Sdrop Wireshark Lua Plugin

  • exported packet payload format

    <?xml version="1.0" encoding="ISO-8859-1"?>
    <dropPacket>
    <model version="1.0" author="ConnetOS"/>
    <metaData>
    <ingressPhysicalPort>te-1/1/1</ingressPhysicalPort>
    <egressPhysicalPort>NA</egressPhysicalPort>
    <vlanId>52</vlanId>
    <dropReason>2</dropReason>
    <dropReasonString>Tag Vlan Not Exist</dropReasonString>
    <timeStamp>2017-04-07 20:07:41</timeStamp>
    <packetSize>157</packetSize>
    <dataSize>128</dataSize>
    </metaData>
    <data>
    2C600C7BC1FB000000BBBB44810000340800450C0087000040004006B605373737140B0B0B0A2410008000000000000000005000FFFF8B6F000001010008010200000000123000001231000012320000123300001234000012300000123000001230000012310000123200001233000012340000123100001232000012330000
    </data>
    </dropPacket>
  • Put the Lua plugin into the Wireshark plugin directory.

  • Find the init.lua file and add one of the two lines below.

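    -- Load the plugin by a bare file name. dofile() passes the name to the C
    -- runtime unchanged, so a relative name is resolved against the current
    -- working directory of the Wireshark process (not the directory of init.lua
    -- or of the capture file): whichever sdrop.lua sits in that directory is the
    -- one that gets executed.
    -- The name must be a quoted string; an unquoted sdrop.lua is parsed as the
    -- field "lua" of a global "sdrop", which is nil, and fails with an index error.
    dofile("sdrop.lua")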

    or

    -- Load the plugin from Wireshark's data directory; DATA_DIR is the global
    -- that init.lua exposes for that location, so the path does not depend on
    -- the working directory Wireshark was started from.
    dofile(DATA_DIR .. "sdrop.lua")

With the first way, you don’t need to put sdrop.lua into DATA_DIR; you can put it in the same directory as the pcap files.

do
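-- Protocol object; it is attached to a UDP port at the bottom of this file.
local p_sdrop = Proto("sdrop", "Streaming drop packet and drop reason")

-- Every metadata element arrives as text inside the XML envelope, so each
-- field is a string field. ProtoField.string only takes a string display
-- (base.NONE/base.ASCII or base.UNICODE), which is why base.NONE is used even
-- for the numeric-looking values; base.DEC is an integer display and is not
-- valid for a string field.
-- Each field has its own filter abbreviation so that display filters can
-- tell the drop reason, its text and the time stamp apart.
local sdrop_protocol_type        = ProtoField.string("sdrop.prototype", "Protocol type",          base.NONE)
local sdrop_version              = ProtoField.string("sdrop.version",   "Model version",          base.NONE) -- not registered or populated yet
local sdrop_meta_ingress_port    = ProtoField.string("sdrop.inport",    "Ingress physical port",  base.NONE)
local sdrop_meta_egress_port     = ProtoField.string("sdrop.outport",   "Egress physical port",   base.NONE)
local sdrop_meta_vlan_id         = ProtoField.string("sdrop.vlanid",    "Vlan id",                base.NONE)
local sdrop_meta_drop_reason     = ProtoField.string("sdrop.reason",    "Drop reason",            base.NONE)
local sdrop_meta_drop_reason_str = ProtoField.string("sdrop.reasonstr", "Drop reason string",     base.NONE)
local sdrop_meta_time_stamp      = ProtoField.string("sdrop.stamp",     "Last detect time",       base.NONE)
local sdrop_meta_packet_size     = ProtoField.string("sdrop.pktsize",   "Original packet length", base.NONE)
local sdrop_meta_data_size       = ProtoField.string("sdrop.datasize",  "Data length",            base.NONE)

-- Fields must be registered here before the dissector may add them to a tree.
p_sdrop.fields = {
  sdrop_protocol_type,
  sdrop_meta_ingress_port,
  sdrop_meta_egress_port,
  sdrop_meta_vlan_id,
  sdrop_meta_drop_reason,
  sdrop_meta_drop_reason_str,
  sdrop_meta_time_stamp,
  sdrop_meta_packet_size,
  sdrop_meta_data_size,
}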

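--- Return the text between <key> and </key> in str, or nil when absent.
-- Only the first occurrence is used and the capture is non-greedy, so a
-- repeated element does not swallow everything up to the last closing tag.
-- The key is escaped before being spliced into the Lua pattern so that a key
-- containing pattern magic characters is still matched literally.
-- Attributes on the tag and nested elements are not handled. str is taken
-- straight off the wire, so callers must expect nil for any element.
-- @tparam string str  XML text
-- @tparam string key  element name without the angle brackets
-- @treturn string|nil
local function get_element(str, key)
  local literal_key = string.gsub(key, "(%W)", "%%%1")
  return string.match(str, "<" .. literal_key .. ">(.-)</" .. literal_key .. ">")
end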

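--- Dissect one sdrop UDP payload: an XML envelope with drop metadata and a
-- hex-encoded copy of the dropped Ethernet frame, which is decoded and handed
-- to the Ethernet dissector as a separate data source.
-- The payload is untrusted network input; elements that are missing or
-- malformed are skipped instead of being allowed to raise a Lua error.
-- @param buf   Tvb holding the UDP payload
-- @param pinfo packet info, forwarded to the Ethernet dissector
-- @param root  tree root to attach the sdrop subtree to
function p_sdrop.dissector(buf, pinfo, root)
  local len = buf:len()
  -- An empty payload would make the range below negative; nothing to show.
  if len < 1 then return end

  -- The last byte is excluded; presumably a trailing terminator after
  -- </dropPacket> -- TODO confirm against the exporter.
  local payload = buf(0, len - 1):string()

  local raw_pkt       = get_element(payload, "data")
  local datasize      = get_element(payload, "dataSize")
  local pktsize       = get_element(payload, "packetSize")
  local timestamp     = get_element(payload, "timeStamp")
  local dropreason    = get_element(payload, "dropReason")
  local dropreasonstr = get_element(payload, "dropReasonString")
  local vlanid        = get_element(payload, "vlanId")
  local inport        = get_element(payload, "ingressPhysicalPort")
  local outport       = get_element(payload, "egressPhysicalPort")

  -- Highlight the metadata part, i.e. the bytes before <data>; when the
  -- payload carries no <data> element, cover the whole payload instead.
  -- Plain find: "<data>" must not be interpreted as a pattern.
  local data_start = string.find(payload, "<data>", 1, true)
  local meta_len = data_start or len
  local sdrop_tree = root:add(p_sdrop, buf:range(0, meta_len))

  -- Elements absent from the XML are simply not added, rather than passing
  -- nil as the field value.
  local function add_text(field, value)
    if value ~= nil then
      sdrop_tree:add(field, value)
    end
  end

  sdrop_tree:add(sdrop_protocol_type, "SDrop")
  add_text(sdrop_meta_ingress_port, inport)
  add_text(sdrop_meta_egress_port, outport)
  add_text(sdrop_meta_vlan_id, vlanid)
  add_text(sdrop_meta_drop_reason, dropreason)
  add_text(sdrop_meta_drop_reason_str, dropreasonstr)
  add_text(sdrop_meta_time_stamp, timestamp)
  add_text(sdrop_meta_packet_size, pktsize)
  add_text(sdrop_meta_data_size, datasize)

  -- No embedded frame: the metadata subtree is all there is to show.
  if raw_pkt == nil then return end

  -- The exporter writes the hex on its own line (see the sample payload), so
  -- strip whitespace first. Only plain hex digits are decoded; any other
  -- content is attacker-controllable text and is not passed to ByteArray.new.
  local hex = string.gsub(raw_pkt, "%s+", "")
  if not string.match(hex, "^%x+$") then return end

  local frame_bytes = ByteArray.new(hex)
  local frame_tvb = ByteArray.tvb(frame_bytes, "Raw Payload")
  Dissector.get("eth_withoutfcs"):call(frame_tvb, pinfo, root)
end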

-- Route UDP port 32768 to this dissector. The port is fixed here; change it
-- if the exporter sends to a different one.
DissectorTable.get("udp.port"):add(32768, p_sdrop)
end