我正在使用lua中的wireshark解剖器来剖析基于802.15.4的自定义协议。不幸的是我找不到正确的DissectorTable名称:
table = DissectorTable.get("wpan") -- wpan does not work
table:add(0, myProto) -- I'm unsure about the first argument here
我必须使用什么解剖器表名来创建所描述的解剖器?什么作为add函数的第一个参数?
提前致谢!
修改
我发现我必须这样做:
table = DissectorTable.get("wtap_encap")
table:add(104, myProto)
其中104代表802.15.4。
我通过查看wireshark找到了它 - >内部 - >解剖器表
答案 0 :(得分:3)
要添加到Martin的答案中,您还可以使用wtap中的init.lua表(包含这些整数常量),如下所示:
table:add(wtap["IEEE802_15_4"], myProto) table:add(wtap["IEEE802_15_4_NOFCS"], myProto)
来自/usr/share/wireshark/init.lua(Windows:%PROGRAMFILES%\Wireshark\init.lua):
wtap = {
["UNKNOWN"] = 0,
["ETHERNET"] = 1,
["TOKEN_RING"] = 2,
["SLIP"] = 3,
["PPP"] = 4,
["FDDI"] = 5,
["FDDI_BITSWAPPED"] = 6,
["RAW_IP"] = 7,
["ARCNET"] = 8,
["ARCNET_LINUX"] = 9,
["ATM_RFC1483"] = 10,
["LINUX_ATM_CLIP"] = 11,
["LAPB"] = 12,
["ATM_PDUS"] = 13,
["ATM_PDUS_UNTRUNCATED"] = 14,
["NULL"] = 15,
["ASCEND"] = 16,
["ISDN"] = 17,
["IP_OVER_FC"] = 18,
["PPP_WITH_PHDR"] = 19,
["IEEE_802_11"] = 20,
["PRISM_HEADER"] = 21,
["IEEE_802_11_WITH_RADIO"] = 22,
["IEEE_802_11_WLAN_RADIOTAP"] = 23,
["IEEE_802_11_WLAN_AVS"] = 24,
["SLL"] = 25,
["FRELAY"] = 26,
["FRELAY_WITH_PHDR"] = 27,
["CHDLC"] = 28,
["CISCO_IOS"] = 29,
["LOCALTALK"] = 30,
["OLD_PFLOG"] = 31,
["HHDLC"] = 32,
["DOCSIS"] = 33,
["COSINE"] = 34,
["WFLEET_HDLC"] = 35,
["SDLC"] = 36,
["TZSP"] = 37,
["ENC"] = 38,
["PFLOG"] = 39,
["CHDLC_WITH_PHDR"] = 40,
["BLUETOOTH_H4"] = 41,
["MTP2"] = 42,
["MTP3"] = 43,
["IRDA"] = 44,
["USER0"] = 45,
["USER1"] = 46,
["USER2"] = 47,
["USER3"] = 48,
["USER4"] = 49,
["USER5"] = 50,
["USER6"] = 51,
["USER7"] = 52,
["USER8"] = 53,
["USER9"] = 54,
["USER10"] = 55,
["USER11"] = 56,
["USER12"] = 57,
["USER13"] = 58,
["USER14"] = 59,
["USER15"] = 60,
["SYMANTEC"] = 61,
["APPLE_IP_OVER_IEEE1394"] = 62,
["BACNET_MS_TP"] = 63,
["NETTL_RAW_ICMP"] = 64,
["NETTL_RAW_ICMPV6"] = 65,
["GPRS_LLC"] = 66,
["JUNIPER_ATM1"] = 67,
["JUNIPER_ATM2"] = 68,
["REDBACK"] = 69,
["NETTL_RAW_IP"] = 70,
["NETTL_ETHERNET"] = 71,
["NETTL_TOKEN_RING"] = 72,
["NETTL_FDDI"] = 73,
["NETTL_UNKNOWN"] = 74,
["MTP2_WITH_PHDR"] = 75,
["JUNIPER_PPPOE"] = 76,
["GCOM_TIE1"] = 77,
["GCOM_SERIAL"] = 78,
["NETTL_X25"] = 79,
["K12"] = 80,
["JUNIPER_MLPPP"] = 81,
["JUNIPER_MLFR"] = 82,
["JUNIPER_ETHER"] = 83,
["JUNIPER_PPP"] = 84,
["JUNIPER_FRELAY"] = 85,
["JUNIPER_CHDLC"] = 86,
["JUNIPER_GGSN"] = 87,
["LINUX_LAPD"] = 88,
["CATAPULT_DCT2000"] = 89,
["BER"] = 90,
["JUNIPER_VP"] = 91,
["USB"] = 92,
["IEEE802_16_MAC_CPS"] = 93,
["NETTL_RAW_TELNET"] = 94,
["USB_LINUX"] = 95,
["MPEG"] = 96,
["PPI"] = 97,
["ERF"] = 98,
["BLUETOOTH_H4_WITH_PHDR"] = 99,
["SITA"] = 100,
["SCCP"] = 101,
["BLUETOOTH_HCI"] = 102,
["IPMB"] = 103,
["IEEE802_15_4"] = 104,
["X2E_XORAYA"] = 105,
["FLEXRAY"] = 106,
["LIN"] = 107,
["MOST"] = 108,
["CAN20B"] = 109,
["LAYER1_EVENT"] = 110,
["X2E_SERIAL"] = 111,
