活动

天翼云最新优惠活动,涵盖免费试用,产品折扣等,助您降本增效!
热门活动
免费活动
  • 活动
  • 智算服务
  • 产品
  • 解决方案
  • 应用商城
  • 合作伙伴
  • 开发者
  • 支持与服务
  • 了解天翼云
searchusermenu
  • 发布文章
  • 消息中心
点赞
收藏
评论
分享
原创

如何编写wireshark插件

安全加速
2025-01-08 09:31:54
44
0

1 插件支持的语言

插件支持c, lua, python语言开发,c需要编译插件,python需要环境安装,lua基本上发行版本默认支持(在帮助->关于里面,可以看到支持的lua版本,例

Compiled (64-bit) using Microsoft Visual Studio 2022 (VC++ 14.37, build 32822), with GLib 2.72.3, with PCRE2, with zlib 1.2.12, with Qt 5.15.2, with libpcap, with Lua 5.2.4, with GnuTLS 3.6.3 and PKCS #11 support

本文以lua插件为例

2 编写插件

1 首先注册一个协议
例:
local flv = Proto("flv", "flv parser");
该协议名称为flv,描述为flv parser,后续加载该插件时会看到这些字段。

2 绑定处理的协议或端口
例:
DissectorTable.get("tcp.port"):add(80, flv)

3 实现分析函数dissector(buf, pinfo, tree)
例 function flv.dissector(buf, pinfo, tree)

其中buf是网卡捕获的数据内容
例:
buf:len()获取数据长度
local str = buf(0,len):string() 转为lua string


pinfo对应wireshark界面上方的解析框,修改pinfo的值,可以修改各个字段的内容,颜色等
例:pinfo.cols.protocol:set('FLV')可以修改protocal列的名称为FLV

tree对应wireshark界面下发的数据解析tree,修改可以改变tree的内容,或者增加子tree
例 tree:add(flv, buf(0), "flv parser")在tree界面增加一个新的模块


3启用插件

插件文件放入wireshark的插件目录,通常是Program Files\Wireshark\plugins

打开wireshark的分析->启用的协议->已启用的协议

界面中可以勾选刚添加的协议内容flv

打开抓包文件时,匹配到该协议内容的数据,就会呈现相应的info和tree内容

 

调试:

通过ctrl+shift+L可以重新加载lua插件

可通过增加debug tree来进行数据调试

 

附件:解析flv的meta

 

local flv = Proto("flv", "flv parser");
local f_proto = ProtoField.uint8("flv.protocol", "FLV", base.HEX)
local f_str = ProtoField.string("flv.text", "FLV")

flv.fields = {
    f_proto,f_str
}

local AMF_DATA_TYPE_NUMBER      = "00"
local AMF_DATA_TYPE_BOOL        = "01"
local AMF_DATA_TYPE_STRING      = "02"
local AMF_DATA_TYPE_OBJECT      = "03"
local AMF_DATA_TYPE_NULL        = "05"
local AMF_DATA_TYPE_UNDEFINED   = "06"
local AMF_DATA_TYPE_REFERENCE   = "07"
local AMF_DATA_TYPE_MIXEDARRAY  = "08"
local AMF_DATA_TYPE_OBJECT_END  = "09"
local AMF_DATA_TYPE_ARRAY       = "0a"
local AMF_DATA_TYPE_DATE        = "0b"
local AMF_DATA_TYPE_LONG_STRING = "0c"
local AMF_DATA_TYPE_UNSUPPORTED = "0d"
local onMetadata = "02000A6F6E4D65746144617461"

local STATUS_NONE = 0
local STATUS_BODY = 1
local STATUS_META = 2
local STATUS_DONE = 3

local dmap = {}
function debug(tree, msg)
    if tree then
        local dt = dmap[tree]
        if dt == nil then
            dt = tree:add("[DEBUG]")
            dmap[tree] = dt
        end
        dt:add(msg)
    end
end

local function hex32_to_float(str)
    local num = tonumber(str, 16)
    local sign = math.modf(num / (2^31))
    local e = num % (2^31)
    e = math.modf(e/(2^23)) - 127
    local m = num % (2^23)
    for i=1, 23 do
        m = m / 2
    end
    m = m + 1
    num = (-1)^sign * m * 2^e
    num = tonumber(string.format('%.3f', num))
    return num
end

