wireshark插件,如何关联请求应答(如ping协议)?
缘起
最近工作中,接触的内部协议比较多(项目历史原因),于是想编写 wireshark plugin,来辅助分析业务报文, 从中寻找包含特定请求的报文。
遇到一个问题,如何对请求和应答进行关联,我知道 wireshark 解析 ping 协议,是支持ping-pong相互跳转的。
于是想自己写的协议插件,也具有这种功能,于是开始google。 在 wireshark 社区找到了sindy
大神的这段回答,很受启发。原文如下:
The dissector code has no access to pinfo of any other packet than the one currently dissected.
If some transaction ID exists in modbus which allows you to match requests and responses, you may use two global tables indexed by this transaction ID and store the frame.number of the currently dissected packet to the appropriate table (request{transactionId} or response{transactionId}) during the first pass of the dissector (after loading the file, all packets are dissected in sequence). Whenever you click a packet in the packet list, it is dissected again so that the dissectoon tree could be displayed in the dissection pane; whenever you change the display filter, the packets are dissected in sequence again to be able to match the dissected fields to the filter conditions. So while dissecting a response, you may check whether a matching request exists in the capture by looking to request{transactionId}, and vice versa.
Have a look here to see how to render that information into the dissection tree nicely.
尝试使用 lua 实现
简单看了下 lua dict 的使用,然后就实现了以下工具方法:
- 1 双 dict 缓存代码如下:
|
|
- 2 调用入口:
|
|
- 3 定义2个 framenum 字段
这两个字段具有超链接功能,可以跳转到指定的frame.number
。
|
|
总结
基于双dict缓存,构造一次会话相关的唯一id(即transaction_id); 然后在 wireshark 中就能很方便的在req/rsp 之间来回跳转。
更上一层楼
借助于 wireshark 强大的检索能力,还可以实现各种复杂的查询需求: