How does Wireshark dissect correctly with two Lua dissectors on the same port?


Problem description


I'm writing Lua scripts as Wireshark (1.12.4) plugins to dissect my private protocols. I have two protocols, and I wrote a single Lua script for each of them; both Lua scripts look like the following:

-- Protocol object and the two 16-bit fields it exposes to display filters
local my_pro = Proto("MyPro","My Protocol")
local my_pro_field_1 = ProtoField.uint16("MyPro.field_1","Field 1",base.HEX)
local my_pro_field_2 = ProtoField.uint16("MyPro.field_2","Field 2",base.HEX)
my_pro.fields = {my_pro_field_1,my_pro_field_2}

-- Fallback dissector: shows the payload as raw bytes
local data_dis = Dissector.get("data")

function my_pro.dissector(buf,pkt,root)
    -- Header check: a segment shorter than 4 bytes would make buf(2,2) throw,
    -- so treat it, like a non-matching header, as plain data
    if (buf:len() < 4 or buf(0,2):uint() ~= 1 or buf(2,2):uint() ~= 1) then
        data_dis:call(buf,pkt,root)
        return false
    end
    pkt.cols.protocol = "My Protocol"
    local tree = root:add(my_pro,buf(0,buf:len()))
    tree:add_le(my_pro_field_1,buf(0,2))
    tree:add_le(my_pro_field_2,buf(2,2))
    return true
end

-- Register on TCP port 80; a second script doing the same replaces this entry
local tcp_encap_table = DissectorTable.get("tcp.port")
tcp_encap_table:add(80,my_pro)


The problem is: the two protocols use the same port, and as I add both of these scripts to Wireshark's init.lua, only one of them takes effect. So, how can I get these two protocol dissectors to work correctly at the same time? Any solution is good, but the port can't be changed.

Recommended answer


If the port definitely can't be changed (which would be strange, since this appears to be running on port 80, which is the IANA-assigned port for HTTP), you have two real choices.


1) From the Wireshark packet list, use the "Decode As" option to manually select the protocol you want for each TCP stream, although this may change it for all streams in the capture.


2) Add an extra dissector layer that takes the payload from tcp.data, detects which of your protocols it is, and then passes the data on to your real dissectors.


A third option is just to combine your separate dissectors into one. Assuming each TCP stream will only have one or the other protocol in it, figure out in the first packet which protocol it is, and then decode as that.
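Options 2 and 3 from the answer, worked through as an added example (this is not the asker's script or the answerer's code): one demultiplexing dissector owns tcp.port 80, peeks at each segment to decide which private protocol it carries, remembers that decision per TCP stream, and hands the bytes to the real dissector. Everything protocol-specific here is an assumption: the two real dissectors are taken to have been created as Proto("MyProA", ...) and Proto("MyProB", ...) with their own tcp_encap_table:add(80, ...) lines removed, and the magic values 1 and 2 in the first two bytes are hypothetical.

```lua
-- Added example (not from the question or answer): a demultiplexer for
-- two private protocols sharing TCP port 80.
-- Assumptions (not from the page):
--   * the real dissectors were created as Proto("MyProA", ...) and
--     Proto("MyProB", ...) and no longer register themselves on port 80;
--   * protocol A starts with the big-endian 16-bit value 1, protocol B
--     with 2 (hypothetical magic values).
local demux = Proto("MyDemux", "Private protocol demultiplexer")

-- Field.new must be called at load time, before any packet is dissected.
local f_tcp_stream = Field.new("tcp.stream")

-- Per-stream cache: tcp.stream index -> dissector chosen on the first
-- classified packet (the answer's "one protocol per TCP stream" simplification).
local stream_proto = {}

-- Proto.init runs at the start of every (re)dissection, so the cache is
-- dropped whenever the capture is reloaded.
function demux.init()
    stream_proto = {}
end

-- Looked up lazily so it does not matter in which order init.lua loads the
-- scripts. Lua Proto names are registered lower-cased; Dissector.get raises
-- an error for an unknown name, hence the pcall.
local function real_dissector(name)
    local ok, d = pcall(Dissector.get, name)
    if ok then return d end
    return nil
end

-- Peek at the payload and decide which protocol this segment carries.
-- Returns a Dissector, or nil if neither magic value matches.
local function classify(buf)
    if buf:len() < 2 then return nil end
    local magic = buf(0, 2):uint()
    if magic == 1 then return real_dissector("myproa") end
    if magic == 2 then return real_dissector("myprob") end
    return nil
end

function demux.dissector(buf, pkt, root)
    local info = f_tcp_stream()          -- nil if tcp.stream is unavailable
    local key = info and info.value or nil

    -- Reuse the stream's earlier decision; otherwise classify this segment.
    local target = key and stream_proto[key] or nil
    if target == nil then
        target = classify(buf)
        if key and target then stream_proto[key] = target end
    end

    if target == nil then
        -- Unknown payload: show it as raw data instead of raising an error.
        Dissector.get("data"):call(buf, pkt, root)
        return
    end
    target:call(buf, pkt, root)
end

-- This script, not the two per-protocol scripts, takes over port 80.
DissectorTable.get("tcp.port"):add(80, demux)
```

Load this script from init.lua alongside the two protocol scripts, after deleting their own tcp_encap_table:add(80, ...) lines; each real dissector still validates its own header when called, so a mis-classified segment ends up as raw data rather than a Lua error. Note that adding any Lua dissector to tcp.port 80 displaces Wireshark's built-in HTTP dissector for that port, which is the same trade-off the asker's original scripts already make.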