local function hex64tofloat(str)
    local num = tonumber(str, 16)
    local sign = math.modf(num / (2^63))
    local e = num % (2^63)
    e = math.modf(e/(2^52)) - 1023
    local m = num % (2^52)
    for i=1, 52 do
        m = m / 2
    end
    m = m + 1
    num = (-1)^sign * m * 2^e
    num = tonumber(string.format('%.3f', num))
    return num
end

local function get_type(buf)
    local type = string.sub(buf.data, buf.pos, buf.pos + 1)
    buf.pos = buf.pos + 2
    return type
end

local function get_num(buf, tree)
    local str = string.sub(buf.data, buf.pos, buf.pos + 15)
    local num = hex64tofloat(str)
    buf.pos = buf.pos + 16
    return num
end

local function get_bool(buf, tree)
    local str = string.sub(buf.data, buf.pos, buf.pos + 1)
    buf.pos = buf.pos + 2
    if str == "01" then
        return "1"
    end
    return "0"
end

local function get_string(buf, tree)
    local len = tonumber(string.sub(buf.data, buf.pos, buf.pos + 3), 16)
    buf.pos = buf.pos + 4
    if len == 0 then
        debug(tree, "len:"..len.." next:"..buf.pos.. " buf:"..string.sub(buf.data, buf.pos, buf.pos + 3))
        return nil
    end
    local str = ""
    for i = 1, len, 1 do
        str = str ..  string.char(tonumber(string.sub(buf.data, buf.pos, buf.pos + 1), 16))
        buf.pos = buf.pos + 2
    end
    debug(tree, "len:"..len.." " .. str.. " next:"..buf.pos)
    return str
end

local function parse_meta(buf, subtree)
    local type = get_type(buf)
    if buf.pos<buf.len - 15 then
        debug(subtree, "pos:".. buf.pos.. " type:"..type.. " buf:"..string.sub(buf.data, buf.pos, buf.pos + 15))
    else
        debug(subtree, "pos:".. buf.pos.. " type:"..type.. " buf:"..string.sub(buf.data, buf.pos, buf.len - buf.pos))
    end
    if type == AMF_DATA_TYPE_NUMBER then
        local num = get_num(buf, subtree)
        return num
    elseif type == AMF_DATA_TYPE_BOOL then
        local num = get_bool(buf, subtree)
        return num
    elseif type == AMF_DATA_TYPE_STRING then
        local str = get_string(buf, subtree)
        return str
    elseif type == AMF_DATA_TYPE_OBJECT then
        while buf.pos < buf.len do
            if not buf.key then
                buf.key = get_string(buf, subtree)
                if buf.key == nil then
                    parse_meta(buf, subtree)
                end
            else
                local ret = parse_meta(buf, subtree)
                if ret == nil then
                    return
                end
                subtree:add(buf.key .. ":".. ret)
                --debug(subtree, "key:"..buf.key.." val:" .. ret)
                buf.key = nil
            end
        end
    elseif type == AMF_DATA_TYPE_ARRAY then
        buf.depth = buf.depth + 1
        --todo
    elseif type == AMF_DATA_TYPE_DATE then
    elseif type == AMF_DATA_TYPE_MIXEDARRAY then
        buf.pos = buf.pos + 8
        while buf.pos < buf.len do
            if not buf.key then
                buf.key = get_string(buf, subtree)
                if buf.key == nil then
                    parse_meta(buf, subtree)
                end
            else
                local ret = parse_meta(buf, subtree)
                subtree:add(buf.key .. ":".. ret)
                --debug(subtree, "key:"..buf.key.." val:" .. ret)
                buf.key = nil
            end
        end
    elseif type == AMF_DATA_TYPE_NULL or type == AMF_DATA_TYPE_UNDEFINED or type == AMF_DATA_TYPE_UNSUPPORTED then
    elseif type == AMF_DATA_TYPE_OBJECT_END then
        buf.pos = buf.len
        return nil
    else
        buf.pos = buf.len
    end
end

local data_dis = Dissector.get("data")



function flv.init()

end

local function parse_body(body, pinfo, tree)
    local b = string.find(body, onMetadata)
    if b then
        --find onMetadata
        pinfo.cols.info = "onMetadata"
        body = string.sub(body, b+string.len(onMetadata))
        local parse = {}
        parse.pos = 1
        parse.data = body
        parse.len = string.len(body)
        parse.depth = 1
        parse.key = nil
        while true do
            if parse.pos >= parse.len then
                break
            end
            parse_meta(parse, tree)
        end
    end
end

