wireshark lua插件解码私有协议

版权声明:博客地址:blog.csdn.net/x356982611,未经允许不得转载,不得转载,不得转载 https://blog.csdn.net/x356982611/article/details/81628777

code

-- @brief RtmpProxy over UDP Protocol dissector plugin
-- @author 
-- @date 2018.08.12
-- @man  https://wiki.wireshark.org/LuaAPI


-- Value-string maps used by the bitfield demo fields below (raw value -> label).
local VALS_FOO = {
  [0x333333] = "New York",
  [0x303030] = "Los Angeles",
  [0x313233] = "Chicago",
}
local VALS_BAR = {
  [0x06] = "Whiskey",
  [0x12] = "Rum",
  [0x13] = "Vodka",
  [0x14] = "Gin",
}
-- 0/1 flag rendering for the single-bit fields
local VALS_BOOL = {
  [0] = "False",
  [1] = "True",
}



-- calling tostring() on random FieldInfo's can cause an error, so this func handles it
--- Stringify a FieldInfo (or any value) without letting tostring() errors escape.
-- Some FieldInfo objects raise from tostring(); those are rendered as "(unknown)".
-- @param finfo value to render
-- @treturn string the tostring() result, or "(unknown)" if it raised
local function getstring(finfo)
  local ok, text = pcall(tostring, finfo)
  -- tostring() only ever yields a string, so the and/or idiom is safe here
  return ok and text or "(unknown)"
end


-- 1. 创建解析器对象
-- 1. Protocol object and its header fields
local NAME = "RPU"  -- protocol short name; also used as the display-filter prefix
local rpouProto = Proto(NAME, " RtmpProxy over UDP Protocol")

-- Build a display-filter abbreviation under the protocol prefix
local function rpu_abbrev(suffix)
  return NAME .. "." .. suffix
end

-- Fields are registered by assigning into the proto's own fields table
local fields = rpouProto.fields
fields.sessionID  = ProtoField.uint32(rpu_abbrev("sessionID"), "sessionID")                 -- session id header
fields.Seq        = ProtoField.uint32(rpu_abbrev("Seq"), "Seq")                             -- sequence number header
-- Bracketed labels: these two are computed from the datagram size, not read from the wire
fields.Length     = ProtoField.uint32(rpu_abbrev("Length"), "[Length]", base.DEC)           -- total proxy datagram length
fields.DataLength = ProtoField.uint32(rpu_abbrev("DataLength"), "[DataLength]", base.DEC)   -- payload length


-- Bitfield demo: the first 8 bytes shown as one 64-bit value, split into two
-- 32-bit halves, each decoded into masked sub-fields.
-- NOTE(review): the "toy.*" abbreviations are kept from the original example and
-- do not share the RPU display-filter prefix.
fields.bf   = ProtoField.uint64(NAME .. ".bf", "Bitfield", base.HEX)
fields.bfhi = ProtoField.uint32("toy.bfhi", "Upper 32 bits", base.HEX)
fields.bflo = ProtoField.uint32("toy.bflo", "Lower 32 bits", base.HEX)

-- { field key, abbrev, label, value map, bitmask }
local bitfield_specs = {
  { "bf_foo", "RPU.bf.foo", "Bitfield-0", VALS_FOO,  0x00FFFFFF },
  { "bf_bar", "RPU.bf.bar", "Bitfield-1", VALS_BAR,  0x0000000F },
  { "bf_st",  "toy.bf.st",  "Sticky",     VALS_BOOL, 0x00000001 },
  { "bf_rd",  "toy.bf.rd",  "Read",       VALS_BOOL, 0x00000002 },
  { "bf_wr",  "toy.bf.wr",  "Write",      VALS_BOOL, 0x00000004 },
  { "bf_ex",  "toy.bf.ex",  "Execute",    VALS_BOOL, 0x00000008 },
}
for _, spec in ipairs(bitfield_specs) do
  local key, abbrev, label, valuestring, mask = spec[1], spec[2], spec[3], spec[4], spec[5]
  fields[key] = ProtoField.uint32(abbrev, label, base.DEC, valuestring, mask)
end




-- Generic "data" dissector; the dissector below hands it everything after the 8-byte header
local data_dis = Dissector.get("data")

-- 2. 解析器函数 dissect packet 
--[[
    下面定义 foo 解析器的主函数,这个函数由 wireshark调用
    第一个参数是 Tvb 类型,表示的是需要此解析器解析的数据
    第二个参数是 Pinfo 类型,是协议解析树上的信息,包括 UI 上的显示
    第三个参数是 TreeItem 类型,表示上一级解析树
--]]

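--- Main dissector for the RtmpProxy-over-UDP (RPU) protocol; Wireshark calls it
-- for every UDP datagram on the registered ports.
-- Layout assumed here (matching the field definitions above):
--   bytes 0-3  sessionID (uint32)
--   bytes 4-7  Seq       (uint32)
--   bytes 8..  payload, passed to the generic "data" dissector
-- @param tvb   Tvb holding the bytes to dissect
-- @param pinfo Pinfo for the packet (columns, ports)
-- @param tree  parent TreeItem
-- @return number of bytes consumed; 0 when the datagram is too short to hold
--   the 8-byte header, in which case nothing is added to the tree
function rpouProto.dissector (tvb, pinfo, tree)
  local HEADER_LEN = 8

  -- Every tvb(off, len) range below raises a Lua "out of bounds" error on a
  -- datagram shorter than the header, which aborts dissection of the frame.
  -- Reject truncated/malformed input before touching the tree instead.
  if tvb:len() < HEADER_LEN then
    return 0
  end

  local subtree = tree:add(rpouProto, tvb())

  -- Protocol column in the packet list
  pinfo.cols.protocol = rpouProto.name

  -- Header fields, one by one, into the protocol tree
  local sessionID = tvb(0, 4)  -- 4 bytes starting at offset 0
  subtree:add(fields.sessionID, sessionID)
  subtree:append_text(", sessionID: " .. sessionID:uint())

  local seq = tvb(4, 4)
  subtree:add(fields.Seq, seq)

  -- Info column in the packet list
  pinfo.cols.info:set(string.format("sessionID:%.11d seq= %.11d",sessionID:uint(),seq:uint()))
  pinfo.cols.info:append(" " .. pinfo.src_port .. "->" .. pinfo.dst_port)

  -- Total datagram length and payload length (non-negative thanks to the guard above)
  subtree:add(fields.Length, tvb:len())
  subtree:add(fields.DataLength, tvb:len() - HEADER_LEN)

  -- Bitfield example: the first 8 bytes as one 64-bit value split into two halves
  local t_bf = subtree:add(fields.bf, tvb(0, 8))

  -- Upper half is bytes 0-3; the original highlighted tvb(1,4), which straddled
  -- both halves and disagreed with the foo/bar sub-fields added on tvb(0,4).
  local t_hi = t_bf:add(fields.bfhi, tvb(0, 4))
  t_hi:add(fields.bf_foo, tvb(0, 4))
  t_hi:add(fields.bf_bar, tvb(0, 4))

  local t_lo = t_bf:add(fields.bflo, tvb(4, 4))
  t_lo:add(fields.bf_st, tvb(4, 4))
  t_lo:add(fields.bf_rd, tvb(4, 4))
  t_lo:add(fields.bf_wr, tvb(4, 4))
  t_lo:add(fields.bf_ex, tvb(4, 4))

  pinfo.cols.info:append("  ☼RTMP代理协议☢")

  -- Hand the payload (everything after the header) to the generic data dissector
  data_dis:call(tvb(HEADER_LEN):tvb(), pinfo, tree)

  -- Demo expert-info entry; it fires on every packet, so it is an example of
  -- the API rather than a real finding.
  subtree:add_expert_info(PI_SECURITY, PI_ERROR , "添加专家信息!")
  -- subtree:set_len(20)

  -- Report the whole datagram as consumed
  return tvb:len()
end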

-- 3 将解析器注册到wireshark解析表 register this dissector
-- 3. Register the dissector in Wireshark's UDP port table
local udp_port_table = DissectorTable.get("udp.port")

-- UDP ports whose traffic is decoded as RPU. Identification is by port only;
-- the dissector itself performs no magic or version check on the bytes.
local RPU_UDP_PORTS = { 10000, 20000 }
for idx = 1, #RPU_UDP_PORTS do
  udp_port_table:add(RPU_UDP_PORTS[idx], rpouProto)
end




--Post-dissector 后处理解析器 -----

-- Dummy protocol used only as a post-dissector hook (see register_postdissector below)
local myproto = Proto("hello","Dummy proto to edit info column")

-- the dissector function callback
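--- Post-dissector callback; Wireshark runs it after all other dissectors on the packet.
-- Currently a stub: it enumerates the packet's FieldInfo objects but changes nothing
-- (the original Info-column append is kept commented out in the loop body).
-- @param tvb   Tvb for the whole packet
-- @param pinfo Pinfo for the packet
-- @param tree  root TreeItem of the packet
function myproto.dissector(tvb,pinfo,tree)
  -- all_field_infos() returns every FieldInfo of the current packet as multiple values.
  -- Named `infos` rather than `fields` so it does not shadow the file-level fields table.
  local infos = { all_field_infos() }
  for _, _finfo in ipairs(infos) do
    -- pinfo.cols.info:append("@" .. pinfo.port_type .. "$")
  end
end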

-- register our new dummy protocol for post-dissection
-- register our new dummy protocol for post-dissection (its dissector runs on every packet)
register_postdissector(myproto)

看下解析的效果

这里写图片描述

https://blog.csdn.net/x356982611/article/details/81628777
https://www.zybuluo.com/natsumi/note/77991
https://wiki.wireshark.org/Lua/Examples
https://www.wireshark.org/docs/wsdg_html_chunked/wslua_dissector_example.html
https://www.wireshark.org/docs/wsdg_html_chunked/wslua_tap_example.html
https://wiki.wireshark.org/LuaAPI


转载自blog.csdn.net/x356982611/article/details/81628777