Extending Ethereal packet capture with Lua

Posted on 2009-06-23 15:13
From:
http://www.luaer.cn/bbs/read-Lua-tid-27.html
I have been using Ethereal for packet capture work for a long time. While marveling at how powerful Ethereal is, I also found it inconvenient that it cannot be extended the way the analsys capture tool can with its NetPDL language, and writing my own dissector felt like too much hassle. Now Ethereal has version 0.99.0 (a big jump in version number from the previous release) and supports Lua extensions, which is really good news.
The approach, naturally, is Lua extension: some basic functionality is turned into libraries that Lua can call, and the Lua script is passed in as a parameter at startup. A Lua script can do three kinds of things:
tap: a way of extracting data from every frame, definable with a display filter. Here is an example:
    A simple tap, usable with tethereal, that counts the HTTP and DNS packets passing through 10.0.0.1:


    -- this is going to be our counter
    http_packets = 0

    -- this is going to be our tap
    tap_http = nil

    -- first we declare the tap called "http tap" with the filter it is going to use
    tap_http = new_tap("mytap","ip.addr == 10.0.1.3 && http")

    -- then we define a function to (re)initialize our counter
    -- this one is going to be called every time the capture restarts (2)
    function tap_http.init()
        http_packets = 0
    end

    -- this function will get called at the end(3) of the capture to print the summary
    function tap_http.draw()
        print("http packets:",http_packets)
    end

    -- this function is going to be called once each time the filter of the tap matches
    function tap_http.packet()
        http_packets = http_packets + 1

        -- we return true so that ethereal prints a report every few seconds;
        -- if we returned false, ethereal would never call the draw function
        return true
    end

    GUI version:
    -- text_window_tap.lua
    -- an example of a tap that registers a menu
    -- and prints to a text window

    instances = 0 -- number of instances of the tap created so far

    function mytap_menu()
        instances = instances + 1

        local td = {}
        -- the tap data, passed to every function of the tap
        -- beware not to use a global for taps with multiple instances, or you might
        -- find it being written by several instances of the tap, which is not what we want.
     
        td.win = TextWindow.new("My Tap " .. instances) -- the window we'll use
        td.text = "" -- the text of the tap
        td.instance = instances -- the instance number of this tap

        -- this tap will be local to the menu_function that called it
        -- it's called mytap
        -- has no filter (filter = nil)
        -- and we pass to it the tap data so that it gets passed to the tap's functions
        local tap = new_tap("mytap"..instances,nil, td)
     
        -- make sure the tap doesn't hang around after the window is closed
        td.win:at_close(remove_tap,tap)

        -- this function will be called for every packet
        function tap.packet(pinfo,tvb,tapdata)
            local text = "packet " .. pinfo.number
            tapdata.text = tapdata.text .. "\n" .. text
            -- print("packet " .. pinfo.number, tapdata.instance)
        end

        -- this function will be called once every few seconds to redraw the window
        function tap.draw(tapdata)
            tapdata.win:set(tapdata.text)
            -- print("draw", tapdata.instance)
        end

        -- this function will be called before every run of the tap
        function tap.init(tapdata)
            tapdata.text = ""
            -- print("init", tapdata.instance)
        end

    end

    -- last we register the menu
    -- the first arg is the menu name
    -- the 2nd arg is the function to be called
    -- the third argument (defaults to false) tells to re-run the capture once the function is run
    register_menu("Lua Tap Test",mytap_menu,true)

    -- print("registered")
dissectors:
A dissector is used to analyze packet data, just like a C dissector. A dissector written in Lua can be registered for a given protocol; Ethereal then passes a data buffer and the packet info to the Lua handler function.


    -- trivial protocol example

    -- declare our protocol
    trivial_proto = Protocol("trivial","TRIVIAL","Trivial Protocol")

    -- create a function to dissect it
    function trivial_proto.dissector(buffer,pinfo,tree)
        pinfo.cols.protocol = "TRIVIAL"
        local subtree = tree:add_item(trivial_proto,buffer(),"Trivial Protocol Data"):add_subtree()
        subtree:add_item(buffer(0,2),"The first two bytes: " .. buffer(0,2):uint())
    end

    -- load the udp.port table
    udp_table = DissectorTable.get("udp.port")

    -- register our protocol to handle udp port 7777
    udp_table:add(7777,trivial_proto)

postdissectors:
A postdissector is a dissector that is called only after all other dissectors have been called. Because every field has already been dissected, this kind of dissector can access all fields and can also add fields to the dissection tree:

    -- trivial postdissector example

    -- declare some Fields to be read
    ip_src_f = Field("ip.src")
    ip_dst_f = Field("ip.dst")
    tcp_src_f = Field("tcp.srcport")
    tcp_dst_f = Field("tcp.dstport")

    -- declare our (pseudo) protocol
    trivial_proto = Protocol("trivial","TRIVIAL","Trivial Postdissector")

    -- create the fields for our "protocol"
    src_F = ProtoField.string("trivial.src","Source");
    dst_F = ProtoField.string("trivial.dst","Destination");
    conv_F = ProtoField.string("trivial.conv","Conversation","A Conversation");

    -- add the field to the protocol
    trivial_proto.fields = ProtoFieldArray.new(src_F, dst_F, conv_F)

    -- create a function to "postdissect" each frame
    function trivial_proto.dissector(buffer,pinfo,tree)
        -- obtain the current values the protocol fields
        local tcp_src = tcp_src_f()
        local tcp_dst = tcp_dst_f()
        local ip_src = ip_src_f()
        local ip_dst = ip_dst_f()
        if tcp_src then
          local subtree = tree:add_item(trivial_proto,"Trivial Protocol Data"):add_subtree()
          local src = ip_src .. ":" .. tcp_src
          local dst = ip_dst .. ":" .. tcp_dst
          local conv = src  .. "->" .. dst
   
          subtree:add_item(src_F,src)
          subtree:add_item(dst_F,dst)
          subtree:add_item(conv_F,conv)
        end
    end

    -- register our protocol as a postdissector
    register_postdissector(trivial_proto)

This article comes from the ChinaUnix blog; to view the original, click: http://blog.chinaunix.net/u2/79955/showart_1974466.html
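An added example (mine, not from the post above or from the luaer.cn source) that combines the three mechanisms the post shows: a dissector that validates a length field before trusting it, and a tap that reads the dissected field through a Field extractor. It is written against the current Wireshark Lua API (Proto, Listener, ProtoExpert, tree:add), which replaced the Ethereal 0.99.0 names used above (Protocol, new_tap, add_item); the "TRV2" wire format, the field names and the reuse of UDP port 7777 are all constructed for this example.

```lua
-- Constructed "TRV2" protocol: 2-byte type, 2-byte payload length, payload.
local trv = Proto("trivial2", "Trivial Protocol v2")
local f_type = ProtoField.uint16("trivial2.type", "Type", base.HEX)
local f_len  = ProtoField.uint16("trivial2.len", "Payload length", base.DEC)
local f_data = ProtoField.bytes("trivial2.data", "Payload")
trv.fields = { f_type, f_len, f_data }

-- Expert infos flag truncated or inconsistent frames instead of aborting.
local ef_short = ProtoExpert.new("trivial2.short", "Header shorter than 4 bytes",
                                 expert.group.MALFORMED, expert.severity.ERROR)
local ef_len = ProtoExpert.new("trivial2.badlen", "Length field exceeds captured payload",
                               expert.group.MALFORMED, expert.severity.WARN)
trv.experts = { ef_short, ef_len }

function trv.dissector(buffer, pinfo, tree)
    pinfo.cols.protocol = "TRV2"
    local subtree = tree:add(trv, buffer(), "Trivial Protocol v2 Data")
    -- Check the bytes exist before indexing; a short datagram must not throw.
    if buffer:len() < 4 then
        subtree:add_proto_expert_info(ef_short)
        return buffer:len()
    end
    subtree:add(f_type, buffer(0, 2))
    subtree:add(f_len, buffer(2, 2))
    local declared = buffer(2, 2):uint()
    local avail = buffer:len() - 4
    if declared > avail then
        -- Untrusted length field: clamp to the captured bytes and flag it.
        subtree:add_proto_expert_info(ef_len)
        declared = avail
    end
    if declared > 0 then
        subtree:add(f_data, buffer(4, declared))
    end
    return 4 + declared
end

DissectorTable.get("udp.port"):add(7777, trv)

-- Tap (Listener) counting TRV2 frames and summing the declared lengths via a
-- Field extractor, as the post's tap and postdissector examples do separately.
local len_f = Field.new("trivial2.len")
local frames, bytes = 0, 0
local lst = Listener.new(nil, "trivial2")
function lst.packet(pinfo, tvb)
    frames = frames + 1
    local v = len_f()          -- nil if the header was too short to carry it
    if v then bytes = bytes + v.value end
end
function lst.draw() print("trivial2 frames:", frames, "declared bytes:", bytes) end
function lst.reset() frames, bytes = 0, 0 end
```

Load it with `tshark -X lua_script:trv2.lua` (or drop it in the plugins directory for the GUI); the draw output appears when the capture ends, as with the post's tethereal tap.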