function flv.dissector(buf, pinfo, tree)
    if pinfo then
        local len = buf:len()
        if status then
            if status == STATUS_BODY then
                local str = buf(0,len):string()
                local subtree = tree:add(flv, buf(0), "flv parser")
                local bodybytes = buf:bytes(0, len):tohex()
                parse_body(bodybytes,pinfo, tree)
            end
        end
        if len < 10 then
        elseif buf(0,4):string() == "HTTP" then
            status = STATUS_BODY
            local str = buf(0,len):string()
            local p = string.find(str, "\r\n\r\n")
            if p then
                --find body
                local subtree = tree:add(flv, buf(0), "flv parser")
                p = string.find(str, "FLV", p + 1)
                if p then
                    --find FLV
                    debug(tree, "find flv")
                    local bodybytes = buf:bytes(p+4, len - p - 4):tohex()
                    parse_body(bodybytes,pinfo, subtree)
                end
            end
            return
        elseif buf(0,3):string() == "GET" then
            status = STATUS_NONE
            local str = buf(0,len):string()
            local p = string.find(str, ".flv")
            if p then
                local stream = string.sub(str, 4, p+4)
                pinfo.cols.info = "Stream:" .. stream
                p = string.find(str, "Host")
                if p then
                    local p2 = string.find(str, "\n", p + 1)
                    local host = string.sub(str, p, p2-1)
                    pinfo.cols.info:append(host)
                end
                pinfo.cols.protocol:set('FLV')
            end
            return
        end
    end
    data_dis:call(buf(0):tvb(), pinfo, tree)
end


DissectorTable.get("tcp.port"):add(80, flv

版权声明:本文内容系天翼云实名用户自发贡献,版权归原作者所有,天翼云开发者社区不拥有其著作权,亦不承担相应法律责任,未经许可,不得转载。

如有疑问或争议,请联系ctyunbbs@chinatelecom.cn删除。

0条评论
0 / 1000
张****东
8文章数
0粉丝数
张****东
8 文章 | 0 粉丝
Ta的热门文章查看更多
直播中的延播实现直播时移流的录制redis使用lua脚本Redis集群迁移redis版本升级
张****东
8文章数
0粉丝数
张****东
8 文章 | 0 粉丝
原创

如何编写wireshark插件

安全加速
2025-01-08 09:31:54
44
0

1 插件支持的语言

插件支持c, lua, python语言开发,c需要编译插件,python需要环境安装,lua基本上发行版本默认支持(在帮助->关于里面,可以看到支持的lua版本,例

Compiled (64-bit) using Microsoft Visual Studio 2022 (VC++ 14.37, build 32822), with GLib 2.72.3, with PCRE2, with zlib 1.2.12, with Qt 5.15.2, with libpcap, with Lua 5.2.4, with GnuTLS 3.6.3 and PKCS #11 support

本文以lua插件为例

2 编写插件

1 首先注册一个协议
例:
local flv = Proto("flv", "flv parser");
该协议名称为flv,描述为flv parser,后续加载该插件时会看到这些字段。

2 绑定处理的协议或端口
例:
DissectorTable.get("tcp.port"):add(80, flv)

3 实现分析函数dissector(buf, pinfo, tree)
例 function flv.dissector(buf, pinfo, tree)

其中buf是网卡捕获的数据内容
例:
buf:len()获取数据长度
local str = buf(0,len):string() 转为lua string


pinfo对应wireshark界面上方的解析框,修改pinfo的值,可以修改各个字段的内容,颜色等
例:pinfo.cols.protocol:set('FLV')可以修改protocal列的名称为FLV

tree对应wireshark界面下发的数据解析tree,修改可以改变tree的内容,或者增加子tree
例 tree:add(flv, buf(0), "flv parser")在tree界面增加一个新的模块


3启用插件

插件文件放入wireshark的插件目录,通常是Program Files\Wireshark\plugins

打开wireshark的分析->启用的协议->已启用的协议

界面中可以勾选刚添加的协议内容flv

打开抓包文件时,匹配到该协议内容的数据,就会呈现相应的info和tree内容

 

调试:

通过ctrl+shift+L可以重新加载lua插件

可通过增加debug tree来进行数据调试

 

