2012-02-07 80 views
2

Wireshark Lua dissector for IEEE 802.15.4 - dissector name? I am working on a Wireshark dissector in Lua to dissect a custom protocol based on 802.15.4. Unfortunately I cannot figure out the correct DissectorTable name:

table = DissectorTable.get("wpan") -- wpan does not work 
table:add(0, myProto) -- I'm unsure about the first argument here 

Which dissector table name do I have to use to create the described dissector, and what goes in as the first argument of the add function?

Thanks in advance!

EDIT

I figured it out; I have to do it like this:

table = DissectorTable.get("wtap_encap") 
table:add(104, myProto) 

where 104 stands for 802.15.4.

I found it by looking at Wireshark -> Internals -> Dissector Tables.

+3

You should copy your edit into the answer box and mark it as the answer. – user748113 2012-02-08 04:19:46

+0

Yes, I tried to do that, but unfortunately I had to wait 24 hours to answer my own question, and now I have to wait again to accept it. :-) – 2012-02-08 18:44:15

Answers

3

To add to Martin's answer, you can also use the wtap table (which contains these integer constants) from init.lua, like this:

 
table:add(wtap["IEEE802_15_4"], myProto) 
table:add(wtap["IEEE802_15_4_NOFCS"], myProto) 


/usr/share/wireshark/init.lua (Windows: %PROGRAMFILES%\Wireshark\init.lua):

wtap = { 
    ["UNKNOWN"] = 0, 
    ["ETHERNET"] = 1, 
    ["TOKEN_RING"] = 2, 
    ["SLIP"] = 3, 
    ["PPP"] = 4, 
    ["FDDI"] = 5, 
    ["FDDI_BITSWAPPED"] = 6, 
    ["RAW_IP"] = 7, 
    ["ARCNET"] = 8, 
    ["ARCNET_LINUX"] = 9, 
    ["ATM_RFC1483"] = 10, 
    ["LINUX_ATM_CLIP"] = 11, 
    ["LAPB"] = 12, 
    ["ATM_PDUS"] = 13, 
    ["ATM_PDUS_UNTRUNCATED"] = 14, 
    ["NULL"] = 15, 
    ["ASCEND"] = 16, 
    ["ISDN"] = 17, 
    ["IP_OVER_FC"] = 18, 
    ["PPP_WITH_PHDR"] = 19, 
    ["IEEE_802_11"] = 20, 
    ["PRISM_HEADER"] = 21, 
    ["IEEE_802_11_WITH_RADIO"] = 22, 
    ["IEEE_802_11_WLAN_RADIOTAP"] = 23, 
    ["IEEE_802_11_WLAN_AVS"] = 24, 
    ["SLL"] = 25, 
    ["FRELAY"] = 26, 
    ["FRELAY_WITH_PHDR"] = 27, 
    ["CHDLC"] = 28, 
    ["CISCO_IOS"] = 29, 
    ["LOCALTALK"] = 30, 
    ["OLD_PFLOG"] = 31, 
    ["HHDLC"] = 32, 
    ["DOCSIS"] = 33, 
    ["COSINE"] = 34, 
    ["WFLEET_HDLC"] = 35, 
    ["SDLC"] = 36, 
    ["TZSP"] = 37, 
    ["ENC"] = 38, 
    ["PFLOG"] = 39, 
    ["CHDLC_WITH_PHDR"] = 40, 
    ["BLUETOOTH_H4"] = 41, 
    ["MTP2"] = 42, 
    ["MTP3"] = 43, 
    ["IRDA"] = 44, 
    ["USER0"] = 45, 
    ["USER1"] = 46, 
    ["USER2"] = 47, 
    ["USER3"] = 48, 
    ["USER4"] = 49, 
    ["USER5"] = 50, 
    ["USER6"] = 51, 
    ["USER7"] = 52, 
    ["USER8"] = 53, 
    ["USER9"] = 54, 
    ["USER10"] = 55, 
    ["USER11"] = 56, 
    ["USER12"] = 57, 
    ["USER13"] = 58, 
    ["USER14"] = 59, 
    ["USER15"] = 60, 
    ["SYMANTEC"] = 61, 
    ["APPLE_IP_OVER_IEEE1394"] = 62, 
    ["BACNET_MS_TP"] = 63, 
    ["NETTL_RAW_ICMP"] = 64, 
    ["NETTL_RAW_ICMPV6"] = 65, 
    ["GPRS_LLC"] = 66, 
    ["JUNIPER_ATM1"] = 67, 
    ["JUNIPER_ATM2"] = 68, 
    ["REDBACK"] = 69, 
    ["NETTL_RAW_IP"] = 70, 
    ["NETTL_ETHERNET"] = 71, 
    ["NETTL_TOKEN_RING"] = 72, 
    ["NETTL_FDDI"] = 73, 
    ["NETTL_UNKNOWN"] = 74, 
    ["MTP2_WITH_PHDR"] = 75, 
    ["JUNIPER_PPPOE"] = 76, 
    ["GCOM_TIE1"] = 77, 
    ["GCOM_SERIAL"] = 78, 
    ["NETTL_X25"] = 79, 
    ["K12"] = 80, 
    ["JUNIPER_MLPPP"] = 81, 
    ["JUNIPER_MLFR"] = 82, 
    ["JUNIPER_ETHER"] = 83, 
    ["JUNIPER_PPP"] = 84, 
    ["JUNIPER_FRELAY"] = 85, 
    ["JUNIPER_CHDLC"] = 86, 
    ["JUNIPER_GGSN"] = 87, 
    ["LINUX_LAPD"] = 88, 
    ["CATAPULT_DCT2000"] = 89, 
    ["BER"] = 90, 
    ["JUNIPER_VP"] = 91, 
    ["USB"] = 92, 
    ["IEEE802_16_MAC_CPS"] = 93, 
    ["NETTL_RAW_TELNET"] = 94, 
    ["USB_LINUX"] = 95, 
    ["MPEG"] = 96, 
    ["PPI"] = 97, 
    ["ERF"] = 98, 
    ["BLUETOOTH_H4_WITH_PHDR"] = 99, 
    ["SITA"] = 100, 
    ["SCCP"] = 101, 
    ["BLUETOOTH_HCI"] = 102, 
    ["IPMB"] = 103, 
    ["IEEE802_15_4"] = 104, 
    ["X2E_XORAYA"] = 105, 
    ["FLEXRAY"] = 106, 
    ["LIN"] = 107, 
    ["MOST"] = 108, 
    ["CAN20B"] = 109, 
    ["LAYER1_EVENT"] = 110, 
    ["X2E_SERIAL"] = 111, 
    ["I2C"] = 112, 
    ["IEEE802_15_4_NONASK_PHY"] = 113, 
    ["TNEF"] = 114, 
    ["USB_LINUX_MMAPPED"] = 115, 
    ["GSM_UM"] = 116, 
    ["DPNSS"] = 117, 
    ["PACKETLOGGER"] = 118, 
    ["NSTRACE_1_0"] = 119, 
    ["NSTRACE_2_0"] = 120, 
    ["FIBRE_CHANNEL_FC2"] = 121, 
    ["FIBRE_CHANNEL_FC2_WITH_FRAME_DELIMS"] = 122, 
    ["JPEG_JFIF"] = 123, 
    ["IPNET"] = 124, 
    ["SOCKETCAN"] = 125, 
    ["IEEE802_11_NETMON_RADIO"] = 126, 
    ["IEEE802_15_4_NOFCS"] = 127, 
    ["RAW_IPFIX"] = 128, 
    ["RAW_IP4"] = 129, 
    ["RAW_IP6"] = 130, 
    ["LAPD"] = 131, 
    ["DVBCI"] = 132, 
    ["MUX27010"] = 133, 
    ["MIME"] = 134, 
    ["NETANALYZER"] = 135, 
    ["NETANALYZER_TRANSPARENT"] = 136, 
    ["IP_OVER_IB"] = 137 
} 

+0

This is actually much better, because it is readable.... – 2012-02-09 16:28:46

0

To close this, my final solution looks like this:

table = DissectorTable.get("wtap_encap") 
table:add(104, myProto) 
table:add(127, myProto) 

where 104 and 127 stand for 802.15.4 (see Wireshark -> Internals -> Dissector Tables).

0

If the protocol is built on top of 802.15.4 and uses normal 802.15.4 data packets, there is a better way to do this. The answers above completely replace the 802.15.4 dissector with the custom one. However, the 802.15.4 dissector exposes dissection of the packet payload through a dissector table named "wpan.panid". The "pattern" passed in is the PAN ID for which the dissector should be used (which does not make much sense, since 802.15.4 PAN IDs are not assigned).

local foo = Proto("foo", "Foo dissector") 

-- Register as the dissector for panid 3. Will be automatically 
-- called for packets with panid 3 (picking a panid is mandatory, 
-- see https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=10696). 
-- Can additionally be manually selected using the "Decode as..." 
-- option. 
table = DissectorTable.get("wpan.panid") 
table:add(3, foo) 

Alternatively, you can register in the "wpan" table, which is used for heuristic dissectors for all 802.15.4 packets carrying a payload. Similarly, there is a "wpan.beacon" table which is called for beacon packets.

function dissector(tvb, pinfo, tree) 
    -- Do stuff here 
end 
foo.dissector = dissector 

-- Register as a heuristic dissector, that gets called for all wpan 
-- packets. We'd want to pass foo.dissector here, but it turns out 
-- register_heuristic needs an actual function. Passing a lambda 
-- doesn't work (since calling foo.dissector(...) discards the 
-- return value), so instead we define the dissector function in two 
-- steps above, so we can directly access the real function here. 
-- See also https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=10695 
foo:register_heuristic("wpan", dissector) 

Here are the relevant sources:

https://code.wireshark.org/review/gitweb?p=wireshark.git;a=blob;f=epan/dissectors/packet-ieee802154.c;h=6051c84e971a629dc482722f265bb75f83b15259;hb=54aea456331825be6f802edec510e4cb2e6cc34a#l2821
https://code.wireshark.org/review/gitweb?p=wireshark.git;a=blob;f=epan/dissectors/packet-ieee802154.c;h=6051c84e971a629dc482722f265bb75f83b15259;hb=54aea456331825be6f802edec510e4cb2e6cc34a#l1100
https://code.wireshark.org/review/gitweb?p=wireshark.git;a=blob;f=epan/dissectors/packet-ieee802154.c;h=6051c84e971a629dc482722f265bb75f83b15259;hb=54aea456331825be6f802edec510e4cb2e6cc34a#l1085
https://code.wireshark.org/review/gitweb?p=wireshark.git;a=blob;f=epan/dissectors/packet-ieee802154.h;h=02acfd555f1154a469b4e74add2e0e9d04d6c81d;hb=54aea456331825be6f802edec510e4cb2e6cc34a#l29

+0

I just found out that passing a lambda to register_heuristic did not handle the return value correctly, so I updated my answer to pass the dissector function directly to register_heuristic. See the referenced bugzilla report for details. – 2014-11-13 11:01:21
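Putting the last answer together, here is an added, complete Lua dissector for a constructed custom protocol layered on Wireshark's own ieee802154 dissector, registered both in "wpan.panid" and as a heuristic in "wpan". It is example code, not from the original post or from Wireshark; the frame layout, the 0xA5 magic byte and the PAN ID 0x1234 are assumptions. The point worth noticing is that the heuristic validates length and magic before touching the tree and returns false otherwise, so it cannot hijack unrelated 802.15.4 payloads.

```lua
-- Added example (not from the original post). Assumed frame layout:
--   byte 0    : magic 0xA5
--   byte 1    : message type
--   bytes 2-3 : sequence number (big-endian)
--   bytes 4.. : payload
local foo = Proto("foo", "Foo over IEEE 802.15.4")

local f_magic = ProtoField.uint8 ("foo.magic", "Magic", base.HEX)
local f_type  = ProtoField.uint8 ("foo.type",  "Message type", base.DEC)
local f_seq   = ProtoField.uint16("foo.seq",   "Sequence", base.DEC)
local f_data  = ProtoField.bytes ("foo.data",  "Payload")
foo.fields = { f_magic, f_type, f_seq, f_data }

local FOO_MAGIC  = 0xA5
local FOO_HDRLEN = 4
local FOO_PANID  = 0x1234 -- placeholder: the PAN ID your network actually uses

-- Returns the number of bytes consumed, or 0 if the payload is not ours.
local function dissect_foo(tvb, pinfo, tree)
  -- Validate before adding anything to the tree: an over-eager heuristic
  -- would otherwise claim frames that belong to other protocols.
  if tvb:len() < FOO_HDRLEN or tvb(0, 1):uint() ~= FOO_MAGIC then
    return 0
  end
  pinfo.cols.protocol = "FOO"
  local st = tree:add(foo, tvb())
  st:add(f_magic, tvb(0, 1))
  st:add(f_type,  tvb(1, 1))
  st:add(f_seq,   tvb(2, 2))
  if tvb:len() > FOO_HDRLEN then
    st:add(f_data, tvb(FOO_HDRLEN))
  end
  pinfo.cols.info = string.format("FOO type=%u seq=%u",
                                  tvb(1, 1):uint(), tvb(2, 2):uint())
  return tvb:len()
end

-- Normal dissector: used for data frames whose PAN ID matches, or when the
-- user selects "foo" via "Decode As...".
foo.dissector = dissect_foo
DissectorTable.get("wpan.panid"):add(FOO_PANID, foo)

-- Heuristic dissector: tried for every 802.15.4 payload. It must return a
-- boolean and must be a plain Lua function, not a lambda wrapper (bug 10695).
local function heur_foo(tvb, pinfo, tree)
  return dissect_foo(tvb, pinfo, tree) > 0
end
foo:register_heuristic("wpan", heur_foo)
```

Unlike the wtap_encap approach in the earlier answers, this keeps the MAC header dissection (addresses, FCS check) and only takes over the payload.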