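Below is a sample dump of a packet in a custom format, with a two-byte private header "00 01" at the beginning of each packet.
So is there a way to make Wireshark skip the two-byte private header and treat the remaining content as a normal PDU? Or how would I write a custom dissector for this?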
0000 00 01 ff ff ff ff ff ff f0 1f af 20 18 52 08 00
0010 45 00 01 63 4b cf 00 00 40 11 2d bc 00 00 00 00
0020 ff ff ff ff 00 44 00 43 01 4f 7a 9d 01 01 06 00
0030 09 e9 ac d2 04 00 00 00 00 00 00 00 00 00 00 00
0040 00 00 00 00 00 00 00 00 f0 1f af 20 18 52 00 00
0050 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0060 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0070 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0080 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0090 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00a0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00b0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00c0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00d0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00e0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00f0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0100 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0110 00 00 00 00 00 00 00 00 63 82 53 63 35 01 03 3d
0120 07 01 f0 1f af 20 18 52 32 04 0a 29 04 74 0c 0b
0130 42 4a 4e 47 4c 48 5a 42 41 4f 59 51 1d 00 00 00
0140 42 4a 4e 47 4c 48 5a 42 41 4f 59 2e 61 70 2e 74
0150 68 6d 75 6c 74 69 2e 63 6f 6d 3c 08 4d 53 46 54
0160 20 35 2e 30 37 0c 01 0f 03 06 2c 2e 2f 1f 21 79
0170 f9 2b ff
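Answer 0: (score: 0)
What are you trying to achieve? Does the leading header mean the packet belongs to the protocol you want to parse?
Anyway, if I understand you correctly, you need to treat these bytes as a field of the protocol, I guess.
If so, add the following structure to your dissector.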
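local proto = Proto("proto", "Private Header")  -- protocol object; name and description are placeholders
local f_magic = ProtoField.uint16("proto.magic", "Magic", base.HEX)
proto.fields = { f_magic }  -- fields must be registered on the protocol before use
function proto.dissector(buf, pkt, root)
    pkt.cols.protocol = proto.name
    local subtree = root:add(proto, buf(0))
    -- the first two bytes of each packet are the private header
    local magic_item = subtree:add(f_magic, buf(0, 2))
end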
If you need further help, I'll update my answer with more code/details. Hope this helps.
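In the posted dump, the bytes after "00 01" start with a broadcast destination MAC and EtherType 08 00, so the remainder can be handed to Wireshark's built-in Ethernet dissector. The following is an added example, not code from the answer above; the name privhdr, the treatment of 0x0001 as a fixed magic value, and the USER0 link-type registration are assumptions about how the capture is loaded.

```lua
-- Added example. Assumptions: the capture is opened with link-layer type USER0,
-- and the private header is a constant 0x0001 (as in the posted dump).
local privhdr = Proto("privhdr", "Private 2-byte Header")
local f_magic = ProtoField.uint16("privhdr.magic", "Magic", base.HEX)
privhdr.fields = { f_magic }

local HDR_LEN = 2
local EXPECTED_MAGIC = 0x0001
local eth_dissector = Dissector.get("eth_withoutfcs")  -- built-in Ethernet dissector
local data_dissector = Dissector.get("data")           -- generic raw-bytes dissector

function privhdr.dissector(buf, pkt, root)
    -- Truncated frame: not even the private header is present, so reject it.
    if buf:len() < HDR_LEN then
        return 0
    end

    pkt.cols.protocol = privhdr.name
    local subtree = root:add(privhdr, buf(0, HDR_LEN))
    local magic_item = subtree:add(f_magic, buf(0, HDR_LEN))

    -- Nothing follows the header: there is no inner PDU to dissect.
    if buf:len() == HDR_LEN then
        return HDR_LEN
    end

    -- New tvb starting after the private header, so inner offsets begin at 0.
    local payload = buf(HDR_LEN):tvb()

    if buf(0, HDR_LEN):uint() ~= EXPECTED_MAGIC then
        -- Unknown header value: flag it and show the rest as raw data
        -- instead of guessing that an Ethernet frame follows.
        magic_item:add_expert_info(PI_MALFORMED, PI_WARN, "Unexpected magic value")
        data_dissector:call(payload, pkt, root)
    else
        -- Normal case: the remainder is an ordinary Ethernet frame.
        eth_dissector:call(payload, pkt, root)
    end
    return buf:len()
end

-- Bind the dissector to the USER0 encapsulation (assumed link type of the capture).
DissectorTable.get("wtap_encap"):add(wtap.USER0, privhdr)
```

With this loaded, the packet tree shows the Magic field first and then the usual Ethernet, IPv4, UDP and DHCP layers for the sample frame.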