The data an application sends over TCP is a byte stream: IP gives no guarantee that one application-level message, once captured, sits in a single IP packet. A message may be split across several packets or share a packet with its neighbours, so a hand-written dissector has to account for this.

Reference material on Lua dissectors: http://wiki.wireshark.org/Lua/Dissectors

Writing a Wireshark dissector as a Lua script is very convenient. A sample that uses Lua to reassemble TCP segments before analysing them follows; compared with a plain dissector it only adds one extra branch. As the saying goes: hard for those who don't know it, easy for those who do.

local slicer = Proto("slicer", "Slicer")

-- The original sample leaves get_len() undefined and notes that a constant
-- was used for testing. This stub returns a placeholder constant so the
-- script loads; in a real dissector the length is read from the header in tvb.
local function get_len()
    return 5
end

function slicer.dissector(tvb, pinfo, tree)
    -- resume from where the previous (incomplete) pass left off
    local offset = pinfo.desegment_offset or 0
    local len = get_len() -- for tests i used a constant, but can be taken from tvb
    while true do
        local nxtpdu = offset + len
        if nxtpdu > tvb:len() then
            -- the PDU is incomplete: tell TCP where it starts and how many bytes are missing,
            -- and TCP will call us again with the reassembled data
            pinfo.desegment_len = nxtpdu - tvb:len()
            pinfo.desegment_offset = offset
            return
        end
        tree:add(slicer, tvb(offset, len))
        offset = nxtpdu
        if nxtpdu == tvb:len() then
            return
        end
    end
end

local tcp_table = DissectorTable.get("tcp.port")
tcp_table:add(2506, slicer)

A Lua dissector script is used as follows:

tshark:

tshark -X lua_script:slicer.lua -i lo0 -f "tcp port 2506" -O aa -V

Wireshark (on OS X):

Copy slicer.lua to ~/.wireshark

Add dofile(USER_DIR.."slicer.lua") to the end of /Applications/Wireshark.app/Contents/Resources/share/wireshark/init.lua

The C side of Wireshark has a helper for exactly this TCP reassembly loop, in packet-tcp.c:

/*
 * Loop for dissecting PDUs within a TCP stream; assumes that a PDU
 * consists of a fixed-length chunk of data that contains enough information
 * to determine the length of the PDU, followed by rest of the PDU.
 *
 * The first three arguments are the arguments passed to the dissector
 * that calls this routine.
 *
 * "proto_desegment" is the dissector's flag controlling whether it should
 * desegment PDUs that cross TCP segment boundaries.
 *
 * "fixed_len" is the length of the fixed-length part of the PDU.
 *
 * "get_pdu_len()" is a routine called to get the length of the PDU from
 * the fixed-length part of the PDU; it's passed "pinfo", "tvb" and "offset".
 *
 * "dissect_pdu()" is the routine to dissect a PDU.
 */
void
tcp_dissect_pdus(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree,
                 gboolean proto_desegment, guint fixed_len,
                 guint (*get_pdu_len)(packet_info *, tvbuff_t *, int),
                 dissector_t dissect_pdu)
{
    volatile int offset = 0;
    int offset_before;
    guint length_remaining;
    guint plen;
    guint length;
    tvbuff_t *next_tvb;
    proto_item *item=NULL;
    void *pd_save;

    while (tvb_reported_length_remaining(tvb, offset) != 0) {
        /*
         * We use "tvb_ensure_length_remaining()" to make sure there actually
         * *is* data remaining. The protocol we're handling could conceivably
         * consists of a sequence of fixed-length PDUs, and therefore the
         * "get_pdu_len" routine might not actually fetch anything from
         * the tvbuff, and thus might not cause an exception to be thrown if
         * we've run past the end of the tvbuff.
         *
         * This means we're guaranteed that "length_remaining" is positive.
         */
        length_remaining = tvb_ensure_length_remaining(tvb, offset);

        /*
         * Can we do reassembly?
         */
        if (proto_desegment && pinfo->can_desegment) {
            /*
             * Yes - is the fixed-length part of the PDU split across segment
             * boundaries?
             */
            if (length_remaining < fixed_len) {
                /*
                 * Yes. Tell the TCP dissector where the data for this message
                 * starts in the data it handed us and that we need "some more
                 * data." Don't tell it exactly how many bytes we need because
                 * if/when we ask for even more (after the header) that will
                 * break reassembly.
                 */
                pinfo->desegment_offset = offset;
                pinfo->desegment_len = DESEGMENT_ONE_MORE_SEGMENT;
                return;
            }
        }

        /*
         * Get the length of the PDU.
         */
        plen = (*get_pdu_len)(pinfo, tvb, offset);
        if (plen < fixed_len) {
            /*
             * Either:
             *
             *  1) the length value extracted from the fixed-length portion
             *     doesn't include the fixed-length portion's length, and
             *     was so large that, when the fixed-length portion's
             *     length was added to it, the total length overflowed;
             *
             *  2) the length value extracted from the fixed-length portion
             *     includes the fixed-length portion's length, and the value
             *     was less than the fixed-length portion's length, i.e. it
             *     was bogus.
             *
             * Report this as a bounds error.
             */
            show_reported_bounds_error(tvb, pinfo, tree);
            return;
        }

        /*
         * Do not display the PDU length if it crosses the boundary of the
         * packet and no more packets are available.
         *
         * XXX - we don't necessarily know whether more packets are
         * available; we might be doing a one-pass read through the
         * capture in TShark, or we might be doing a live capture in
         * Wireshark.
         */
#if 0
        if (length_remaining >= plen || there are more packets)
        {
#endif
            /*
             * Display the PDU length as a field
             */
            item=proto_tree_add_uint(pinfo->tcp_tree, hf_tcp_pdu_size,
                                     tvb, offset, plen, plen);
            PROTO_ITEM_SET_GENERATED(item);
#if 0
        } else {
            item = proto_tree_add_text(pinfo->tcp_tree, tvb, offset, -1,
                                       "PDU Size: %u cut short at %u",plen,length_remaining);
            PROTO_ITEM_SET_GENERATED(item);
        }
#endif

        /* give a hint to TCP where the next PDU starts
         * so that it can attempt to find it in case it starts
         * somewhere in the middle of a segment.
         */
        if(!pinfo->fd->flags.visited && tcp_analyze_seq) {
            guint remaining_bytes;
            remaining_bytes=tvb_reported_length_remaining(tvb, offset);
            if(plen>remaining_bytes) {
                pinfo->want_pdu_tracking=2;
                pinfo->bytes_until_next_pdu=plen-remaining_bytes;
            }
        }

        /*
         * Can we do reassembly?
         */
        if (proto_desegment && pinfo->can_desegment) {
            /*
             * Yes - is the PDU split across segment boundaries?
             */
            if (length_remaining < plen) {
                /*
                 * Yes. Tell the TCP dissector where the data for this message
                 * starts in the data it handed us, and how many more bytes we
                 * need, and return.
                 */
                pinfo->desegment_offset = offset;
                pinfo->desegment_len = plen - length_remaining;
                return;
            }
        }

        /*
         * Construct a tvbuff containing the amount of the payload we have
         * available. Make its reported length the amount of data in the PDU.
         *
         * XXX - if reassembly isn't enabled. the subdissector will throw a
         * BoundsError exception, rather than a ReportedBoundsError exception.
         * We really want a tvbuff where the length is "length", the reported
         * length is "plen", and the "if the snapshot length were infinite"
         * length is the minimum of the reported length of the tvbuff handed
         * to us and "plen", with a new type of exception thrown if the offset
         * is within the reported length but beyond that third length, with
         * that exception getting the "Unreassembled Packet" error.
         */
        length = length_remaining;
        if (length > plen)
            length = plen;
        next_tvb = tvb_new_subset(tvb, offset, length, plen);

        /*
         * Dissect the PDU.
         *
         * Catch the ReportedBoundsError exception; if this particular message
         * happens to get a ReportedBoundsError exception, that doesn't mean
         * that we should stop dissecting PDUs within this frame or chunk of
         * reassembled data.
         *
         * If it gets a BoundsError, we can stop, as there's nothing more to
         * see, so we just re-throw it.
         */
        pd_save = pinfo->private_data;
        TRY {
            (*dissect_pdu)(next_tvb, pinfo, tree);
        }
        CATCH(BoundsError) {
            RETHROW;
        }
        CATCH(ReportedBoundsError) {
            /* Restore the private_data structure in case one of the
             * called dissectors modified it (and, due to the exception,
             * was unable to restore it).
             */
            pinfo->private_data = pd_save;
            show_reported_bounds_error(tvb, pinfo, tree);
        }
        ENDTRY;

        /*
         * Step to the next PDU.
         * Make sure we don't overflow.
         */
        offset_before = offset;
        offset += plen;
        if (offset <= offset_before)
            break;
    }
}
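The Lua sample earlier on this page hard-codes the PDU length and only handles the case where the body is cut short, while the C loop above also covers a header split across segments and a bogus length value. The following dissector is an added example, not from the original post or from the Wireshark project: it carries the tcp_dissect_pdus() structure (fixed header, get_pdu_len, dissect_pdu) over to Lua for a hypothetical protocol "lenpdu" whose 4-byte header holds a 2-byte big-endian type and a 2-byte big-endian total length. The protocol, its field names and the header layout are assumptions; the port 2506 is the one used by the page's tshark command.

```lua
-- Added example (not from the original post or the Wireshark sources):
-- a Lua dissector for a hypothetical length-prefixed protocol "lenpdu".
-- Each PDU is a 4-byte header (2-byte big-endian type, 2-byte big-endian
-- total length including the header) followed by the body.
local lenpdu = Proto("lenpdu", "Length-prefixed PDU (example)")

local HEADER_LEN = 4            -- the "fixed_len" of tcp_dissect_pdus()

local f_type = ProtoField.uint16("lenpdu.type", "Type", base.HEX)
local f_len  = ProtoField.uint16("lenpdu.len", "PDU length", base.DEC)
local f_body = ProtoField.bytes("lenpdu.body", "Body")
lenpdu.fields = { f_type, f_len, f_body }

-- Counterpart of get_pdu_len(): the total length lives in the fixed header.
local function get_pdu_len(tvb, offset)
    return tvb(offset + 2, 2):uint()
end

-- Counterpart of dissect_pdu(): build the tree for one complete PDU.
local function dissect_pdu(tvb, tree, offset, plen)
    local sub = tree:add(lenpdu, tvb(offset, plen))
    sub:add(f_type, tvb(offset, 2))
    sub:add(f_len, tvb(offset + 2, 2))
    if plen > HEADER_LEN then
        sub:add(f_body, tvb(offset + HEADER_LEN, plen - HEADER_LEN))
    end
end

function lenpdu.dissector(tvb, pinfo, tree)
    pinfo.cols.protocol = lenpdu.name
    local offset = 0
    local pdus = 0

    while offset < tvb:len() do
        local remaining = tvb:len() - offset

        -- Case 1: the fixed header itself is split across segments. The PDU
        -- length is not known yet, so ask TCP for "one more segment" instead
        -- of a byte count (the same reasoning as the comment in packet-tcp.c).
        if remaining < HEADER_LEN then
            pinfo.desegment_offset = offset
            pinfo.desegment_len = DESEGMENT_ONE_MORE_SEGMENT
            return
        end

        local plen = get_pdu_len(tvb, offset)

        -- Bogus length (shorter than the header it was read from): flag it
        -- and stop rather than spinning at the same offset forever.
        if plen < HEADER_LEN then
            tree:add_expert_info(PI_MALFORMED, PI_ERROR,
                "PDU length " .. plen .. " is smaller than the header")
            return
        end

        -- Case 2: only the body is split. Now the exact shortfall is known,
        -- so tell TCP precisely how many bytes are still missing.
        if remaining < plen then
            pinfo.desegment_offset = offset
            pinfo.desegment_len = plen - remaining
            return
        end

        dissect_pdu(tvb, tree, offset, plen)
        pdus = pdus + 1
        offset = offset + plen      -- step to the next PDU in this segment
    end

    pinfo.cols.info = pdus .. " PDU(s)"
end

DissectorTable.get("tcp.port"):add(2506, lenpdu)
```

Save it as a .lua file and load it exactly like slicer.lua above (the tshark -X lua_script: option, or a dofile line in init.lua). After a desegment request, TCP calls the dissector again with a tvb that starts at the requested desegment_offset, which is why the loop always starts from offset 0 and never needs to remember state between calls.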
