
Writing a plugin dissector for Wireshark

I have to write one Wireshark dissector as a plugin for a protocol. I have one captured file containing hexadecimal byte-code input that is to be dissected through my dissector/plugin.

How do I do it?

I've built one basic Wireshark plugin as per

https://www.wireshark.org/docs/wsdg_html_chunked/ChDissectAdd.html

and doc/README.plugins

so I know the basic steps to build the Wireshark plugin (custom extension). But I don't know where to put that file to analyze, and what are all the functions needed to write in my packet-dissector.c?

Any suggestions?

Thanks.

There's a third-party plugin, the Wireshark Generic Dissector, which lets you dissect protocols without writing any code. Binary versions of the plugin are available for Windows and at least some Linux distributions; source is available so that you can compile it for other platforms. You might want to see whether that would make it easier.

There are a lot of packet-xxx.c files in the epan tree. Depending on the base protocol (UDP/TCP/other), select one of the protocol dissectors and look at what has been used to dissect the protocol. This should be a good template for your dissector.

Further, you should consider that a dissector can be sophisticated, showing a lot of details, flow analysis, protocol violation indication, and so on. What is really required depends on the expectations of the dissector and can't be answered in general.

If it's being created as a plugin, add a new directory for your protocol in the plugins folder. Add the needed files (makefile.am, cmakefile.txt, etc. and your .c) in this directory. Change the makefiles to compile and create a DLL for your new dissector. Look at the gryphon plugin example and make similar changes for your dissector.

This should create "yourproto.dll" in the run directory, which means Wireshark is ready to recognize your protocol.
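As an added example (not from the question or any of the answers above), here are the same three parts a packet-xxx.c needs, written in Wireshark's Lua dissector API so they can be tried without a compiler: protocol and field registration (proto_register_protocol / proto_register_field_array in C), the dissect function (dissect_xxx), and the handoff that hooks the protocol to a port (proto_reg_handoff_xxx with dissector_add_uint). The protocol layout, the name exproto and UDP port 5000 are constructed for this example, and it also shows the bounds checks and expert info behind the "protocol violation indication" mentioned above.

```lua
-- Added example, not from the original question or answers.
-- Constructed protocol "exproto" (hypothetical): 1-byte type, 2-byte big-endian
-- payload length, then that many payload bytes. UDP port 5000 is a placeholder.
local exproto = Proto("exproto", "Example Protocol (constructed)")

-- Fields: the Lua analogue of hf_register_info / proto_register_field_array.
local f_type    = ProtoField.uint8 ("exproto.type",    "Message type",   base.DEC)
local f_len     = ProtoField.uint16("exproto.len",     "Payload length", base.DEC)
local f_payload = ProtoField.bytes ("exproto.payload", "Payload")
exproto.fields = { f_type, f_len, f_payload }

-- Expert info for protocol violation indication (cf. expert_add_info in C).
local ef_short = ProtoExpert.new("exproto.too_short", "Header truncated",
                                 expert.group.MALFORMED, expert.severity.ERROR)
local ef_len   = ProtoExpert.new("exproto.bad_len",
                                 "Length field exceeds captured payload",
                                 expert.group.MALFORMED, expert.severity.ERROR)
exproto.experts = { ef_short, ef_len }

local HDR_LEN = 3

-- The dissect function: equivalent of dissect_exproto(tvb, pinfo, tree, data) in C.
function exproto.dissector(buffer, pinfo, tree)
  pinfo.cols.protocol = exproto.name
  local subtree = tree:add(exproto, buffer(), "Example Protocol")

  -- Bounds-check before reading: never trust the packet to be long enough.
  if buffer:len() < HDR_LEN then
    subtree:add_proto_expert_info(ef_short)
    return buffer:len()
  end

  local msg_type = buffer(0, 1):uint()
  local plen     = buffer(1, 2):uint()     -- big-endian, matching ProtoField.uint16
  subtree:add(f_type, buffer(0, 1))
  subtree:add(f_len,  buffer(1, 2))
  pinfo.cols.info = string.format("type=%d len=%d", msg_type, plen)

  -- Never trust the length field either: clamp to what was actually captured.
  local avail = buffer:len() - HDR_LEN
  if plen > avail then
    subtree:add_proto_expert_info(ef_len)
    plen = avail
  end
  if plen > 0 then
    subtree:add(f_payload, buffer(HDR_LEN, plen))
  end
  return HDR_LEN + plen
end

-- Handoff: equivalent of proto_reg_handoff_exproto() calling dissector_add_uint("udp.port", ...).
DissectorTable.get("udp.port"):add(5000, exproto)
```

Save this as a .lua file in the personal Lua plugins directory (Help > About Wireshark > Folders shows the path) and use Analyze > Reload Lua Plugins; no rebuild of Wireshark is needed to iterate on it.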
