Wireshark Lua dissector not displaying tree

Question  Votes: 0  Answers: 1

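I have packets that carry trailer data after the packet, in the Ixia timestamp trailer. I am trying to write a dissector for Wireshark that does exactly the same as the ixia-packet_trailer plugin. https://raw.githubusercontent.com/boundary/wireshark/master/epan/dissectors/packet-ixiatrailer.c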

But I want to write it in Lua, so that it is easiest to change.

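I implemented the Lua script as a heuristic, using the function is_my_trailer (as proposed in "Wireshark Lua dissector plugin table error"). It has now stopped showing the trailer in the Ethernet tree, so I believe it recognizes the pattern 0xae12, but it does not show my "my trailer" tree.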

-- declare our protocol
local my_trailer_proto = Proto("my_trailer","my Trailer")

-- Header fields
local timestamp  = ProtoField.uint64 ("my_trailer_proto.timestamp", "timestamp", base.HEX)
local proto_flag  = ProtoField.uint8 ("my_trailer_proto.proto_flag", "protoFlag", base.HEX)
local msg_id     = ProtoField.uint16("my_trailer_proto.msg_id"    , "msdId"    , base.HEX)

my_trailer_proto.fields = { timestamp, proto_flag, msg_id }

-- does this packet contain a trailer?
local function is_my_trailer(buffer,pinfo,tree)
    local length = buffer:len()
    -- too short to hold the 12-byte trailer: not ours
    if length < 12 then return false end
    local type = buffer(length-12, 2):uint()

    if type == 0xae12 then  return true end
    return false
end

function my_trailer_proto.dissector(buffer, pinfo, tree)
    local length = buffer:len()
    if length == 0 then return end

    local subtree = tree:add(my_trailer_proto, buffer(), "my trailer")

    -- Header
    subtree:add(timestamp, buffer(length-10,8))
    subtree:add(proto_flag, buffer(length-3,1))
    subtree:add(msg_id, buffer(length-2,2))

    pinfo.cols.protocol = my_trailer_proto.name
    pinfo.cols.protocol:set("proto_flag")
    pinfo.cols.info:set("proto_flag: " .. proto_flag)
end 

my_trailer_proto:register_heuristic("eth.trailer", is_my_trailer)

Here is a sample pcap file with the trailer: https://transfernow.net/87kwt2k0dne7

lua wireshark wireshark-dissector
1 Answer
1 vote

You forgot one important line of code:

if type == 0xae12 then  return true end
return false

should be:

if type == 0xae12 then
    my_trailer_proto.dissector(buffer, pinfo, tree)
    return true
end
return false

You also have another bug. This line is an error:

pinfo.cols.info:set("proto_flag: " .. proto_flag)

It should look like this:

pinfo.cols.info:set("proto_flag: " .. buffer(length-3,1):uint())
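
The two fixes from the answer applied to the question's script, as an added example that is not part of the original post or answer. The field offsets and the 0xae12 pattern are taken from the question as posted; the constant names `TRAILER_LEN` and `TRAILER_TYPE` and the `f_` field names are introduced here for illustration.

```lua
-- Added example: heuristic trailer dissector with both fixes from the answer.
local my_trailer_proto = Proto("my_trailer", "my Trailer")

local TRAILER_LEN  = 12      -- assumption: the question reads the type at length-12
local TRAILER_TYPE = 0xae12  -- pattern checked in the question

local f_timestamp  = ProtoField.uint64("my_trailer_proto.timestamp",  "timestamp", base.HEX)
local f_proto_flag = ProtoField.uint8 ("my_trailer_proto.proto_flag", "protoFlag", base.HEX)
local f_msg_id     = ProtoField.uint16("my_trailer_proto.msg_id",     "msdId",     base.HEX)
my_trailer_proto.fields = { f_timestamp, f_proto_flag, f_msg_id }

function my_trailer_proto.dissector(buffer, pinfo, tree)
    local length = buffer:len()
    -- Packet bytes are untrusted input: never compute a negative offset.
    if length < TRAILER_LEN then return end

    -- Highlight only the trailer bytes, not the whole buffer.
    local subtree = tree:add(my_trailer_proto,
                             buffer(length - TRAILER_LEN, TRAILER_LEN), "my trailer")

    -- Offsets exactly as in the question.
    local flag = buffer(length - 3, 1)
    subtree:add(f_timestamp,  buffer(length - 10, 8))
    subtree:add(f_proto_flag, flag)
    subtree:add(f_msg_id,     buffer(length - 2, 2))

    pinfo.cols.protocol = my_trailer_proto.name
    -- Second fix: format the value read from the buffer, not the ProtoField object.
    pinfo.cols.info:set(string.format("proto_flag: 0x%02x", flag:uint()))
end

-- Heuristic: decide whether the bytes are ours and, if so, dissect them here.
local function is_my_trailer(buffer, pinfo, tree)
    local length = buffer:len()
    if length < TRAILER_LEN then return false end
    if buffer(length - TRAILER_LEN, 2):uint() ~= TRAILER_TYPE then return false end

    -- First fix: returning true only claims the data; the tree appears
    -- only if the heuristic itself calls the dissector.
    my_trailer_proto.dissector(buffer, pinfo, tree)
    return true
end

my_trailer_proto:register_heuristic("eth.trailer", is_my_trailer)
```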