Wireshark Lua Script

Source: Internet
Author: User

1. Objective: to dissect the RSSP2 protocol

2. How to use the Wireshark Lua plugin

The Lua script to be written (assume it is called Rssp2.lua) is placed in the Wireshark installation directory; in fact it can be placed anywhere, as long as the dofile call below points at its path.

Then locate init.lua in the installation directory and add the following line at the end of the file:

dofile(DATA_DIR .. "Rssp2.lua")

3. Introduction

The parser consists of three files: Rssp2.lua, P2_data.lua and p2_parse.lua. If the protocol is small, a single Lua file can hold the whole dissector. init.lua calls Rssp2.lua, and Rssp2.lua loads the P2_data.lua and P2_parse.lua files. For an introduction to dissectors, refer to the official website: https://wiki.wireshark.org/lua/dissectors

    • A Proto object must be registered as the protocol handle
    • The dissector function must be assigned to the Proto object
    • Wireshark calls it with a buffer (Tvb object), a packet information record (Pinfo object) and a tree root (TreeItem object)
    • It is only called if the packet matches the dissector table, or if the user forces it via "Decode As"
4. dofile and require usage

http://blog.csdn.net/leecrest/article/details/31742419 explains this more thoroughly.
    • When a Lua file is loaded, require first checks package.loaded for the module; if it is already there, the module is returned directly, otherwise the module file is loaded.

require loads a module only once, and it looks for the file to load according to a specific search rule. First add the path in Rssp2.lua:

package.path = "D:/professional program/wireshark/plugins/?.lua;;"

require("data")

This then loads the file D:/professional program/wireshark/plugins/data.lua (the ? in package.path is replaced by the module name).
    • Differences between dofile and loadfile: dofile reads the code file, compiles it and executes it; the file is recompiled on every call. loadfile compiles the code and returns the whole module file as a function, but does not execute it. dofile is a wrapper around loadfile. Using dofile:

dofile("D:/professionalprogram/wireshark/plugins/data.lua")

    • If you are still not sure, refer to the Lua modules and packages examples at http://www.runoob.com/lua/lua-modules-packages.html.
5. Wireshark library functions: https://www.wireshark.org/docs/wsdg_html_chunked/wsluarm_modules.html
    • package.path = "D:/professional program/wireshark/plugins/?.lua;;"
      Adds the plugin directory to package.path.
    • require("P2_data")
      This file holds only the global variables used for parsing; no functions are put inside it.
    • func = dofile("d:/professional Program/wireshark/plugins/p2_parse.lua")
      func receives all the functions that Rssp2.lua needs to call (p2_parse.lua returns them as a table).
    • SELF_RSSP2 = Proto("RSSP2", "Rssp2_protocol")
      Registers the protocol with the Proto constructor.
    • f_usalelen = ProtoField.uint16("rssp2.len", "Length", base.DEC)
      ProtoField.uint16 declares the 2-byte f_usalelen field; "Length" is the name displayed in Wireshark, and base.DEC shows the value in decimal.
    • f_usrole = ProtoField.uint8("rssp2.role", "Role", base.HEX, {[0x10] = "Client", [0x11] = "Server"})
      With the value table, Wireshark displays not only the value 0x10 but also its meaning, "Client".
    • SELF_RSSP2.fields = {f_usalelen, f_usalever, f_usapptype, f_ussequen, f_usnrflag}
      Finally, all fields that need to be parsed are added to the fields list; a field that is only defined but not added here cannot be used in the tree.
    • function SELF_RSSP2.dissector(buffer, pinfo, tree)
      The dissector function that Wireshark calls for each matching packet.
    • pinfo.cols.protocol:set("Rssp-ii")
      pinfo holds the packet information already parsed by the lower layers of Wireshark; this call displays the string "Rssp-ii" in the Protocol column. Likewise, pinfo.cols.info:set("Invalid Msg") displays "Invalid Msg" in the Info column.
    • local rssp2tree = tree:add(SELF_RSSP2, buffer(offset, buffer_len), "Rssp-ii Msg Structure")
      Adds the script's own subtree, "Rssp-ii Msg Structure"; the fields are then parsed below this tree. ale_tree in turn sits below rssp2tree: local ale_tree = rssp2tree:add(SELF_RSSP2, buffer(offset, 10), "ALE Layer")
    • local usmsglen = buffer(offset, 2):le_uint()
      offset is a local variable defined by the script: the offset into the frame, i.e. the number of bytes parsed so far. The two bytes starting at offset are converted to an unsigned 32-bit integer (little-endian) and assigned to usmsglen.
    • ale_tree:add(f_usalelen, buffer(offset, 2))
      Parses the f_usalelen field below ale_tree, from the two bytes starting at the offset position in the frame.
    • local tcp_port_table = DissectorTable.get("tcp.port")
      Gets the TCP port dissector table; adding the dissector to it is a required step.
    • tcp_port_table:add(60005, SELF_RSSP2)
      Frames captured on port 60005 then satisfy the condition, and Wireshark parses them automatically when the capture is opened. If this is still unclear, search GitHub for the keyword "Wireshark lua"; many people have published their Lua code.
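A complete single-file version of the dissector walked through above, written here as an added example; it is not the original Rssp2.lua, P2_data.lua or p2_parse.lua. The field names, the 0x10/0x11 role values, the "ALE Layer" subtree and port 60005 come from the page; the 10-byte header layout and the bounds checks on the declared length are assumptions added for illustration.

```lua
-- Added example (not the original Rssp2.lua/P2_data/p2_parse files):
-- a single-file Rssp2 dissector. The 10-byte "ALE layer" layout is assumed:
--   len(2,LE) | ver(1) | apptype(1) | seq(2,LE) | role(1) | nrflag(1) | reserved(2)
local SELF_RSSP2 = Proto("RSSP2", "Rssp2_protocol")

local f_usalelen  = ProtoField.uint16("rssp2.len",     "Length",   base.DEC)
local f_usalever  = ProtoField.uint8 ("rssp2.ver",     "Version",  base.HEX)
local f_usapptype = ProtoField.uint8 ("rssp2.apptype", "App Type", base.HEX)
local f_ussequen  = ProtoField.uint16("rssp2.seq",     "Sequence", base.DEC)
local f_usrole    = ProtoField.uint8 ("rssp2.role",    "Role",     base.HEX,
                                      {[0x10] = "Client", [0x11] = "Server"})
local f_usnrflag  = ProtoField.uint8 ("rssp2.nrflag",  "NR Flag",  base.HEX)
local f_payload   = ProtoField.bytes ("rssp2.payload", "Payload")

-- A field that is defined but not listed here cannot be added to the tree.
SELF_RSSP2.fields = {f_usalelen, f_usalever, f_usapptype, f_ussequen,
                     f_usrole, f_usnrflag, f_payload}
local ALE_LEN = 10  -- assumed size of the ALE layer header

function SELF_RSSP2.dissector(buffer, pinfo, tree)
  pinfo.cols.protocol:set("Rssp-ii")
  local buffer_len = buffer:len()
  local offset = 0
  -- Bounds check first: a truncated or hostile segment must never make the
  -- dissector index past the captured bytes.
  if buffer_len < ALE_LEN then
    pinfo.cols.info:set("Invalid Msg")
    return 0
  end
  local usmsglen = buffer(offset, 2):le_uint()
  -- The declared length is untrusted input: it must cover the ALE header and
  -- fit inside what was captured, otherwise flag the message as invalid.
  if usmsglen < ALE_LEN or usmsglen > buffer_len then
    pinfo.cols.info:set("Invalid Msg")
    return 0
  end
  local rssp2tree = tree:add(SELF_RSSP2, buffer(offset, usmsglen), "Rssp-ii Msg Structure")
  local ale_tree = rssp2tree:add(SELF_RSSP2, buffer(offset, ALE_LEN), "ALE Layer")
  -- add_le matches the little-endian le_uint() read above; add() shows big-endian.
  ale_tree:add_le(f_usalelen, buffer(offset, 2)); offset = offset + 2
  ale_tree:add(f_usalever, buffer(offset, 1));     offset = offset + 1
  ale_tree:add(f_usapptype, buffer(offset, 1));    offset = offset + 1
  ale_tree:add_le(f_ussequen, buffer(offset, 2));  offset = offset + 2
  ale_tree:add(f_usrole, buffer(offset, 1));       offset = offset + 1
  ale_tree:add(f_usnrflag, buffer(offset, 1));     offset = offset + 3  -- +2 reserved
  if usmsglen > offset then
    rssp2tree:add(f_payload, buffer(offset, usmsglen - offset))
  end
  pinfo.cols.info:set("Rssp-ii len=" .. usmsglen)
  return usmsglen
end

DissectorTable.get("tcp.port"):add(60005, SELF_RSSP2)
```

Save it as Rssp2.lua and load it through the dofile line in init.lua as described in section 2; frames to or from TCP port 60005 then appear with "Rssp-ii" in the Protocol column.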
6. Notes

    • Unlike other languages, where arrays use 0 as the initial index, the default initial index of a Lua table starts at 1.
    • 0 is true in Lua.
    • ~= means "not equal to".

7. TCP frame format in Wireshark

Wireshark data parsing format (original note: http://note.youdao.com/noteshare?id=B2C354990472154833321E1D7B316DF1).

[Hex dump of a captured frame, offsets 0000 to 0030, with the bytes separated into the data link layer, the network layer and the transport layer]
Reference documentation:

    • http://www.docin.com/p-1350594454.html Wireshark usage tutorial
    • http://blog.tianya.cn/blogger/post_show.asp?blogid=2338564&postid=19226926 Wireshark plugin authoring
    • http://www.codingnow.com/2000/download/lua_manual.html Lua Chinese tutorial
    • http://manual.luaer.cn/ Lua online manual
    • https://wiki.wireshark.org/Lua/Dissectors dissector reference
    • https://www.wireshark.org/docs/wsdg_html_chunked/wsluarm_modules.html Wireshark Lua library functions
    • http://blog.csdn.net/leecrest/article/details/31742419 require vs. dofile difference (explained thoroughly)
    • http://blog.csdn.net/birdflyto206/article/details/49403801 VC generates Lua source code
