/wsdg_html_chunked/wslua_tap_example.html
https://wiki.wireshark.org/LuaAPI