如何在 Wireshark Lua 解析器(dissector)中处理跨越八位字节边界的字段?

时间:2018-07-06 13:25:04

标签: lua wireshark wireshark-dissector

我正在编写一个 Wireshark Lua 解析器(dissector),目标协议中有字段跨越了八位字节边界:

Octet 0:
    bits 0..3: a
    bits 4..6: b
    bits 7:    c
Octet 1:
    bits 0..3: x
    bits 4..7: y (ls nibble)
Octet 2:
    bits 0..3: y (ms nibble)
    bits 4..7: z

在 Lua 中应该如何处理这些字段?

1 个答案:

答案 0 :(得分:0)

这应该能帮您完成大部分工作。下面的掩码按照问题中的位编号来解释:位 0 是每个八位字节的最高有效位(即 RFC 图示中的网络位序),因此“位 0..3”对应掩码 0xf0,“位 7”对应 0x01。(问题出在 y 上:按您的说明,最低有效半字节位于靠前的八位字节中,而不是通常期望的最高有效半字节在前。)

local p_foo = Proto("foo", "FOO Protocol")

-- Bit masks use the question's numbering: bit 0 is the most-significant
-- bit of the octet (network / RFC-figure order), so "bits 0..3" is the
-- high nibble 0xf0, "bits 4..6" is 0x0e and "bit 7" is 0x01.
local f_foo_a = ProtoField.uint8("foo.a", "A", base.DEC, nil, 0xf0)
local f_foo_b = ProtoField.uint8("foo.b", "B", base.DEC, nil, 0x0e)
local f_foo_c = ProtoField.uint8("foo.c", "C", base.DEC, nil, 0x01)

local f_foo_x = ProtoField.uint8("foo.x", "X", base.DEC, nil, 0xf0)
-- y is read as a big-endian uint16 over octets 1..2 and masked to the low
-- nibble of octet 1 plus the high nibble of octet 2.  The masked value
-- keeps the nibbles in wire order (octet-1 nibble high, octet-2 nibble
-- low), which is the reverse of the question's "ls nibble first" layout.
local f_foo_y = ProtoField.uint16("foo.y", "Y", base.DEC, nil, 0x0ff0)
local f_foo_z = ProtoField.uint8("foo.z", "Z", base.DEC, nil, 0x0f)

-- Attach the fields to the protocol so tree:add() can use them.
p_foo.fields = { f_foo_a, f_foo_b, f_foo_c, f_foo_x, f_foo_y, f_foo_z }

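--- Dissect one FOO PDU: three octets of bit-packed fields.
-- buf:   Tvb holding the (untrusted) packet bytes.
-- pinfo: packet info; only the protocol column is written.
-- tree:  parent TreeItem; a "FOO Protocol" subtree with a, b, c, x, y, z
--        is added under it.
-- A packet shorter than 3 octets is flagged as truncated and left
-- otherwise undissected, instead of letting buf(2, 1) raise on an
-- out-of-bounds TvbRange.
function p_foo.dissector(buf, pinfo, tree)
    local foo_tree = tree:add(p_foo, buf(0, -1))

    pinfo.cols.protocol:set("FOO")

    -- Guard the fixed-size layout: every TvbRange below assumes 3 octets.
    local FOO_MIN_LEN = 3
    if buf:len() < FOO_MIN_LEN then
        foo_tree:append_text(" [truncated: need " .. FOO_MIN_LEN ..
            " octets, got " .. buf:len() .. "]")
        return
    end

    -- Octet 0: a (0xf0), b (0x0e), c (0x01); the masks live on the fields.
    foo_tree:add(f_foo_a, buf(0, 1))
    foo_tree:add(f_foo_b, buf(0, 1))
    foo_tree:add(f_foo_c, buf(0, 1))

    -- Octet 1: x in the high nibble.  y straddles octets 1..2, so it gets
    -- a 2-byte range and the 0x0ff0 mask picks out its two nibbles.
    foo_tree:add(f_foo_x, buf(1, 1))
    foo_tree:add(f_foo_y, buf(1, 2))
    -- Octet 2: z in the low nibble.
    foo_tree:add(f_foo_z, buf(2, 1))
end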

-- Registration: TODO

如果您确实需要按照说明的顺序处理 y,就必须交换两个半字节。也许有更优雅的办法,但下面是一种可行的方案。注意:set_text 只改变树中显示的文字;除非向 add() 显式传入值,否则 foo.y 在显示过滤器中使用的值仍是按 0x0ff0 掩码直接取出的原始值(半字节未交换),过滤时请留意这一点。

local p_foo = Proto("foo", "FOO Protocol")

-- Bit masks use the question's numbering: bit 0 is the most-significant
-- bit of the octet (network / RFC-figure order), so "bits 0..3" is the
-- high nibble 0xf0, "bits 4..6" is 0x0e and "bit 7" is 0x01.
local f_foo_a = ProtoField.uint8("foo.a", "A", base.DEC, nil, 0xf0)
local f_foo_b = ProtoField.uint8("foo.b", "B", base.DEC, nil, 0x0e)
local f_foo_c = ProtoField.uint8("foo.c", "C", base.DEC, nil, 0x01)

local f_foo_x = ProtoField.uint8("foo.x", "X", base.DEC, nil, 0xf0)
-- y is read as a big-endian uint16 over octets 1..2 and masked to the low
-- nibble of octet 1 plus the high nibble of octet 2.  The masked value
-- keeps the nibbles in wire order, which is the reverse of the question's
-- "ls nibble first" layout; the dissector below swaps them when it
-- renders the item with set_text.
local f_foo_y = ProtoField.uint16("foo.y", "Y", base.DEC, nil, 0x0ff0)
local f_foo_z = ProtoField.uint8("foo.z", "Z", base.DEC, nil, 0x0f)

-- Attach the fields to the protocol so tree:add() can use them.
p_foo.fields = { f_foo_a, f_foo_b, f_foo_c, f_foo_x, f_foo_y, f_foo_z }

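-- Lookup from a nibble value (0..15) to its 4-character binary string,
-- used to render the swapped y nibbles in the tree label.  Any other key
-- yields nil.
-- Declared local on purpose: Wireshark runs every Lua script in one
-- shared Lua state, so a bare global named nib2bin could be silently
-- overwritten by (or overwrite) a same-named table in another plugin.
local nib2bin = {
    [0] = "0000", [1] = "0001",
    [2] = "0010", [3] = "0011",
    [4] = "0100", [5] = "0101",
    [6] = "0110", [7] = "0111",
    [8] = "1000", [9] = "1001",
    [10] = "1010", [11] = "1011",
    [12] = "1100", [13] = "1101",
    [14] = "1110", [15] = "1111"
}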

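--- Render the low nibble of n as a 4-character binary string.
-- @param n integer; only its low four bits are used (bit.band with 0x0f),
--          so any higher bits are ignored rather than indexing past the table.
-- @return string "0000".."1111" from nib2bin
-- Declared local so it does not leak into the global environment that all
-- Wireshark Lua scripts share.  Uses the `bit` library Wireshark's Lua
-- provides; it is not part of the standard Lua library.
local function nibble2binary(n)
    return nib2bin[bit.band(n, 0x0f)]
end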

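--- Dissect one FOO PDU (three octets) with y's nibbles in the order the
-- question specifies: ls nibble in the low nibble of octet 1, ms nibble in
-- the high nibble of octet 2.
-- buf:   Tvb holding the (untrusted) packet bytes.
-- pinfo: packet info; only the protocol column is written.
-- tree:  parent TreeItem; a "FOO Protocol" subtree is added under it.
-- A packet shorter than 3 octets is flagged as truncated and skipped so
-- that no TvbRange below is created out of bounds.
function p_foo.dissector(buf, pinfo, tree)
    local foo_tree = tree:add(p_foo, buf(0, -1))

    pinfo.cols.protocol:set("FOO")

    -- Guard the fixed-size layout before touching octets 1 and 2.
    local FOO_MIN_LEN = 3
    if buf:len() < FOO_MIN_LEN then
        foo_tree:append_text(" [truncated: need " .. FOO_MIN_LEN ..
            " octets, got " .. buf:len() .. "]")
        return
    end

    -- Reassemble y.  y_msn is left in bit positions 4..7 (mask 0xf0), so
    -- OR-ing it with the 0x0f-masked ls nibble yields the 8-bit value.
    local y_lsn = bit.band(buf(1, 1):uint(), 0x0f)
    local y_msn = bit.band(buf(2, 1):uint(), 0xf0)
    local y = bit.bor(y_lsn, y_msn)

    -- Octet 0: a (0xf0), b (0x0e), c (0x01); the masks live on the fields.
    foo_tree:add(f_foo_a, buf(0, 1))
    foo_tree:add(f_foo_b, buf(0, 1))
    foo_tree:add(f_foo_c, buf(0, 1))

    foo_tree:add(f_foo_x, buf(1, 1))
    -- set_text only replaces the label.  The value display filters see
    -- (foo.y == N) is the one add() stores: with no explicit value it is
    -- the raw 0x0ff0-masked slice, i.e. the nibbles in wire (swapped)
    -- order, so the label and the filter value would disagree.  Wireshark
    -- applies the field's bitmask and shift to an explicit value as well,
    -- so pass y pre-shifted into the mask position ((y << 4) & 0x0ff0) >> 4 == y.
    -- NOTE(review): confirm the mask/shift handling of explicit values on
    -- your Wireshark version; if in doubt, declare foo.y without a bitmask
    -- and pass y directly.
    -- The label shows the ms nibble first (value order), not wire order.
    foo_tree:add(f_foo_y, buf(1, 2), bit.lshift(y, 4)):set_text(".... " ..
        nibble2binary(bit.rshift(y_msn, 4)) .. " " ..  nibble2binary(y_lsn) ..
        " .... = Y: " .. y)
    foo_tree:add(f_foo_z, buf(2, 1))
end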

-- Registration: TODO