Wireshark的一些使用经验

在Wireshark可以使用wireshark支持的lua语言进行定制或扩充。

注：本文所测试脚本以Wireshar2.0.4为准

#

工作中经常会遇到需要将某些UDP报文固定解析为RTP协议，这个操作通过在init.lua中扩充分析器

local rtp_dissector  = Dissector.get("rtp")

DissectorTable.get("udp.port"):add(40002,rtp_dissector)

对于某些优先生效的解析协议，需要通过wireshar首选项里面的协议配置进行修改，以避免此段配置脚本不生效

如果固定将rtp协议中某些payload解析为某些协议，则可以进一步扩充DissectorTable.get("rtp.pt")

#监听器listner

在wireshark的帮助文档里面有如何使用lua写一个监听器的模板。监听器可以根据过滤报文采取某些动作。例如，将需要将报文流，写入到文件中，则可以依据此模板文件进行扩充

-- This program will register a menu that will open a window with a count of occurrences-- of every address in the capturelocal function menuable_tap()        -- Declare the window we will use        local tw = TextWindow.new("Address Counter")        -- This will contain a hash of counters of appearances of a certain address        local ips = {}

        --customized get the input filter content.取得和过滤显示报文一样的条件，以适应变化

        local filter = "rtp"if string.len(get_filter()) > 0 then        filter  = get_filter()end  

        -- for get field info from each packet      local udp_data  = Field.new("udp")

        -- this is our tap

        local tap = Listener.new("ip",filter);        function remove()                -- this way we remove the listener that otherwise will remain running indefinitely                tap:remove();        end        -- we tell the window to call the remove() function when closed        tw:set_atclose(remove)        -- this function will be called once for each packet        function tap.packet(pinfo,tvb)                local src = ips[tostring(pinfo.src)] or 0                local dst = ips[tostring(pinfo.dst)] or 0                ips[tostring(pinfo.src)] = src + 1                ips[tostring(pinfo.dst)] = dst + 1

                --customized each packet to write,get field data pinfo是包的一些信息 tvb是报文数据信息.获得udp信息域获得一些基础偏移量，以利于计算local udpFieldInfo      = udp_data() 

                local offset         = udpFieldInfo.offset

                --根据应用协议所需要的偏移进行偏移计算，以取到相应的数据

                local wirte_content      = tvb:raw(offset)            

                --根据某些规则写入

        end        -- this function will be called once every few seconds to update our window        function tap.draw(t)                tw:clear()                for ip,num in pairs(ips) do                        tw:append(ip .. "\t" .. num .. "\n");                end        end        -- this function will be called whenever a reset is needed        -- e.g. when reloading the capture file        function tap.reset()                tw:clear()                ips = {}        endend-- using this function we register our function-- to be called when the user selects the Tools->Test->Packets menuregister_menu("Test/Packets", menuable_tap, MENU_TOOLS_UNSORTED)