
我的協議基於 HTTP,我需要寫一個解析器來分析 HTTP 有效載荷。在 Wireshark Lua 中鏈接(chain)HTTP 解析器時,如何在解析函數中只取得 HTTP 有效載荷(跳過 HTTP 標頭)?

鏈式解析器目前的寫法如下:

-- Keep a handle to whatever is currently registered for TCP port 80
-- (normally the HTTP dissector) so it can still be invoked after we
-- take its place in the table.
local tcp_port_table = DissectorTable.get("tcp.port")
local original_http_dissector = tcp_port_table:get_dissector(80)

-- Placeholder for the chained step. 'buf' is the complete TCP payload,
-- HTTP header included; isolating just the HTTP body is the open question.
-- Currently does nothing and returns nothing.
local function my_dissector(buf, pkt, root)
    local tcp_payload = buf -- still the whole segment, header and all
end
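-- Dissector entry point for p_MM: run the original HTTP dissector first,
-- then hand the same buffer to my_dissector.
-- 'buf' is the whole TCP payload (HTTP header included); my_dissector still
-- has to locate the body itself.
-- Dissector:call() returns the number of bytes dissected in current
-- Wireshark releases. Because 0 is truthy in Lua, the result cannot be used
-- directly as a condition (the original `if ... then` was always taken);
-- compare it numerically instead. Where call() returns nothing, 'consumed'
-- is nil and the chained step is simply skipped, as before.
function p_MM.dissector(buf, pkt, root)
    local consumed = original_http_dissector:call(buf, pkt, root)
    if consumed and consumed > 0 then
        my_dissector(buf, pkt, root)
    end
end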

回答


我也為類似的需求折騰了一陣子。下面的程式碼(參考 http://www.example.com/ 與 https://wiki.wireshark.org/Lua/Dissector)會把 HTTP 內容放進一個新的資料分頁,再做一些非常基本的處理(與 0xA5 做 XOR,這部分的結果不太理想),並顯示在第二個分頁中。

do 
    -- Protocol object that will sit in the tcp.port table in place of the
    -- original handler.
    local http_proto = Proto("http_extra", "Further process HTTP traffic")
    -- Field extractor; must be created at load time (here), not inside the
    -- dissector function.
    local f_http_data = Field.new("http.file_data")
    -- Forward declaration: assigned below once we know which dissector
    -- currently owns the port we are taking over.
    local original_http_dissector

    -- simple function to XOR data against 0xA5 to show some processing 
    -- it turns out it's actually quite hard to reconstruct a tvb for display 
    -- as you need it in hex string format 
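    -- XOR every byte against 0xA5 and return the result as a lowercase hex
    -- string (the form ByteArray.new() accepts when rebuilding a Tvb).
    -- Accepts either a ByteArray (as the dissector passes) or a plain Lua
    -- string of raw bytes. The byte-wise XOR is written with plain arithmetic
    -- because bit32 was deprecated in Lua 5.3 and removed in 5.4, so the
    -- script keeps working regardless of which Lua the Wireshark build embeds.
    -- Kept global to match the original snippet; a `local function` would
    -- be preferable in a real plugin.
    -- @param data ByteArray or string of raw bytes
    -- @return hex string, two characters per input byte ("" for empty input)
    function xorf(data)
      if type(data) ~= "string" then
        data = data:raw()
      end
      local KEY = 0xA5
      local out = {}
      for i = 1, #data do
        local a, b = data:byte(i), KEY
        -- portable 8-bit XOR: walk the bits from LSB upward
        local r, weight = 0, 1
        for _ = 1, 8 do
          local ba, bb = a % 2, b % 2
          if ba ~= bb then r = r + weight end
          a, b, weight = (a - ba) / 2, (b - bb) / 2, weight * 2
        end
        out[i] = string.format("%02x", r)
      end
      return table.concat(out)
    end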

    -- Replacement handler for the port: chain to the original dissector so
    -- the http.* fields get populated, then pull http.file_data back out and
    -- show it (raw, and XOR'ed) in two extra byte-view tabs.
    function http_proto.dissector(tvbuffer, pinfo, treeitem)
      -- The original must run first: f_http_data() below reads a field that
      -- only exists once the HTTP dissector has processed this packet.
      original_http_dissector:call(tvbuffer, pinfo, treeitem)

      -- nothing to show for an empty buffer
      if tvbuffer:len() == 0 then
        return
      end

      -- nil when this packet carries no http.file_data (no body, or the
      -- chained dissector was not HTTP at all)
      local file_data = f_http_data()
      if not file_data then
        return
      end

      -- whole field as a TvbRange, then as a ByteArray we can copy/transform
      local payload = file_data.range():bytes()

      -- raw body in its own tab
      ByteArray.tvb(payload, "http.file_data")
      -- transformed copy: hex string -> ByteArray -> Tvb, in a second tab
      ByteArray.tvb(ByteArray.new(xorf(payload)), "xor'ed")
    end

    -- Take over port 443 in the TCP port table, keeping a handle to whatever
    -- dissector was registered there so http_proto.dissector can chain to it.
    -- NOTE(review): on tcp.port 443 the registered dissector is normally TLS,
    -- not HTTP; http.file_data will only be populated if TLS decryption is
    -- configured. For plain HTTP the port to replace would be 80 -- confirm
    -- which one the author intends.
    local tcp_port_table = DissectorTable.get("tcp.port")
    original_http_dissector = tcp_port_table:get_dissector(443)
    tcp_port_table:add(443, http_proto)
end