附件:解析flv的meta

 

local flv = Proto("flv", "flv parser");
local f_proto = ProtoField.uint8("flv.protocol", "FLV", base.HEX)
local f_str = ProtoField.string("flv.text", "FLV")

flv.fields = {
    f_proto,f_str
}

local AMF_DATA_TYPE_NUMBER      = "00"
local AMF_DATA_TYPE_BOOL        = "01"
local AMF_DATA_TYPE_STRING      = "02"
local AMF_DATA_TYPE_OBJECT      = "03"
local AMF_DATA_TYPE_NULL        = "05"
local AMF_DATA_TYPE_UNDEFINED   = "06"
local AMF_DATA_TYPE_REFERENCE   = "07"
local AMF_DATA_TYPE_MIXEDARRAY  = "08"
local AMF_DATA_TYPE_OBJECT_END  = "09"
local AMF_DATA_TYPE_ARRAY       = "0a"
local AMF_DATA_TYPE_DATE        = "0b"
local AMF_DATA_TYPE_LONG_STRING = "0c"
local AMF_DATA_TYPE_UNSUPPORTED = "0d"
local onMetadata = "02000A6F6E4D65746144617461"

local STATUS_NONE = 0
local STATUS_BODY = 1
local STATUS_META = 2
local STATUS_DONE = 3

local dmap = {}
function debug(tree, msg)
    if tree then
        local dt = dmap[tree]
        if dt == nil then
            dt = tree:add("[DEBUG]")
            dmap[tree] = dt
        end
        dt:add(msg)
    end
end

local function hex32_to_float(str)
    local num = tonumber(str, 16)
    local sign = math.modf(num / (2^31))
    local e = num % (2^31)
    e = math.modf(e/(2^23)) - 127
    local m = num % (2^23)
    for i=1, 23 do
        m = m / 2
    end
    m = m + 1
    num = (-1)^sign * m * 2^e
    num = tonumber(string.format('%.3f', num))
    return num
end

local function hex64tofloat(str)
    local num = tonumber(str, 16)
    local sign = math.modf(num / (2^63))
    local e = num % (2^63)
    e = math.modf(e/(2^52)) - 1023
    local m = num % (2^52)
    for i=1, 52 do
        m = m / 2
    end
    m = m + 1
    num = (-1)^sign * m * 2^e
    num = tonumber(string.format('%.3f', num))
    return num
end

local function get_type(buf)
    local type = string.sub(buf.data, buf.pos, buf.pos + 1)
    buf.pos = buf.pos + 2
    return type
end

local function get_num(buf, tree)
    local str = string.sub(buf.data, buf.pos, buf.pos + 15)
    local num = hex64tofloat(str)
    buf.pos = buf.pos + 16
    return num
end

local function get_bool(buf, tree)
    local str = string.sub(buf.data, buf.pos, buf.pos + 1)
    buf.pos = buf.pos + 2
    if str == "01" then
        return "1"
    end
    return "0"
end

local function get_string(buf, tree)
    local len = tonumber(string.sub(buf.data, buf.pos, buf.pos + 3), 16)
    buf.pos = buf.pos + 4
    if len == 0 then
        debug(tree, "len:"..len.." next:"..buf.pos.. " buf:"..string.sub(buf.data, buf.pos, buf.pos + 3))
        return nil
    end
    local str = ""
    for i = 1, len, 1 do
        str = str ..  string.char(tonumber(string.sub(buf.data, buf.pos, buf.pos + 1), 16))
        buf.pos = buf.pos + 2
    end
    debug(tree, "len:"..len.." " .. str.. " next:"..buf.pos)
    return str
end

