Wireshark Lua dissector: reassembling TCP messages for analysis
Data an application sends over TCP is a byte stream. There is no guarantee that one application-level message ends up in one captured packet: a message may be split across several TCP segments, and one segment may carry several messages. A home-made dissector has to handle both cases.
Documentation on Lua dissectors: http://wiki.wireshark.org/Lua/Dissectors
Writing a Wireshark dissector in Lua is very convenient. The example below reassembles TCP segments before analysis. Compared with a plain dissector it adds only one extra branch: when the current PDU extends past the end of the data we were handed, set pinfo.desegment_offset and pinfo.desegment_len and return; the TCP dissector then calls us again once the missing bytes have arrived. As the saying goes, it is only hard if you don't know how:
local slicer = Proto("slicer", "Slicer")

-- Length of one PDU. The original used a constant for testing (the value
-- here is an arbitrary placeholder); in a real protocol read it from the
-- header in tvb.
local function get_len()
    return 16
end

function slicer.dissector(tvb, pinfo, tree)
    -- Offset into this tvb at which the current PDU starts.
    local offset = pinfo.desegment_offset or 0
    local len = get_len()
    while true do
        local nxtpdu = offset + len
        if nxtpdu > tvb:len() then
            -- PDU runs past the data we have: tell TCP where it starts and
            -- how many more bytes we need, then wait to be called again.
            pinfo.desegment_len = nxtpdu - tvb:len()
            pinfo.desegment_offset = offset
            return
        end
        -- A complete PDU is available; add it to the tree.
        tree:add(slicer, tvb(offset, len))
        offset = nxtpdu
        if nxtpdu == tvb:len() then
            return
        end
    end
end

-- Port 2506 matches the capture filter used in the tshark command below.
local tcp_table = DissectorTable.get("tcp.port")
tcp_table:add(2506, slicer)
How to use the Lua dissector script:
tshark:
tshark -X lua_script:slicer.lua -i lo0 -f "tcp port 2506" -O aa -V
Wireshark:
On OSX:
Copy slicer.lua to ~/.wireshark
Add dofile(USER_DIR.."slicer.lua") to the end of /Applications/Wireshark.app/Contents/Resources/share/wireshark/init.lua
The C dissectors in Wireshark have a helper for reassembling TCP PDUs in packet-tcp.c, tcp_dissect_pdus(), shown below. It is the same loop as the Lua version above, with two additions worth copying: it first asks for one more segment when even the fixed-length header is split, and it rejects a length field smaller than the header as a bounds error instead of looping on it:
/*
 * Loop for dissecting PDUs within a TCP stream; assumes that a PDU
 * consists of a fixed-length chunk of data that contains enough information
 * to determine the length of the PDU, followed by rest of the PDU.
 *
 * The first three arguments are the arguments passed to the dissector
 * that calls this routine.
 *
 * "proto_desegment" is the dissector's flag controlling whether it should
 * desegment PDUs that cross TCP segment boundaries.
 *
 * "fixed_len" is the length of the fixed-length part of the PDU.
 *
 * "get_pdu_len()" is a routine called to get the length of the PDU from
 * the fixed-length part of the PDU; it's passed "pinfo", "tvb" and "offset".
 *
 * "dissect_pdu()" is the routine to dissect a PDU.
 */
void
tcp_dissect_pdus(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree,
                 gboolean proto_desegment, guint fixed_len,
                 guint (*get_pdu_len)(packet_info *, tvbuff_t *, int),
                 dissector_t dissect_pdu)
{
    volatile int offset = 0;
    int offset_before;
    guint length_remaining;
    guint plen;
    guint length;
    tvbuff_t *next_tvb;
    proto_item *item=NULL;
    void *pd_save;

    while (tvb_reported_length_remaining(tvb, offset) != 0) {
        /*
         * We use "tvb_ensure_length_remaining()" to make sure there actually
         * *is* data remaining. The protocol we're handling could conceivably
         * consists of a sequence of fixed-length PDUs, and therefore the
         * "get_pdu_len" routine might not actually fetch anything from
         * the tvbuff, and thus might not cause an exception to be thrown if
         * we've run past the end of the tvbuff.
         *
         * This means we're guaranteed that "length_remaining" is positive.
         */
        length_remaining = tvb_ensure_length_remaining(tvb, offset);

        /*
         * Can we do reassembly?
         */
        if (proto_desegment && pinfo->can_desegment) {
            /*
             * Yes - is the fixed-length part of the PDU split across segment
             * boundaries?
             */
            if (length_remaining < fixed_len) {
                /*
                 * Yes. Tell the TCP dissector where the data for this message
                 * starts in the data it handed us and that we need "some more
                 * data." Don't tell it exactly how many bytes we need because
                 * if/when we ask for even more (after the header) that will
                 * break reassembly.
                 */
                pinfo->desegment_offset = offset;
                pinfo->desegment_len = DESEGMENT_ONE_MORE_SEGMENT;
                return;
            }
        }

        /*
         * Get the length of the PDU.
         */
        plen = (*get_pdu_len)(pinfo, tvb, offset);
        if (plen < fixed_len) {
            /*
             * Either:
             *
             *  1) the length value extracted from the fixed-length portion
             *     doesn't include the fixed-length portion's length, and
             *     was so large that, when the fixed-length portion's
             *     length was added to it, the total length overflowed;
             *
             *  2) the length value extracted from the fixed-length portion
             *     includes the fixed-length portion's length, and the value
             *     was less than the fixed-length portion's length, i.e. it
             *     was bogus.
             *
             * Report this as a bounds error.
             */
            show_reported_bounds_error(tvb, pinfo, tree);
            return;
        }

        /*
         * Do not display the PDU length if it crosses the boundary of the
         * packet and no more packets are available.
         *
         * XXX - we don't necessarily know whether more packets are
         * available; we might be doing a one-pass read through the
         * capture in TShark, or we might be doing a live capture in
         * Wireshark.
         */
#if 0
        if (length_remaining >= plen || there are more packets)
        {
#endif
            /*
             * Display the PDU length as a field
             */
            item=proto_tree_add_uint(pinfo->tcp_tree, hf_tcp_pdu_size,
                                     tvb, offset, plen, plen);
            PROTO_ITEM_SET_GENERATED(item);
#if 0
        } else {
            item = proto_tree_add_text(pinfo->tcp_tree, tvb, offset, -1,
                "PDU Size: %u cut short at %u",plen,length_remaining);
            PROTO_ITEM_SET_GENERATED(item);
        }
#endif

        /* give a hint to TCP where the next PDU starts
         * so that it can attempt to find it in case it starts
         * somewhere in the middle of a segment.
         */
        if(!pinfo->fd->flags.visited && tcp_analyze_seq) {
            guint remaining_bytes;
            remaining_bytes=tvb_reported_length_remaining(tvb, offset);
            if(plen>remaining_bytes) {
                pinfo->want_pdu_tracking=2;
                pinfo->bytes_until_next_pdu=plen-remaining_bytes;
            }
        }

        /*
         * Can we do reassembly?
         */
        if (proto_desegment && pinfo->can_desegment) {
            /*
             * Yes - is the PDU split across segment boundaries?
             */
            if (length_remaining < plen) {
                /*
                 * Yes. Tell the TCP dissector where the data for this message
                 * starts in the data it handed us, and how many more bytes we
                 * need, and return.
                 */
                pinfo->desegment_offset = offset;
                pinfo->desegment_len = plen - length_remaining;
                return;
            }
        }

        /*
         * Construct a tvbuff containing the amount of the payload we have
         * available. Make its reported length the amount of data in the PDU.
         *
         * XXX - if reassembly isn't enabled. the subdissector will throw a
         * BoundsError exception, rather than a ReportedBoundsError exception.
         * We really want a tvbuff where the length is "length", the reported
         * length is "plen", and the "if the snapshot length were infinite"
         * length is the minimum of the reported length of the tvbuff handed
         * to us and "plen", with a new type of exception thrown if the offset
         * is within the reported length but beyond that third length, with
         * that exception getting the "Unreassembled Packet" error.
         */
        length = length_remaining;
        if (length > plen)
            length = plen;
        next_tvb = tvb_new_subset(tvb, offset, length, plen);

        /*
         * Dissect the PDU.
         *
         * Catch the ReportedBoundsError exception; if this particular message
         * happens to get a ReportedBoundsError exception, that doesn't mean
         * that we should stop dissecting PDUs within this frame or chunk of
         * reassembled data.
         *
         * If it gets a BoundsError, we can stop, as there's nothing more to
         * see, so we just re-throw it.
         */
        pd_save = pinfo->private_data;
        TRY {
            (*dissect_pdu)(next_tvb, pinfo, tree);
        }
        CATCH(BoundsError) {
            RETHROW;
        }
        CATCH(ReportedBoundsError) {
            /* Restore the private_data structure in case one of the
             * called dissectors modified it (and, due to the exception,
             * was unable to restore it).
             */
            pinfo->private_data = pd_save;
            show_reported_bounds_error(tvb, pinfo, tree);
        }
        ENDTRY;

        /*
         * Step to the next PDU.
         * Make sure we don't overflow.
         */
        offset_before = offset;
        offset += plen;
        if (offset <= offset_before)
            break;
    }
}
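As an added example (not code from the original post or from Wireshark), here is a complete Lua dissector that carries the logic of both the slicer above and tcp_dissect_pdus() for a hypothetical length-prefixed protocol: it reads the PDU length from the header instead of using a constant, asks TCP for one more segment when even the header is split, rejects a bogus length field instead of looping on it, and walks several PDUs inside one segment. The wire layout (4-byte big-endian length that includes the header, 1-byte type, payload), the protocol name lpp, the field names and the 65536 sanity limit are assumptions; port 2506 is taken from the tshark filter in the post.

```lua
-- Added example, not from the original post. Hypothetical wire format:
--   4-byte big-endian total length (header included), 1-byte type, payload.
local lpp = Proto("lpp", "Length-Prefixed Protocol (example)")

local HDR_LEN = 5     -- fixed-length part: 4-byte length + 1-byte type
local MAX_PDU = 65536 -- assumed sanity limit on a single PDU

local f_len  = ProtoField.uint32("lpp.len",  "PDU Length", base.DEC)
local f_type = ProtoField.uint8 ("lpp.type", "Type",       base.HEX)
local f_data = ProtoField.bytes ("lpp.data", "Payload")
lpp.fields = { f_len, f_type, f_data }

-- Dissect exactly one PDU; tvb holds the complete PDU and nothing else.
local function dissect_pdu(tvb, pinfo, tree)
    local subtree = tree:add(lpp, tvb(), "LPP PDU")
    subtree:add(f_len,  tvb(0, 4))
    subtree:add(f_type, tvb(4, 1))
    if tvb:len() > HDR_LEN then
        subtree:add(f_data, tvb(HDR_LEN))
    end
end

-- Called once per TCP segment, and again with the reassembled buffer
-- after we have asked for more data.
function lpp.dissector(tvb, pinfo, tree)
    pinfo.cols.protocol = lpp.name
    local offset = 0
    local seglen = tvb:len()

    while offset < seglen do
        local remaining = seglen - offset

        -- 1. Header split across segments: ask TCP for one more segment.
        --    Do not give an exact byte count yet; asking for more again
        --    after the header arrives would break reassembly (packet-tcp.c
        --    says the same).
        if remaining < HDR_LEN then
            pinfo.desegment_offset = offset
            pinfo.desegment_len = DESEGMENT_ONE_MORE_SEGMENT
            return
        end

        -- 2. Read the PDU length and validate it. A length smaller than the
        --    header would never advance offset (plen == 0 loops forever) and
        --    a huge one makes Wireshark buffer the stream for bytes that never
        --    come, so flag it and stop.
        local plen = tvb(offset, 4):uint()
        if plen < HDR_LEN or plen > MAX_PDU then
            local item = tree:add(lpp, tvb(offset, remaining),
                                  "LPP (malformed length)")
            item:add_expert_info(PI_MALFORMED, PI_ERROR,
                                 string.format("bogus PDU length %d", plen))
            return
        end

        -- 3. Body split across segments: tell TCP where this PDU starts and
        --    exactly how many more bytes are needed.
        if remaining < plen then
            pinfo.desegment_offset = offset
            pinfo.desegment_len = plen - remaining
            return
        end

        -- 4. A complete PDU is available: dissect it and step to the next.
        dissect_pdu(tvb(offset, plen):tvb(), pinfo, tree)
        offset = offset + plen
    end
end

DissectorTable.get("tcp.port"):add(2506, lpp)
```

Step 2 is the check most home-made dissectors forget, and it is the one that matters when the peer is untrusted: a zero or otherwise too-small length field pins the loop to the same offset, and an enormous one turns desegmentation into an unbounded buffer request. Wireshark 2.0 and later also expose the C loop to Lua as dissect_tcp_pdus(tvb, tree, min_header_len, get_len_func, dissect_func), which performs steps 1 to 4 for you given a function that returns the PDU length from the header.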