wireshark Lua脚本编写
Lua语言是脚本语言,只需要编写相关协议解析的脚本内容,然后由wireshark加载即可(Wireshark自带Lua解析器),wireshark封装丰富的接口给Lua使用,一些有用的docs:
https://www.wireshark.org/docs/wsdg_html_chunked/index.html
第十章:
第十一章:
11. Wireshark’s Lua API Reference Manual
解析器:
dissector:call(tvb, pinfo, tree)
Calls a dissector against a given packet (or part of it).
Arguments
-
tvb
The buffer to dissect.
-
pinfo
The packet info.
-
tree
The tree on which to add the protocol items.
Returns
Number of bytes dissected. Note that some dissectors always return number of bytes in incoming buffer, so be aware.
proto 字段中type的类型:
ftypes.BOOLEAN`, `ftypes.CHAR`, `ftypes.UINT8`, `ftypes.UINT16`, `ftypes.UINT24`, `ftypes.UINT32`, `ftypes.UINT64`, `ftypes.INT8`, `ftypes.INT16`, `ftypes.INT24`, `ftypes.INT32`, `ftypes.INT64`, `ftypes.FLOAT`, `ftypes.DOUBLE` , `ftypes.ABSOLUTE_TIME`, `ftypes.RELATIVE_TIME`, `ftypes.STRING`, `ftypes.STRINGZ`, `ftypes.UINT_STRING`, `ftypes.ETHER`, `ftypes.BYTES`, `ftypes.UINT_BYTES`, `ftypes.IPv4`, `ftypes.IPv6`, `ftypes.IPXNET`, `ftypes.FRAMENUM`, `ftypes.PCRE`, `ftypes.GUID`, `ftypes.OID`, `ftypes.PROTOCOL`, `ftypes.REL_OID`, `ftypes.SYSTEM_ID`, `ftypes.EUI64` or `ftypes.NONE
base的类型:
base.NONE`, `base.DEC`, `base.HEX`, `base.OCT`, `base.DEC_HEX`, `base.HEX_DEC`, `base.UNIT_STRING` or `base.RANGE_STRING
主讲解析器编写:
-
自定义proto
Proto.new(name, desc)
Creates a new
Protoobject.
local my_proto = Proto("my_proto", "my example proto");
- 添加proto中的字段:
ProtoField.new(name, abbr, type, [valuestring], [base], [mask], [descr])
Creates a newProtoFieldobject to be used for a protocol field.