local function parse_meta(buf, subtree)
    local type = get_type(buf)
    if buf.pos<buf.len - 15 then
        debug(subtree, "pos:".. buf.pos.. " type:"..type.. " buf:"..string.sub(buf.data, buf.pos, buf.pos + 15))
    else
        debug(subtree, "pos:".. buf.pos.. " type:"..type.. " buf:"..string.sub(buf.data, buf.pos, buf.len - buf.pos))
    end
    if type == AMF_DATA_TYPE_NUMBER then
        local num = get_num(buf, subtree)
        return num
    elseif type == AMF_DATA_TYPE_BOOL then
        local num = get_bool(buf, subtree)
        return num
    elseif type == AMF_DATA_TYPE_STRING then
        local str = get_string(buf, subtree)
        return str
    elseif type == AMF_DATA_TYPE_OBJECT then
        while buf.pos < buf.len do
            if not buf.key then
                buf.key = get_string(buf, subtree)
                if buf.key == nil then
                    parse_meta(buf, subtree)
                end
            else
                local ret = parse_meta(buf, subtree)
                if ret == nil then
                    return
                end
                subtree:add(buf.key .. ":".. ret)
                --debug(subtree, "key:"..buf.key.." val:" .. ret)
                buf.key = nil
            end
        end
    elseif type == AMF_DATA_TYPE_ARRAY then
        buf.depth = buf.depth + 1
        --todo
    elseif type == AMF_DATA_TYPE_DATE then
    elseif type == AMF_DATA_TYPE_MIXEDARRAY then
        buf.pos = buf.pos + 8
        while buf.pos < buf.len do
            if not buf.key then
                buf.key = get_string(buf, subtree)
                if buf.key == nil then
                    parse_meta(buf, subtree)
                end
            else
                local ret = parse_meta(buf, subtree)
                subtree:add(buf.key .. ":".. ret)
                --debug(subtree, "key:"..buf.key.." val:" .. ret)
                buf.key = nil
            end
        end
    elseif type == AMF_DATA_TYPE_NULL or type == AMF_DATA_TYPE_UNDEFINED or type == AMF_DATA_TYPE_UNSUPPORTED then
    elseif type == AMF_DATA_TYPE_OBJECT_END then
        buf.pos = buf.len
        return nil
    else
        buf.pos = buf.len
    end
end

local data_dis = Dissector.get("data")



function flv.init()

end

local function parse_body(body, pinfo, tree)
    local b = string.find(body, onMetadata)
    if b then
        --find onMetadata
        pinfo.cols.info = "onMetadata"
        body = string.sub(body, b+string.len(onMetadata))
        local parse = {}
        parse.pos = 1
        parse.data = body
        parse.len = string.len(body)
        parse.depth = 1
        parse.key = nil
        while true do
            if parse.pos >= parse.len then
                break
            end
            parse_meta(parse, tree)
        end
    end
end

function flv.dissector(buf, pinfo, tree)
    if pinfo then
        local len = buf:len()
        if status then
            if status == STATUS_BODY then
                local str = buf(0,len):string()
                local subtree = tree:add(flv, buf(0), "flv parser")
                local bodybytes = buf:bytes(0, len):tohex()
                parse_body(bodybytes,pinfo, tree)
            end
        end
        if len < 10 then
        elseif buf(0,4):string() == "HTTP" then
            status = STATUS_BODY
            local str = buf(0,len):string()
            local p = string.find(str, "\r\n\r\n")
            if p then
                --find body
                local subtree = tree:add(flv, buf(0), "flv parser")
                p = string.find(str, "FLV", p + 1)
                if p then
                    --find FLV
                    debug(tree, "find flv")
                    local bodybytes = buf:bytes(p+4, len - p - 4):tohex()
                    parse_body(bodybytes,pinfo, subtree)
                end
            end
            return
        elseif buf(0,3):string() == "GET" then
            status = STATUS_NONE
            local str = buf(0,len):string()
            local p = string.find(str, ".flv")
            if p then
                local stream = string.sub(str, 4, p+4)
                pinfo.cols.info = "Stream:" .. stream
                p = string.find(str, "Host")
                if p then
                    local p2 = string.find(str, "\n", p + 1)
                    local host = string.sub(str, p, p2-1)
                    pinfo.cols.info:append(host)
                end
                pinfo.cols.protocol:set('FLV')
            end
            return
        end
    end
    data_dis:call(buf(0):tvb(), pinfo, tree)
end


DissectorTable.get("tcp.port"):add(80, flv

版权声明:本文内容系天翼云实名用户自发贡献,版权归原作者所有,天翼云开发者社区不拥有其著作权,亦不承担相应法律责任,未经许可,不得转载。

如有疑问或争议,请联系ctyunbbs@chinatelecom.cn删除。

文章来自个人专栏
文章 | 订阅
0条评论
0 / 1000
请输入你的评论
1
1
售前咨询热线
400-810-9889转1
关注天翼云
  • 权益商城
  • 天翼云APP
  • 天翼云微信公众号
服务与支持
账户管理
快速入口
云网生态
了解天翼云
热门产品
热门推荐
更多推荐
友情链接
©2025 天翼云科技有限公司版权所有 增值电信业务经营许可证A2.B1.B2-20090001
公司地址:北京市东城区青龙胡同甲1号、3号2幢2层205-32室
备案京公网安备11010802043424号京ICP备 2021034386号