Some experience using Wireshark

xiaoxiao 2021-02-28

Wireshark can be customized and extended with the Lua language it supports. Note: the scripts in this article were tested against Wireshark 2.0.4.

# Forcing certain UDP packets to be decoded as RTP

At work it is often necessary to always decode certain UDP packets as RTP. This is done by extending the dissector table in init.lua:

```lua
-- Look up the built-in RTP dissector and attach it to UDP port 40002,
-- so that every UDP packet on that port is decoded as RTP.
local rtp_dissector = Dissector.get("rtp")
DissectorTable.get("udp.port"):add(40002, rtp_dissector)
```

For protocols whose dissector takes precedence on that port, you must also change the protocol settings in Wireshark's preferences, otherwise this configuration script has no effect. If certain RTP payload types should always be decoded as a particular protocol, you can extend DissectorTable.get("rtp.pt") in the same way.

# Listener

Wireshark's help documentation contains a template for writing a listener (tap) in Lua. A listener can take actions on the packets that match a filter. For example, if you need to write a packet stream to a file, you can extend the template as follows (the comments marked "customized" are the additions to the original template):

```lua
-- This program will register a menu that will open a window with a count of occurrences
-- of every address in the capture

-- customized: a Field extractor for the UDP layer, used to locate the UDP payload in each
-- packet. Field.new() must be called at file scope, before any tap or dissector runs.
local udp_data = Field.new("udp")

local function menuable_tap()
  -- Declare the window we will use
  local tw = TextWindow.new("Address Counter")
  -- This will contain a hash of counters of appearances of a certain address
  local ips = {}
  -- customized: use the same condition as the current display filter, so the tap follows
  -- whatever the user is looking at; fall back to "rtp" when no filter is set
  local filter = "rtp"
  if string.len(get_filter()) > 0 then
    filter = get_filter()
  end
  -- this is our tap
  local tap = Listener.new("ip", filter)

  local function remove()
    -- this way we remove the listener that otherwise will remain running indefinitely
    tap:remove()
  end
  -- we tell the window to call the remove() function when closed
  tw:set_atclose(remove)

  -- this function will be called once for each packet
  function tap.packet(pinfo, tvb)
    local src = ips[tostring(pinfo.src)] or 0
    local dst = ips[tostring(pinfo.dst)] or 0
    ips[tostring(pinfo.src)] = src + 1
    ips[tostring(pinfo.dst)] = dst + 1
    -- customized: pinfo carries the packet metadata, tvb the packet bytes. Take the offset
    -- of the UDP header as the base for further offset calculations
    local udpFieldInfo = udp_data()
    if udpFieldInfo ~= nil then
      local offset = udpFieldInfo.offset
      -- add the offset required by the application protocol to reach the wanted data
      local write_content = tvb:raw(offset)
      -- write write_content out according to your own rules
    end
  end

  -- this function will be called once every few seconds to update our window
  function tap.draw(t)
    tw:clear()
    for ip, num in pairs(ips) do
      tw:append(ip .. "\t" .. num .. "\n")
    end
  end

  -- this function will be called whenever a reset is needed
  -- e.g. when reloading the capture file
  function tap.reset()
    tw:clear()
    ips = {}
  end
end

-- using this function we register our function
-- to be called when the user selects the Tools->Test->Packets menu
register_menu("Test/Packets", menuable_tap, MENU_TOOLS_UNSORTED)
```
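The following is an added example, not part of the original post, that carries the listener template through to the "write the stream to a file" step: it dumps the RTP payload of every packet matching the display filter into one file per SSRC. It assumes the Wireshark 2.0+ Lua API (Field, Listener, TvbRange:raw()); OUT_DIR, rtp_payload_dumper and the menu path are hypothetical names.

```lua
-- Added example, not from the original post: a Listener that writes the raw RTP payload
-- of every packet matching the display filter to one file per SSRC. Assumes the
-- Wireshark 2.0+ Lua API and an existing output directory (OUT_DIR is a hypothetical path).
local OUT_DIR = "/tmp/rtp_dump"
-- Field extractors must be created at file scope, before any tap runs.
local ssrc_f    = Field.new("rtp.ssrc")
local payload_f = Field.new("rtp.payload")

local function rtp_payload_dumper()
  local tw = TextWindow.new("RTP payload dumper")
  local filter = "rtp"   -- follow the user's display filter, default to plain "rtp"
  if string.len(get_filter()) > 0 then filter = get_filter() end
  local files, counts = {}, {}   -- ssrc (hex string) -> file handle / bytes written
  local tap = Listener.new("ip", filter)

  local function close_all()
    for _, f in pairs(files) do f:close() end
    files = {}
  end
  tw:set_atclose(function() tap:remove(); close_all() end)
  -- called once per packet passing the filter; payload is written in capture order,
  -- so out-of-order or retransmitted RTP is not reordered here
  function tap.packet(pinfo, tvb)
    local ssrc, payload = ssrc_f(), payload_f()
    if ssrc == nil or payload == nil then return end   -- e.g. RTCP, or no RTP layer
    local key = string.format("%08x", ssrc.value)
    if files[key] == nil then
      -- "wb": a reload of the capture (tap.reset) starts the file over
      files[key] = assert(io.open(OUT_DIR .. "/rtp_" .. key .. ".bin", "wb"))
      counts[key] = 0
    end
    local data = payload.range:raw()   -- payload bytes as a Lua string
    files[key]:write(data)
    counts[key] = counts[key] + #data
  end
  -- called every few seconds to refresh the window
  function tap.draw()
    tw:clear()
    for key, n in pairs(counts) do
      tw:append(string.format("SSRC %s: %d payload bytes\n", key, n))
    end
  end
  -- called when the capture is reloaded: close the files and start over
  function tap.reset()
    tw:clear()
    close_all()
    counts = {}
  end
end
register_menu("Test/Dump RTP payload", rtp_payload_dumper, MENU_TOOLS_UNSORTED)
```

Load it from init.lua or with `-X lua_script:`, open a capture, and select the menu entry; the window then shows how many payload bytes were written per SSRC.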
Please credit the original when reposting: https://www.6miu.com/read-20279.html
