使用lua脚本编写wireshark协议插件

最新推荐文章于 2023-11-22 17:43:38 发布

转载最新推荐文章于 2023-11-22 17:43:38 发布 · 2.1k 阅读

文章标签：

#lua脚本

杂谈专栏收录该内容

76 篇文章

订阅专栏

本文介绍如何使用Lua脚本为Wireshark开发自定义协议解析插件，包括配置Wireshark支持Lua、编写协议解析逻辑及如何注册自定义协议。

使用wireshark做协议分析，自定义协议可以编写Dissector插件进行分析，开始考虑使用c语言编写插件，了解了一下，发觉太麻烦，在效率要求不高的情况下，可以使用lua脚本编写插件：

要使用lua脚本，先使wireshark支持lua脚本，编辑init.lua(在wireshark目录下)，找到"disable_lua = true; do return end;"行，在最前面添加"--"将此行注释掉；
编写lua脚本文件，GZTP.lua 文件 lua

do local p_GZTP = Proto("GZTP","GZTP") local f_identifier = ProtoField.bytes("GZTP.identifier","Identifier") local f_frametype = ProtoField.uint8("GZTP.frametype","FrameType",base.HEX,{ [1] = "up-data", [129] = "resp-up", [2] = "request-data", [130] = "down-data"}) local f_len = ProtoField.uint8("GZTP.length","Data Length",base.DEC) local f_address = ProtoField.uint16("GZTP.address","Address",base.HEX) local f_control = ProtoField.uint16("GZTP.Control","Control",base.HEX) local f_data = ProtoField.bytes("gztp.data","Data") p_GZTP.fields = { f_identifier, f_frametype, f_len,f_address,f_control,f_data} local data_dis = Dissector.get("data") local function GWData_dissector(buf,pkf,root) local buf_len = buf:len(); if buf_len < 6 then return false end if(buf(0,1):uint()~=255) then return false end local t = root:add(buf(0,buf_len),"GWData") local f_sym = ProtoField.uint8("GWData.Sym","Sym",base.HEX) t:add(f_sym,buf(0,1)) return true end local function GZTP_dissector(buf,pkt,root) local buf_len = buf:len(); if buf_len < 8 then return false end local v_identifier = buf(0,2) if ((buf(0,1):uint()~=254) or (buf(1,1):uint()~=254)) then return false end local v_frametype = buf(2,1) local i_operator = v_frametype:uint() local v_len = buf(3,1) local v_address = buf(4,2) local v_control = buf(6,2) --控制字 local t = root:add(p_GZTP,buf(0,buf_len)) pkt.cols.protocol = "GZTP" t:add(f_identifier,v_identifier) t:add(f_frametype,v_frametype) t:add(f_len,v_len) t:add(f_address,v_address) t:add(f_control,v_control) local i_len = v_len:uint() if i_len > 0 then local deal = false local dissector = Dissector.get("gwdata") if dissector ~= nil then local databuf = buf(8,i_len):tvb() if dissector:call(databuf,pkt,root) then deal = true end else t:add(buf(8,i_len),"Data:") end end return true end function p_GZTP.dissector(buf,pkt,root) if GZTP_dissector(buf,pkt,root) then --valid GZTP diagram else data_dis:call(buf,pkt,root) end end local udp_encap_table = DissectorTable.get("udp.port") udp_encap_table:add(10110,p_GZTP) end
GWData.lua文件
do function GetTimeOfMinVal(Value) local val = Value local minVal = val % 60 val = val / 60 local hour = val % 24 val = val / 24 local day = val % 32 val = val / 32 local month = val % 12 + 1 local year = val / 12 return string.format("%04d-%02d-%02d %02d:%02d",year,month,day,hour,minVal) end end do runinfo_proto = Proto("runinfo","RUNINFO","RunInfo Protocol") function runinfo_proto.dissector(buffer,pinfo,tree) pinfo.cols.info = "GWData run info" local t = tree:add(runinfo_proto,buffer(),"Run Info Protocol Data") end end --雨量分钟数据 do raindata_proto = Proto("raindata","RAINDATA","Rain Data Protocol") local f_ctype = ProtoField.uint8("RAINDATA.ctype","CType",base.DEC,{ [0] = "sample",[1] = "compress"}) raindata_proto.fields = {f_ctype} function raindata_proto.dissector(buffer,pinfo,tree) local str_minutes = string.format("%d",buffer(2,2):le_uint()) --分钟数 local str_time = GetTimeOfMinVal(buffer(4,4):le_uint()) --时间 pinfo.cols.protocol = "RAIN DATA" pinfo.cols.info = "Time: "..str_time .. " Minutes: " .. str_minutes --local buf_len = buffer:len(); local t = tree:add(raindata_proto,buffer(),"Rain Data Protocol Data") t:add(f_ctype,buffer(0,1)) t:add(buffer(1,1),"Res: " .. string.format("0x%02X",buffer(1,1):uint())) t:add(buffer(2,2),"Minutes: " .. str_minutes) t:add(buffer(4,4),"Time: ".. str_time) t:add(buffer(8),"Data: ") end end do -- declare our protocol gwdata_proto = Proto("gwdata","GWDATA","GWDATA Protocol") local f_datatype = ProtoField.uint8("GWDATA.datatype","DataType",base.HEX,{ [0x02] = "run info",[0x12] = "rain data", [3] = "gprs"}) local f_trantype = ProtoField.uint8("GWDATA.trantype","TranType",base.HEX,{ [1] = "net", [2] = "modem", [3] = "gprs"}) gwdata_proto.fields = {f_datatype,f_trantype} local protos ={ [0x02] = Dissector.get("runinfo"), [0x12] = Dissector.get("raindata"), } -- create a function to dissect it function gwdata_proto.dissector(buffer,pinfo,tree) pinfo.cols.protocol = "GWDATA" if (buffer(0,1):uint()~=255) then return false end local subtree = tree:add(gwdata_proto,buffer(),"GWData Protocol Data") subtree:add(buffer(0,1),"Sym: " .. string.format("0x%02X",buffer(0,1):uint())) subtree:add(buffer(1,1),"Length: " .. buffer(1,1):uint()) subtree:add(f_datatype,buffer(2,1)) subtree:add(f_trantype,buffer(3,1)) subtree:add(buffer(4,2),"Addr: " .. buffer(4,2):le_uint()) local data_len = buffer(1,1):uint() local proto_id = buffer(2,1):uint() local dissector = protos[proto_id] if dissector ~= nil then dissector:call(buffer(6,data_len):tvb(),pinfo,tree) end return true end end
在init.lua文件最后添加：
dofile("GWData.lua") dofile("GZTP.lua")
将抓包文件*.pcap重新打开就可以了