["I2C"] = 112,
["IEEE802_15_4_NONASK_PHY"] = 113,
["TNEF"] = 114,
["USB_LINUX_MMAPPED"] = 115,
["GSM_UM"] = 116,
["DPNSS"] = 117,
["PACKETLOGGER"] = 118,
["NSTRACE_1_0"] = 119,
["NSTRACE_2_0"] = 120,
["FIBRE_CHANNEL_FC2"] = 121,
["FIBRE_CHANNEL_FC2_WITH_FRAME_DELIMS"] = 122,
["JPEG_JFIF"] = 123,
["IPNET"] = 124,
["SOCKETCAN"] = 125,
["IEEE802_11_NETMON_RADIO"] = 126,
["IEEE802_15_4_NOFCS"] = 127,
["RAW_IPFIX"] = 128,
["RAW_IP4"] = 129,
["RAW_IP6"] = 130,
["LAPD"] = 131,
["DVBCI"] = 132,
["MUX27010"] = 133,
["MIME"] = 134,
["NETANALYZER"] = 135,
["NETANALYZER_TRANSPARENT"] = 136,
["IP_OVER_IB"] = 137
}
答案 1 :(得分:1)
如果您的协议建立在802.15.4之上并使用普通的802.15.4数据包,那么有一种更好的方法可以做到这一点。以上答案完全取代了自定义的802.15.4解剖器。但是,802.15.4剖析器通过名为" wpan.panid"的解剖器表公开数据包有效载荷的剖析。 "模式"传入的是应该使用这个解剖器的pan id(由于没有分配802.15.4 panid,所以它并没有真正有意义。)
local foo = Proto("foo", "Foo dissector")
-- Register as the dissector for panid 3. Will be automatically
-- called for packets with panid 3 (picking a panid is mandatory,
-- see https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=10696).
-- Can additionally be manually selected using the "Decode as..."
-- option.
table = DissectorTable.get("wpan.panid")
table:add(3, foo)
或者,您可以在" wpan"中注册启发式解剖器。表,将为所有802.15.4有效负载数据包调用。同样地,还有一个" wpan.beacon"将要为信标包调用的表。
function dissector(tvb, pinfo, tree)
-- Do stuff here
end
foo.dissector = dissector
-- Register as a heuristic dissector, that gets called for all wpan
-- packets. We'd want to pass foo.dissector here, but it turns out
-- register_heuristic needs an actual function. Passing a lambda
-- doesn't work (since calling foo.dissector(...) discards the
-- return value), so instead we define the dissector function in two
-- steps above, so we can directly access the real function here.
-- See also https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=10695
foo:register_heuristic("wpan", dissector)
以下是相关来源:
https://code.wireshark.org/review/gitweb?p=wireshark.git;a=blob;f=epan/dissectors/packet-ieee802154.c;h=6051c84e971a629dc482722f265bb75f83b15259;hb=54aea456331825be6f802edec510e4cb2e6cc34a#l2821 https://code.wireshark.org/review/gitweb?p=wireshark.git;a=blob;f=epan/dissectors/packet-ieee802154.c;h=6051c84e971a629dc482722f265bb75f83b15259;hb=54aea456331825be6f802edec510e4cb2e6cc34a#l1100 https://code.wireshark.org/review/gitweb?p=wireshark.git;a=blob;f=epan/dissectors/packet-ieee802154.c;h=6051c84e971a629dc482722f265bb75f83b15259;hb=54aea456331825be6f802edec510e4cb2e6cc34a#l1085 https://code.wireshark.org/review/gitweb?p=wireshark.git;a=blob;f=epan/dissectors/packet-ieee802154.h;h=02acfd555f1154a469b4e74add2e0e9d04d6c81d;hb=54aea456331825be6f802edec510e4cb2e6cc34a#l29
答案 2 :(得分:0)
要结束这个,我的最终解决方案如下:
table = DissectorTable.get("wtap_encap")
table:add(104, myProto)
table:add(127, myProto)
其中104和127代表802.15.4(参见:wireshark - > internals - > dissector table)