Reference links:
http://alex-ii.github.io/tech/2018/05/08/dissector_for_Wireshark_udp.html
https://www.wireshark.org/docs/wsdg_html_chunked/lua_module_Proto.html#lua_class_ProtoField
Introduction
Wireshark can load custom Lua scripts, which can be used to dissect custom UDP packets and display each field with a name and description for quick analysis.
Usage
Check whether Wireshark was built with Lua support:
Look for init.lua in Wireshark's global configuration directory (Help > About Wireshark > Folders > Global configuration). If the enable_lua variable there is set to true, Lua support is enabled.
Load the Lua file:
On Linux, launch Wireshark by its path and pass the script on the command line: wireshark -X lua_script:path_to_lua_script. Enabled Lua scripts should be listed under Help > About Wireshark > Plugins.
Reload Lua plugins
To reload plugins while Wireshark is open, press Ctrl+Shift+L.
Start a capture or open a pcap file, then inspect the dissected packets in the Packet Details pane.
Below is a sample Lua script:
```lua
local proto_position = Proto("Position", "Position Protocol")

-- Fixed little-endian layout, 52 bytes in total:
-- timestamp (8) | udp_sequence (4) | x, y, z (8 each) | qx, qy, qz, qw (4 each)
local timestamp    = ProtoField.uint64("position.timestamp",    "TimeStamp",    base.DEC)
local udp_sequence = ProtoField.uint32("position.udp_sequence", "UDP Sequence", base.DEC)
local position_x   = ProtoField.uint64("position.x",  "Position X",  base.DEC)
local position_y   = ProtoField.uint64("position.y",  "Position Y",  base.DEC)
local position_z   = ProtoField.uint64("position.z",  "Position Z",  base.DEC)
local position_qx  = ProtoField.uint32("position.qx", "Position QX", base.DEC)
local position_qy  = ProtoField.uint32("position.qy", "Position QY", base.DEC)
local position_qz  = ProtoField.uint32("position.qz", "Position QZ", base.DEC)
local position_qw  = ProtoField.uint32("position.qw", "Position QW", base.DEC)

proto_position.fields = {
    timestamp, udp_sequence,
    position_x, position_y, position_z,
    position_qx, position_qy, position_qz, position_qw
}

-- the `dissector()` method is called by Wireshark when parsing our packets
-- `buffer` holds the UDP payload, all the bytes from our protocol
-- `tree` is the structure we see when inspecting/dissecting one particular packet
function proto_position.dissector(buffer, pinfo, tree)
    -- Changing the value in the protocol column (the Wireshark pane that displays
    -- a list of packets)
    pinfo.cols.protocol = "Position Parser"

    -- We label the entire UDP payload as being associated with our protocol
    local payload_tree = tree:add(proto_position, buffer(), "Position Protocol Data")

    -- add_le() reads each field as little-endian from the given (offset, length) range
    payload_tree:add_le(timestamp,    buffer(0, 8))
    payload_tree:add_le(udp_sequence, buffer(8, 4))
    payload_tree:add_le(position_x,   buffer(12, 8))
    payload_tree:add_le(position_y,   buffer(20, 8))
    payload_tree:add_le(position_z,   buffer(28, 8))
    payload_tree:add_le(position_qx,  buffer(36, 4))
    payload_tree:add_le(position_qy,  buffer(40, 4))
    payload_tree:add_le(position_qz,  buffer(44, 4))
    payload_tree:add_le(position_qw,  buffer(48, 4))
end

-- register protocol on UDP port 8000
-- (DissectorTable:add() returns nothing, so keep the table handle separately)
local udp_table = DissectorTable.get("udp.port")
udp_table:add(8000, proto_position)
```
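The script above slices fixed offsets without checking the payload length, so a short or truncated datagram raises a Lua error and aborts dissection of that frame. The following added example (not from the original post or the referenced blog) is a length-checked variant of the same layout that flags truncated packets via Expert Info and shows any trailing bytes; the protocol name "PositionSafe", its field abbreviations and UDP port 9000 are assumptions chosen so it can be loaded alongside the original.

```lua
-- Added example, not from the original post: a length-checked Position dissector.
-- Protocol name, field abbreviations and port 9000 are assumptions.
local proto_position_safe = Proto("PositionSafe", "Position Protocol (length-checked)")

-- Byte layout copied from the page's script: {abbreviation, display name, width}
local LAYOUT = {
    {"timestamp", "TimeStamp", 8}, {"udp_sequence", "UDP Sequence", 4},
    {"x", "Position X", 8}, {"y", "Position Y", 8}, {"z", "Position Z", 8},
    {"qx", "Position QX", 4}, {"qy", "Position QY", 4},
    {"qz", "Position QZ", 4}, {"qw", "Position QW", 4},
}
local fields, expected_len = {}, 0
for _, f in ipairs(LAYOUT) do
    local ctor = (f[3] == 8) and ProtoField.uint64 or ProtoField.uint32
    f.pf = ctor("positionsafe." .. f[1], f[2], base.DEC)
    fields[#fields + 1] = f.pf
    expected_len = expected_len + f[3]   -- adds up to 52 bytes for this layout
end
local f_trailing = ProtoField.bytes("positionsafe.trailing", "Trailing bytes")
fields[#fields + 1] = f_trailing

-- An expert item makes truncated packets show up in Analyze > Expert Information
-- and lets you filter for them with `positionsafe.too_short`.
local ef_short = ProtoExpert.new("positionsafe.too_short", "Payload shorter than the fixed layout",
    expert.group.MALFORMED, expert.severity.ERROR)
proto_position_safe.fields = fields
proto_position_safe.experts = { ef_short }

function proto_position_safe.dissector(buffer, pinfo, tree)
    local len = buffer:len()
    if len == 0 then return 0 end   -- nothing for us; Wireshark falls back to "Data"
    pinfo.cols.protocol = "Position"
    local subtree = tree:add(proto_position_safe, buffer(), "Position Protocol Data")
    if len < expected_len then
        -- Flag the packet instead of slicing past the end of the buffer, which
        -- would raise a Lua error and abort dissection of the whole frame.
        subtree:add_proto_expert_info(ef_short, "got " .. len .. " of " .. expected_len .. " bytes")
        return len
    end
    local offset = 0
    for _, f in ipairs(LAYOUT) do
        subtree:add_le(f.pf, buffer(offset, f[3]))
        offset = offset + f[3]
    end
    if len > expected_len then   -- surface extra bytes rather than silently ignoring them
        subtree:add(f_trailing, buffer(offset))
    end
    return len
end

DissectorTable.get("udp.port"):add(9000, proto_position_safe)
```

Load it the same way as the script above; truncated datagrams on port 9000 then appear with a red Expert Info marker instead of a Lua error in the Packet Details pane.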