How can Wireshark dissect correctly with two Lua dissectors on the same port?


Problem description

I'm writing Lua scripts as Wireshark (1.12.4) plugins to dissect my private protocols. I have two protocols, and I wrote a single Lua script for each of them; both Lua scripts look like the following:

local my_pro = Proto("MyPro","My Protocol")
-- filter-name abbreviations use "field", matching the display names
local my_pro_field_1 = ProtoField.uint16("MyPro.field_1","Field 1",base.HEX)
local my_pro_field_2 = ProtoField.uint16("MyPro.field_2","Field 2",base.HEX)
my_pro.fields = {my_pro_field_1,my_pro_field_2}

-- fallback used for payloads that do not match this protocol
local data_dis = Dissector.get("data")

function my_pro.dissector(buf,pkt,root)
    -- need at least the two 16-bit header words before reading them
    if buf:len() < 4 then
        data_dis:call(buf,pkt,root)
        return 0
    end
    -- the fields are added little-endian below, so compare the
    -- little-endian values here as well
    if (buf(0,2):le_uint() ~= 1 or buf(2,2):le_uint() ~= 1) then
        data_dis:call(buf,pkt,root)
        return 0            -- nothing consumed: not our protocol
    end
    pkt.cols.protocol = "My Protocol"
    local tree = root:add(my_pro,buf(0,buf:len()))
    tree:add_le(my_pro_field_1,buf(0,2))
    tree:add_le(my_pro_field_2,buf(2,2))
    return buf:len()        -- number of bytes consumed
end
-- register on TCP port 80; a second script adding the same port replaces this entry
local tcp_encap_table = DissectorTable.get("tcp.port")
tcp_encap_table:add(80,my_pro)

The problem is: the two protocols use the same port, and when I add both of these scripts to Wireshark's init.lua, only one of them takes effect. So how can I get these two protocol dissectors to work correctly at the same time? Any solution is fine, but the port can't be changed.

Recommended answer

If the port definitely can't be changed (which would be strange, since this appears to be running on port 80, which is the IANA-assigned port for http), you have two real choices.

1) From the Wireshark packet list, use the "decode-as" option to manually select the protocol you want for each TCP stream, although this may apply to all streams in the capture.

2) Add an extra dissector layer that takes the payload from the TCP data, detects which of your protocols it is, and then passes the data on to your real dissectors.

A third option is just to combine your separate dissectors into one. Assuming each TCP stream will only carry one or the other protocol, figure out from the first packet which protocol it is, and then decode as that.
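The dispatcher described in options 2 and 3, as an added example that is not part of the original answer or the asker's scripts. It registers one multiplexing Proto on tcp.port 80, identifies the protocol from the first four payload bytes of a stream, remembers the choice per TCP connection and hands the payload to the matching real dissector. The protocol names MyProA/MyProB, the abbreviations mypro_a/mypro_b and the magic words are assumptions: protocol A uses 0x0001 0x0001 as in the question, protocol B is assumed here to use 0x0002 0x0002.

```lua
-- Added example (not from the original post): one dispatcher on tcp.port 80
-- that detects which private protocol a TCP stream carries and hands the
-- payload to the matching real dissector (options 2 and 3 combined).
-- Assumptions: protocol A begins with the 16-bit words 0x0001 0x0001 as in
-- the question; protocol B is assumed here to begin with 0x0002 0x0002.

local data_dis = Dissector.get("data")

-- Builds a two-field protocol and returns its dissect function.
-- The real dissectors only see payloads the dispatcher already identified,
-- so they carry no detection logic of their own.
local function make_proto(name, desc, abbrev)
    local proto = Proto(name, desc)
    local f1 = ProtoField.uint16(abbrev .. ".field_1", "Field 1", base.HEX)
    local f2 = ProtoField.uint16(abbrev .. ".field_2", "Field 2", base.HEX)
    proto.fields = { f1, f2 }
    local function dissect(buf, pkt, root)
        if buf:len() < 4 then return 0 end
        pkt.cols.protocol = desc
        local tree = root:add(proto, buf(0, buf:len()))
        tree:add(f1, buf(0, 2))
        tree:add(f2, buf(2, 2))
        return buf:len()
    end
    proto.dissector = dissect
    return dissect
end

local dissect_a = make_proto("MyProA", "My Protocol A", "mypro_a")
local dissect_b = make_proto("MyProB", "My Protocol B", "mypro_b")

-- First 32-bit word of the payload -> dissect function.
local by_magic = {
    [0x00010001] = dissect_a,  -- A: 0x0001 0x0001 (from the question)
    [0x00020002] = dissect_b,  -- B: 0x0002 0x0002 (assumed)
}

-- TCP stream -> chosen dissect function, so later segments of the same
-- stream (which need not repeat the magic words) decode consistently.
local stream_dissect = {}

-- Direction-independent key for a TCP connection.
local function stream_key(pkt)
    local a = tostring(pkt.src) .. ":" .. tostring(pkt.src_port)
    local b = tostring(pkt.dst) .. ":" .. tostring(pkt.dst_port)
    if a < b then return a .. "<->" .. b end
    return b .. "<->" .. a
end

local mux = Proto("MyProMux", "My Protocol Multiplexer")

function mux.dissector(buf, pkt, root)
    if buf:len() == 0 then return 0 end
    local key = stream_key(pkt)
    local dissect = stream_dissect[key]
    if dissect == nil and buf:len() >= 4 then
        dissect = by_magic[buf(0, 4):uint()]
        if dissect ~= nil then stream_dissect[key] = dissect end
    end
    if dissect == nil then
        -- Neither protocol: show raw bytes rather than mislabel them.
        data_dis:call(buf, pkt, root)
        return 0
    end
    return dissect(buf, pkt, root)
end

-- Called when a capture is (re)loaded; forget the previous capture's streams.
function mux.init()
    stream_dissect = {}
end

-- Only the multiplexer is registered on the port, so no entry is overwritten.
DissectorTable.get("tcp.port"):add(80, mux)
```

Save this as one .lua file in the personal plugins directory (Help > About Wireshark > Folders) or dofile() it from init.lua; because only the multiplexer is added to tcp.port, the two real dissectors no longer overwrite each other's port entry. A stream whose first captured segment lacks the magic words stays on the data dissector, and each TCP segment is dissected on its own here, so messages that span segment boundaries would additionally need pkt.desegment_len handling.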
