The final effect is as follows:
Reference document: https://mika-s.github.io/topics/
The 7 examples in this reference document show how to write Lua scripts that identify our own custom protocol.
Install Wireshark
Just download the installer from https://www.wireshark.org/ and install it. My installation path is D:\Install\Wireshark; the installation location can be looked up in the Wireshark menu under Help -> About -> Folders:
Protocol to parse
The protocol parsed this time is an application-layer protocol carried over UDP. The details of the protocol are as follows:
Several objects to understand before writing the script
- Proto: the protocol object. It has a name attribute, passed in as the first parameter of the constructor, which determines what is displayed in the Protocol column (together with the assignment in the checker function). Official documentation
- ProtoField: a protocol field, with the following constructors. Official documentation
  - uint8/int8(filter_string, display_name, display_type)
  - uint16/int16(filter_string, display_name, display_type)
  - uint32/int32(filter_string, display_name, display_type)
- buffer: a Tvb object. Official documentation
Write the plug-in script
There are two locations where the Lua file can be placed:
- Any location; in this case you need to load the Lua file from init.lua with dofile.
- The plugins folder; Wireshark executes scripts there automatically when it starts. Press Ctrl+Shift+L to reload.
We use the second method. Create a new file test.lua in D:\Install\Wireshark\plugins and add the following code to it:
-- Protocol object. Constructor: first parameter is shown in the Protocol column, second is the protocol description
local my_request=Proto('myrequst','my custom request')
-- Fields to display. Constructor: first parameter is the name used for filtering in the display-filter bar,
-- second is the label shown in the detail tree below, third is whether the value is displayed in decimal or hex
local time_second=ProtoField.uint8("myrequst.time_second","秒",base.HEX)
local time_minute=ProtoField.uint8("myrequst.time_minute","分",base.HEX)
local time_hour=ProtoField.uint8("myrequst.time_hour","时",base.HEX)
local time_day=ProtoField.uint8("myrequst.time_day","天",base.HEX)
local time_month=ProtoField.uint8("myrequst.time_month","月",base.HEX)
local time_year=ProtoField.uint8("myrequst.time_year","年",base.HEX)
local group=ProtoField.uint8("myrequst.group","组",base.HEX)
local cmd=ProtoField.uint16("myrequst.cmd","命令",base.DEC)
local len=ProtoField.uint32("myrequst.length","body长度",base.DEC)
-- Attach the fields to the protocol object
my_request.fields={
    time_second,time_minute,time_hour,time_day,time_month,time_year,group,cmd,len}
-- This function returns a bool; true means the custom protocol was validated. Three parameters are passed in:
-- buffer: the packet with the enclosing protocol stripped. For example, when hooking into UDP, the UDP header
--         is already removed and buffer holds only the UDP payload
-- pinfo: information for the packet list (used when assigning the protocol name)
-- tree: the tree structure in the detail pane below
local function checker(buffer,pinfo,tree)
    local length=buffer:len()
    if length<26 then
        return false
    end
    -- Header check
    if buffer(0,1):uint()~=0x48 or
       buffer(1,1):uint()~=0x54 or
       buffer(2,1):uint()~=0x56 or
       buffer(3,1):uint()~=0x58 or
       buffer(4,1):uint()~=0x41 or
       buffer(5,1):uint()~=0x58 or
       buffer(6,1):uint()~=0x42 or
       buffer(7,1):uint()~=0x58 or
       buffer(8,1):uint()~=0x49 or
       buffer(9,1):uint()~=0x58 then
        return false
    end
    -- Set the Protocol column
    pinfo.cols.protocol=my_request.name
    -- Field parsing
    local subtree=tree:add(my_request,buffer(),"我自定义的请求")
    subtree:add(time_second,buffer(10,1))
    subtree:add(time_minute,buffer(11,1))
    subtree:add(time_hour,buffer(12,1))
    subtree:add(time_day,buffer(13,1))
    subtree:add(time_month,buffer(15,1))
    subtree:add(time_year,buffer(16,1))
    subtree:add(group,buffer(18,1))
    -- add_le interprets the range as little-endian
    subtree:add_le(cmd,buffer(19,1))
    subtree:add(len,buffer(21,4))
    return true
end
-- Register so that Wireshark calls checker when dissecting UDP packets
my_request:register_heuristic("udp",checker)
After saving the Lua script, press Ctrl+Shift+L to reload it and see the effect.
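To exercise the heuristic checker without waiting for live traffic, here is an added Python script (not from the original post or the reference document) that writes a small pcap with one packet laid out at the offsets the Lua script reads and one with a wrong header that checker must reject. The magic bytes are the ones the script compares; the IP addresses, ports, MAC addresses, file name and field values are constructed test data.

```python
import socket
import struct

# The 10-byte header checker() compares byte by byte (0x48 0x54 0x56 0x58 ... = "HTVXAXBXIX")
MAGIC = b"HTVXAXBXIX"

def build_payload(second, minute, hour, day, month, year, group, cmd, body):
    """Lay out the UDP application payload at the offsets the Lua script reads."""
    fixed = bytearray(25)                 # fixed fields occupy offsets 0..24
    fixed[0:10] = MAGIC
    fixed[10], fixed[11], fixed[12], fixed[13] = second, minute, hour, day
    fixed[15], fixed[16] = month, year    # offset 14 is not read by the script
    fixed[18] = group                     # offset 17 is not read either
    struct.pack_into("<H", fixed, 19, cmd)       # little-endian; add_le reads the byte at 19
    struct.pack_into(">I", fixed, 21, len(body))
    # checker() rejects anything shorter than 26 bytes, so body must not be empty
    return bytes(fixed) + body

def ip_checksum(data):
    """RFC 1071 one's-complement checksum over data (padded to an even length)."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    total = (total >> 16) + (total & 0xFFFF)
    total += total >> 16
    return ~total & 0xFFFF

def build_frame(payload, src="10.0.0.1", dst="10.0.0.2", sport=40000, dport=9000):
    """Wrap payload in UDP/IPv4/Ethernet (constructed addresses; UDP checksum 0 = not computed)."""
    udp = struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), 0x1234, 0, 64, 17, 0,
                     socket.inet_aton(src), socket.inet_aton(dst))
    ip = ip[:10] + struct.pack("!H", ip_checksum(ip)) + ip[12:]
    eth = bytes.fromhex("001122334455") + bytes.fromhex("66778899aabb") + b"\x08\x00"
    return eth + ip + udp

def write_pcap(path, frames):
    """Write frames as a classic pcap file (link type 1 = Ethernet)."""
    with open(path, "wb") as f:
        f.write(struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1))
        for i, frame in enumerate(frames):
            f.write(struct.pack("<IIII", 1700000000 + i, 0, len(frame), len(frame)))
            f.write(frame)

if __name__ == "__main__":
    good = build_payload(30, 15, 9, 5, 3, 24, 1, 0x0102, b"hello")
    bad = b"NOTMAGIC!!" + good[10:]     # same layout, wrong header: checker() must return false
    write_pcap("myrequest_test.pcap", [build_frame(good), build_frame(bad)])
```

Open the resulting file in Wireshark with test.lua loaded: only the first packet should be claimed by the dissector and show the custom subtree, the second stays plain UDP.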