Wireshark dissector decoding 64-bit hex

Time: 2016-07-10 20:58:11

Tags: lua wireshark-dissector

I can't dissect a 64-bit hex value, and the method I have been reading about is to use ProtoField.uint64.

Without ProtoFields I can see this decoded fine in Wireshark, although it doesn't work for uint64.

-- declare our protocol
trivial_proto = Proto("triviala","trivial Protocol")

-- create a function to dissect it
function trivial_proto.dissector(buffer,pinfo,tree)
    pinfo.cols.protocol = "TRIVIA"
    local subtree = tree:add(trivial_proto,buffer(),"Trivia Protocol Data")
    -- bytes 0-1: session number, bytes 2-5: sequence number, bytes 6-7: message count
    subtree:add(buffer(0,2),"Session number: " .. buffer(0,2):uint())
    subtree:add(buffer(2,4),"Seq number: " .. buffer(2,4):uint())
    subtree:add(buffer(6,2),"no messages: " .. buffer(6,2):uint())
    -- bytes 8-15: 64-bit timestamp; uint64() returns a UInt64 object rather than a Lua number
    --Doesnt work
    --subtree:add(buffer(8,8),"Date time: " .. buffer(8,8):uint64())

end
-- load the udp.port table
udp_table = DissectorTable.get("udp.port")
-- register our protocol to handle each udp port
udp_table:add(20004,trivial_proto)
udp_table:add(20006,trivial_proto)
udp_table:add(20021,trivial_proto)

Wireshark dissecting msgs

When I try exactly the same thing with ProtoFields, using the same pcap, I can see my message type "TRIVIA" in Wireshark, but nothing is decoded in its subtree.

-- declare our protocol
trivial_proto = Proto("triviala","Trivia Protocol")

-- F is taken from trivial_proto.fields here (this is the direction that does not work)
local F = trivial_proto.fields

-- each ProtoField width must match the length of the buffer range it is added with
F.f_1 = ProtoField.uint16("triviala.sessnum","Session Number",base.HEX)
F.f_2 = ProtoField.uint32("triviala.seqnum","Sequence Number",base.HEX)
F.f_3 = ProtoField.uint16("triviala.nomsgs","Number Messages",base.HEX)
F.f_4 = ProtoField.uint64("triviala.time","Date Time",base.HEX)


-- create a function to dissect it
function trivial_proto.dissector(buffer,pinfo,tree)
    pinfo.cols.protocol = "TRIVIA"
    local subtree = tree:add(trivial_proto,buffer(),"Trivia Protocol Data")
    subtree:add(F.f_1, buffer(0,2))
    subtree:add(F.f_2, buffer(2,4))
    subtree:add(F.f_3, buffer(6,2))
    --subtree:add(F.f_4, buffer(8,8))
end
-- load the udp.port table
udp_table = DissectorTable.get("udp.port")
-- register our protocol to handle each udp port
udp_table:add(20004,trivial_proto)
udp_table:add(20006,trivial_proto)
udp_table:add(20021,trivial_proto)

Wireshark not dissecting msgs

Please help!

1 answer:

Answer 0 (score: 0)

You need to assign F to trivial_proto.fields, not the other way around.

If you refer to the fpm.lua script provided on the Wireshark Lua/Examples wiki page, you will see that you need to do the following:

-- build the field table first (table entries are separated by commas),
-- with each field width matching the buffer range it will be added with
local F =
{
    f_1 = ProtoField.uint16("triviala.sessnum","Session Number",base.HEX),
    f_2 = ProtoField.uint32("triviala.seqnum","Sequence Number",base.HEX),
    f_3 = ProtoField.uint16("triviala.nomsgs","Number Messages",base.HEX),
    f_4 = ProtoField.uint64("triviala.time","Date Time",base.HEX),
}

-- then register the table as the protocol's fields
trivial_proto.fields = F

...

subtree:add(F.f_1, buffer(0,2))
subtree:add(F.f_2, buffer(2,4))
subtree:add(F.f_3, buffer(6,2))
-- the uint64 field takes the 8-byte range directly
subtree:add(F.f_4, buffer(8,8))
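A complete version of the corrected dissector, added here as an example and not the poster's or the answerer's code: it uses the table-constructor form from the answer, gives each ProtoField a width that matches its buffer range (uint16 for the 2-byte fields), dissects the 8-byte timestamp with ProtoField.uint64, and rejects datagrams shorter than the header so a truncated or malformed packet produces a clean "not mine" result instead of a Lua error in the packet tree. The field layout and UDP ports are taken from the question; the fixed 16-byte header length and the Info column text are assumptions.

```lua
-- Added example: complete Trivia dissector (layout from the question, 16-byte header assumed)
local trivial_proto = Proto("triviala", "Trivia Protocol")

-- Field table built first, then assigned to trivial_proto.fields
local F = {
    sessnum = ProtoField.uint16("triviala.sessnum", "Session Number",     base.HEX),
    seqnum  = ProtoField.uint32("triviala.seqnum",  "Sequence Number",    base.HEX),
    nomsgs  = ProtoField.uint16("triviala.nomsgs",  "Number of Messages", base.DEC),
    time    = ProtoField.uint64("triviala.time",    "Date Time",          base.HEX),
}
trivial_proto.fields = F

-- Assumed fixed header: 2 + 4 + 2 + 8 bytes
local HEADER_LEN = 16

function trivial_proto.dissector(buffer, pinfo, tree)
    -- Bounds check before touching buffer(8,8): a short datagram on one of
    -- these ports must not blow up the dissector; returning 0 means "not ours".
    if buffer:len() < HEADER_LEN then
        return 0
    end

    pinfo.cols.protocol = "TRIVIA"
    local subtree = tree:add(trivial_proto, buffer(0, HEADER_LEN), "Trivia Protocol Data")

    -- Each range length matches the declared ProtoField width
    subtree:add(F.sessnum, buffer(0, 2))
    subtree:add(F.seqnum,  buffer(2, 4))
    subtree:add(F.nomsgs,  buffer(6, 2))
    -- ProtoField.uint64 reads the 8-byte range itself; no manual :uint64() needed
    subtree:add(F.time,    buffer(8, 8))

    -- When the value is needed in Lua it comes back as a UInt64 object,
    -- so convert it with tostring() before building a string.
    local ts = buffer(8, 8):uint64()
    pinfo.cols.info = "seq=" .. buffer(2, 4):uint() .. " time=0x" .. ts:tohex()

    return HEADER_LEN
end

-- Register the same dissector for every UDP port listed in the question
local udp_table = DissectorTable.get("udp.port")
for _, port in ipairs({ 20004, 20006, 20021 }) do
    udp_table:add(port, trivial_proto)
end
```

Drop the script in the personal plugins directory or load it for a single run with `tshark -X lua_script:trivial.lua -r capture.pcap`; the filter `triviala.time` then works on the 64-bit field like any built-in one.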