Wireshark Dissector - how to use dissectortable:add(pattern, dissector) with an ANY pattern?

Question


I am creating a custom dissector for Wireshark. I am adding my dissector to the dissector table kind of like this...

udp_table = DissectorTable.get("udp.port")
udp_table:add(7777,my_proto)

However, instead of my dissector handling just udp port 7777, I want it to handle ANY udp port or at least a really large range.

How do I do that?

The documentation says I can replace 7777 (the pattern) with a range, but I'm not sure what the syntax is for that.

Thanks!

Answer

In theory a range is added using a Lua string for the first argument to dissectortable:add(), where the string is a range such as "7777-8888". However, there may be a bug preventing that working right now (see this ask.wireshark.org thread).

Regardless, you should not make your dissector operate on every UDP port, since it wouldn't be true and would collide with a whole bunch of well-known UDP port uses (e.g., DNS, UPNP, SIP, etc.), as well as dynamically used ones such as for RTP and RTCP.

Perhaps what you really want to do is have a heuristic dissector? If so, you can make a Lua dissector be a heuristic one starting in Wireshark v1.11.3 and beyond (the most recent Wireshark version is 1.12rc2). See the API docs for proto:register_heuristic, and the example dissector.lua script at the top of the Lua examples page (http://wiki.wireshark.org/Lua/Examples).
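The following is an added example, not code from the question or the answer: it registers a hypothetical "myproto" Lua dissector both for a port range (the string pattern described above) and as a UDP heuristic via proto:register_heuristic. The 8-byte header layout (4-byte magic "MYP1", 2-byte type, 2-byte length) is an assumption made up for the example; the heuristic only accepts a packet when that header checks out, so it does not claim DNS, SIP, RTP or other UDP traffic.

```lua
-- Added example (not from the question or answer). "myproto" and its header
-- layout are hypothetical: magic "MYP1" (4 bytes), type (2 bytes), length (2 bytes).
local my_proto = Proto("myproto", "My Hypothetical Protocol")

local f_magic = ProtoField.string("myproto.magic", "Magic")
local f_type  = ProtoField.uint16("myproto.type", "Type", base.DEC)
local f_len   = ProtoField.uint16("myproto.len", "Length", base.DEC)
my_proto.fields = { f_magic, f_type, f_len }

local MAGIC   = "MYP1"
local HDR_LEN = 8

-- Normal dissector: invoked for packets on the ports registered below.
function my_proto.dissector(tvb, pinfo, tree)
    if tvb:len() < HDR_LEN then return 0 end
    pinfo.cols.protocol = my_proto.name
    local subtree = tree:add(my_proto, tvb(0, HDR_LEN))
    subtree:add(f_magic, tvb(0, 4))
    subtree:add(f_type,  tvb(4, 2))
    subtree:add(f_len,   tvb(6, 2))
    return HDR_LEN
end

-- Heuristic: claim the packet only if the header really looks like ours.
-- Returning false lets other heuristic dissectors try instead.
local function heur_dissect(tvb, pinfo, tree)
    if tvb:len() < HDR_LEN then return false end
    if tvb(0, 4):string() ~= MAGIC then return false end
    -- Declared length must match the datagram length, a cheap sanity check
    -- that keeps random payloads from matching on the magic alone.
    if tvb(6, 2):uint() ~= tvb:len() then return false end
    my_proto.dissector(tvb, pinfo, tree)
    -- Route later packets of this conversation straight to our dissector.
    pinfo.conversation = my_proto
    return true
end

-- Range syntax from the answer: a "low-high" string as the pattern.
DissectorTable.get("udp.port"):add("7777-8888", my_proto)
-- Heuristic registration on UDP (Wireshark 1.11.3 and later).
my_proto:register_heuristic("udp", heur_dissect)
```

Load it with `wireshark -X lua_script:myproto.lua` and compare a capture with and without the heuristic registration to see which packets get claimed.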



09-08 16:10