How to improve the workflow for creating Lua-based Wireshark dissectors

Posted 2024-09-17 20:01:42, 380 words, 12 views, 0 comments

I've finally created a Dissector for my UDP protocol in Lua for Wireshark, but the work flow is just horrendous. It consists of editing my custom Lua file in my editor, then double-clicking my example capture file to launch Wireshark to see the changes. If there was an error, Wireshark informs me via dialogs or a red line in the Tree analysis sub-pane. I then re-edit my custom Lua file and then close that Wireshark instance, then double-click my example capture file again. It's like compiling a C file and only seeing one compiler error at a time.

Is there a better (faster) way of looking at my changes, without having to restart Wireshark all the time?

At the time, I was using Wireshark 1.2.9 for Windows with Lua enabled.

Comments (4)

一刻暧昧 2024-09-24 20:01:42

The best way to automate this is by using command line. Yep, use tshark instead of loading gui thingy.

If your Lua script is called "proto.lua" and it defines a protocol called "MyProto" that uses port 8888, you can test your dissector using:

tshark -X lua_script:proto.lua -O MyProto -V -f "port 8888"

  • -V option makes tshark print all the info of all protocols.
  • -O option filters the -V option to make it show all the info only on the listed (CSV) protocols.
  • -f option filters out all packets that don't conform to the rule. In this case, any packet that is not from the right port.

银河中√捞星星 2024-09-24 20:01:42

The latest Wireshark release comes with a primitive console for running Lua scripts. It can be found under Tools -> Lua -> Evaluate. From there, you should be able to reload your dissector by running dofile(). You'll also have to remove the previous version of your dissector.

Here's an example for a TCP-based dissector.

-- `pattern` is the TCP port the dissector was registered on (8888 is only an
-- example value); `yourdissector` is the Proto object the script stored in a global.
local pattern = 8888
local tcp_dissector_table = DissectorTable.get("tcp.port")
tcp_dissector_table:remove(pattern, yourdissector)
yourdissector = nil

-- Re-read the script from disk (the path is a placeholder).
dofile("c:/path/to/dissector.lua")

I recommend placing this code in a function inside your file.

Now there's a problem with this answer: If your script created a Proto object, it seems that you can't create it again with the same id. The constructor for the Proto class calls the C function proto_register_protocol() (see epan/wslua/wslua_proto.c). I can't find any lua function that will unregister the protocol. In fact, I can't even find a C function to unregister it.
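The following is an added example, not code from either answer or from the Wireshark project: a UDP dissector file (matching the question's UDP protocol) laid out so that the dofile() reload above works without registering the Proto a second time. The wire format (1-byte type, 1-byte flags, 2-byte big-endian length, payload) and the port 8888 are assumptions chosen for illustration; the global names `myproto` and `myproto_fields` are likewise made up here.

```lua
-- Added example (not from the original answers). Wire format and port are assumed.
local PORT = 8888

-- Create the Proto and its fields only on the first load. On a reload via
-- dofile() the objects kept in the global table are reused, because the
-- underlying proto_register_protocol() cannot be undone from Lua.
if not _G.myproto then
  _G.myproto = Proto("MyProto", "Example UDP protocol")
  _G.myproto_fields = {
    ptype   = ProtoField.uint8("myproto.type",    "Type",    base.DEC),
    flags   = ProtoField.uint8("myproto.flags",   "Flags",   base.HEX),
    plen    = ProtoField.uint16("myproto.len",    "Length",  base.DEC),
    payload = ProtoField.bytes("myproto.payload", "Payload"),
  }
  _G.myproto.fields = _G.myproto_fields
end
local proto, f = _G.myproto, _G.myproto_fields

-- The dissector function itself can be redefined freely on every reload,
-- so edits here show up after the next dofile() without restarting Wireshark.
function proto.dissector(buffer, pinfo, tree)
  pinfo.cols.protocol = "MYPROTO"
  local subtree = tree:add(proto, buffer(), "MyProto")
  if buffer:len() < 4 then
    -- Too short for the fixed header: flag it instead of indexing past the end.
    pinfo.cols.info = "MyProto: header too short"
    return
  end
  subtree:add(f.ptype, buffer(0, 1))
  subtree:add(f.flags, buffer(1, 1))
  local len = buffer(2, 2):uint()
  subtree:add(f.plen, buffer(2, 2))
  -- Clamp the declared length to what is actually in the packet, so a
  -- malformed length field cannot raise an out-of-range error mid-dissection.
  local avail = buffer:len() - 4
  if len > avail then len = avail end
  if len > 0 then subtree:add(f.payload, buffer(4, len)) end
end

-- (Re)attach to the port on every load. remove() first so the previous
-- registration of the same Proto object is dropped explicitly.
local udp_table = DissectorTable.get("udp.port")
udp_table:remove(PORT, proto)
udp_table:add(PORT, proto)
```

Once loaded, the file can be re-executed from Tools -> Lua -> Evaluate with dofile("path/to/this/file.lua") as described above, or exercised from the command line with the tshark invocation in the first answer.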

帅哥哥的热头脑 2024-09-24 20:01:42

You might be able to write a trivial wrapper function that Wireshark loads, and have it just load the real file from disk (e.g. via dofile()). This could probably "trick" Wireshark into always reloading your Lua code until you're more comfortable with it and can remove this hack.

自此以后,行同陌路 2024-09-24 20:01:42

I've been facing the same problem for quite a while, so I have decided to create a tool that would help me streamline that "horrendous workflow". The tool in question is Wirebait. It is designed to let you run your Lua dissectors as you write them without Wireshark.

It is very quick and easy to install and use. All you have to do is load the Wirebait module and add a five-line snippet on top of your dissector script. Then, if you use an IDE such as ZeroBrane Studio, Wirebait allows you to literally write and debug your code on the fly, with no need for Wireshark. If you don't even have a pcap file, you can use a hexadecimal string representing the data you want to dissect.
