在撰写wireshark lua链式HTTP解析器时获取http有效负载

时间:2016-02-14 06:21:16

标签: wireshark-dissector

我的协议承载在 HTTP 之上，我需要一个解析器（dissector）来分析 HTTP 的有效负载（body）。在解析器函数里，如何只取得 HTTP 负载而跳过 HTTP 头部？

链式解析器看起来像这样：

local tcp_port_table = DissectorTable.get("tcp.port")
-- Whatever is registered for TCP/80 (normally HTTP), kept so it can still
-- be invoked after this script takes its place.
local original_http_dissector = tcp_port_table:get_dissector(80)

local function my_dissector(buf, pkt, root)
    -- Placeholder for the protocol-specific pass over one HTTP message.
    -- 'buf' is the whole TCP payload handed to the port dissector: the HTTP
    -- start-line and headers followed by the body, so slicing it here would
    -- mean re-parsing HTTP by hand. This stub is the open question of the
    -- post: how to obtain only the body. (The answer further down reads the
    -- http.file_data field that the original HTTP dissector populates, via
    -- Field.new, instead of slicing the buffer.)
    local b = buf
end
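-- Entry point registered for the protocol: run the real HTTP dissector
-- first (it builds the tree and populates the http.* fields), then hand
-- the same segment to my_dissector.
-- buf: Tvb of the TCP payload; pkt: Pinfo; root: TreeItem.
function p_MM.dissector(buf, pkt, root)
  local consumed = original_http_dissector:call(buf, pkt, root)
  -- Dissector:call() returns the number of bytes dissected on current
  -- Wireshark releases and nothing on old ones. The original
  -- `if original_http_dissector:call(...) then` was therefore wrong both
  -- ways: 0 is truthy in Lua, so an empty dissection still passed, and a
  -- nil return (old releases) meant my_dissector never ran at all.
  -- NOTE(review): some dissectors always report the full buffer length;
  -- treat "consumed" as a hint, not proof that HTTP parsed the segment.
  if consumed == nil or consumed > 0 then
    my_dissector(buf, pkt, root)
  end
end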


答案 0 :(得分:1)

我在做类似的事情时也折腾了一阵。下面的代码（基于 https://wiki.wireshark.org/Lua/Dissector 中的 http_extra 示例）先把 HTTP 内容放进一个新的数据标签页，再做一点非常简单的处理（与 0xA5 做 XOR——重新拼出一个可显示的 Tvb 比想象中麻烦），并把结果显示在第二个标签页里。注意示例挂钩的是 TCP 443 端口，该端口通常承载 TLS：只有在 Wireshark 能解密（已配置密钥日志或 RSA 私钥）的帧上 http.file_data 才会有值；明文 HTTP 请改用 80 或你的协议实际使用的端口。

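do
  -- Takes the place of the dissector registered on one TCP port, runs that
  -- original dissector first, and then exposes every http.file_data value
  -- of the frame as an extra data-source tab, plus a second tab holding the
  -- same bytes XOR'ed with XOR_KEY (a stand-in for whatever real
  -- post-processing the protocol needs).
  --
  -- NOTE(review): the hook applies to ALL traffic on the port. 443 normally
  -- carries TLS, so http.file_data is only populated on frames Wireshark can
  -- decrypt (key log / RSA key configured); for plaintext HTTP use 80 or the
  -- port the protocol really runs on.
  local HOOKED_TCP_PORT = 443
  local XOR_KEY = 0xA5

  local http_proto = Proto("http_extra", "Further process HTTP traffic")
  -- Field extractors must be created at load time, before any dissection.
  local f_http_data = Field.new("http.file_data")
  local original_http_dissector

  -- Byte-wise XOR that works whether the host Lua provides bit32 (5.2),
  -- bit (LuaJIT / 5.1) or neither (5.3+, where only the `~` operator
  -- exists and would not even parse on the older interpreters).
  local bxor = (bit32 and bit32.bxor) or (bit and bit.bxor)
  if not bxor then
    bxor = function(a, b)
      -- a, b are expected in 0..255 (they come from string.byte)
      local result, weight = 0, 1
      for _ = 1, 8 do
        if (a % 2) ~= (b % 2) then result = result + weight end
        a, b, weight = math.floor(a / 2), math.floor(b / 2), weight * 2
      end
      return result
    end
  end

  -- XOR every byte of a ByteArray against XOR_KEY and return the result as
  -- a hex string, which is the form ByteArray.new() expects when rebuilding
  -- a Tvb for display. Returns "" for an empty array. Local on purpose: the
  -- original `function xorf` leaked a global.
  local function xorf(data)
    local raw = data:raw()
    local hex = {}
    for i = 1, raw:len() do
      hex[i] = string.format("%02x", bxor(raw:byte(i), XOR_KEY))
    end
    return table.concat(hex)
  end

  -- Dissector entry point (tvbuffer: Tvb, pinfo: Pinfo, treeitem: TreeItem).
  function http_proto.dissector(tvbuffer, pinfo, treeitem)
    -- We replaced the original dissector in the table but still need it to
    -- run: it is what populates the http.* fields read below.
    original_http_dissector:call(tvbuffer, pinfo, treeitem)

    -- nothing to post-process in an empty segment
    if tvbuffer:len() == 0 then return end

    -- A Field call returns EVERY FieldInfo for the frame, so a segment that
    -- completes several HTTP messages yields several values; the original
    -- kept only the first. An empty result simply skips the loop.
    for _, finfo in ipairs({ f_http_data() }) do
      -- `range` is an attribute on current releases and was callable on
      -- some older ones; accept both.
      local tvbrange = finfo.range
      if type(tvbrange) == "function" then tvbrange = finfo.range() end
      -- ByteArray holding the bytes of this http.file_data occurrence
      local data = tvbrange:bytes()

      -- new tab with the untouched body
      ByteArray.tvb(data, "http.file_data")
      -- second tab with the processed body
      ByteArray.tvb(ByteArray.new(xorf(data)), "xor'ed")
    end
  end

  local tcp_dissector_table = DissectorTable.get("tcp.port")
  -- keep a handle on what was registered so it can still be called
  original_http_dissector = tcp_dissector_table:get_dissector(HOOKED_TCP_PORT)
  -- and take its place in the dissector table
  tcp_dissector_table:add(HOOKED_TCP_PORT, http_proto)
end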