
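    Functions For New Protocols And Dissectors

    The classes and functions in this chapter allow Lua scripts to create new protocols for Wireshark. Proto protocol objects can have preferences, ProtoField fields for filterable values that can be displayed in the details view tree, functions for dissecting the new protocol, and so on.

    The dissection function can be hooked into existing protocol tables through a DissectorTable so that the new protocol’s dissector function is called by that protocol, and the new dissector can itself call other, already existing protocol dissectors by retrieving and calling their Dissector objects. A Proto dissector can also be used as a post-dissector, run at the end of every frame’s dissection, or as a heuristic dissector.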

    Dissector

    Dissector.get(name)

    Obtains a dissector reference by name.

    Arguments

    name

    The name of the dissector.

    Returns

    The Dissector reference.

    Dissector.list()

    Gets a Lua array table of all registered Dissector names.

    Note: This is an expensive operation, and should only be used for troubleshooting.

    Returns

    The array table of registered dissector names.

    dissector:call(tvb, pinfo, tree)

    Calls a dissector against a given packet (or part of it).

    Arguments

    tvb

    The buffer to dissect.

    pinfo

    The packet info.

    tree

    The tree on which to add the protocol items.

    Returns

    Number of bytes dissected. Note that some dissectors always return number of bytes in incoming buffer, so be aware.

    dissector:__call(tvb, pinfo, tree)

    Calls a dissector against a given packet (or part of it).

    Arguments

    tvb

    The buffer to dissect.

    pinfo

    The packet info.

    tree

    The tree on which to add the protocol items.

    dissector:__tostring()

    Gets the Dissector’s protocol short name.

    Returns
    A string of the protocol’s short name.

    DissectorTable

    A table of subdissectors of a particular protocol (e.g. TCP subdissectors like http, smtp, sip are added to table “tcp.port”).

    Useful to add more dissectors to a table so that they appear in the “Decode As…” dialog.

    DissectorTable.new(tablename, [uiname], [type], [base], [proto])

    Creates a new DissectorTable for your dissector’s use.

    Arguments

    tablename

    The short name of the table. Use lower-case alphanumeric, dot, and/or underscores (e.g., “ansi_map.tele_id” or “udp.port”).

    uiname (optional)

    The name of the table in the user interface. Defaults to the name given in tablename, but can be any string.

    type (optional)

    One of ftypes.UINT8, ftypes.UINT16, ftypes.UINT24, ftypes.UINT32, or ftypes.STRING. Defaults to ftypes.UINT32.

    base (optional)

    One of base.NONE, base.DEC, base.HEX, base.OCT, base.DEC_HEX or base.HEX_DEC. Defaults to base.DEC.

    proto (optional)

    The Proto object that uses this dissector table.

    Returns

    The newly created DissectorTable.

    DissectorTable.list()

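    Gets a Lua array table of all DissectorTable names, i.e., the string names you can use for the first argument to DissectorTable.get().

    Returns

    The array table of registered DissectorTable names.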

    DissectorTable.heuristic_list()

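    Gets a Lua array table of all heuristic list names, i.e., the string names you can use for the first argument to Proto:register_heuristic().

    Returns

    The array table of registered heuristic list names.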

    DissectorTable.get(tablename)

    Obtain a reference to an existing dissector table.

    Arguments

    tablename

    The short name of the table.

    Returns

    The DissectorTable.

    dissectortable:add(pattern, dissector)

    Adds a Proto with a dissector function, or a Dissector object, to the dissector table.

    Arguments

    pattern

    The pattern to match (either an integer, an integer range or a string depending on the table’s type).

    dissector

    The dissector to add (either a Proto or a Dissector).

    dissectortable:set(pattern, dissector)

    Clears all existing dissectors from a table and adds a new dissector or a range of new dissectors.

    Arguments

    pattern

    The pattern to match (either an integer, an integer range or a string depending on the table’s type).

    dissector

    The dissector to add (either a Proto or a Dissector).

    dissectortable:remove(pattern, dissector)

    Removes a dissector or a range of dissectors from a table.

    Arguments

    pattern

    The pattern to match (either an integer, an integer range or a string depending on the table’s type).

    dissector

    The dissector to remove

    dissectortable:remove_all(dissector)

    Removes all dissectors from a table.

    Arguments

    dissector

    The dissector to remove

    dissectortable:try(pattern, tvb, pinfo, tree)

    Try to call a dissector from a table.

    Arguments

    pattern

    The pattern to be matched (either an integer or a string depending on the table’s type).

    tvb

    The Tvb to dissect.

    pinfo

    The packet’s Pinfo.

    tree

    The TreeItem on which to add the protocol items.

    Returns

    Number of bytes dissected. Note that some dissectors always return number of bytes in incoming buffer, so be aware.

    dissectortable:get_dissector(pattern)

    Try to obtain a dissector from a table.

    Arguments

    pattern

    The pattern to be matched (either an integer or a string depending on the table’s type).

    Returns

    The Dissector handle if found, otherwise nil

    dissectortable:add_for_decode_as(proto)

    Adds the given Proto to the “Decode As…” list for this DissectorTable. The passed-in Proto object’s dissector() function is used for dissecting.

    dissectortable:__tostring()

    Gets some debug information about the DissectorTable.

    Returns

    A string of debug information about the DissectorTable.

    Pref

    Pref.bool(label, default, descr)

    Creates a boolean preference to be added to a Proto.prefs Lua table.

    Example:

        -- create a Boolean preference named "bar" for Foo Protocol
        -- (assuming Foo doesn't already have a preference named "bar")
        proto_foo.prefs.bar = Pref.bool( "Bar", true, "Baz and all the rest" )

    Arguments

    label

    The Label (text in the right side of the preference input) for this preference.

    default

    The default value for this preference.

    descr

    A description of this preference.

    Pref.uint(label, default, descr)

    Arguments

    label

    The Label (text in the right side of the preference input) for this preference.

    default

    The default value for this preference.

    descr

    A description of what this preference is.

    Pref.string(label, default, descr)

    Arguments

    label

    The Label (text in the right side of the preference input) for this preference.

    default

    The default value for this preference.

    descr

    A description of what this preference is.

    Pref.enum(label, default, descr, enum, radio)

    Example:

        local OUTPUT_OFF        = 0
        local OUTPUT_DEBUG      = 1
        local OUTPUT_INFO       = 2
        local OUTPUT_WARN       = 3
        local OUTPUT_ERROR      = 4
        local output_tab = {
                { 1, "Off"              , OUTPUT_OFF },
                { 2, "Debug"            , OUTPUT_DEBUG },
                { 3, "Information"      , OUTPUT_INFO },
                { 4, "Warning"          , OUTPUT_WARN },
                { 5, "Error"            , OUTPUT_ERROR },
        }
        -- Create enum preference that shows as Combo Box under
        -- Foo Protocol's preferences
        proto_foo.prefs.outputlevel = Pref.enum(
                "Output Level",                 -- label
                OUTPUT_INFO,                    -- default value
                "Verbosity of log output",      -- description
                output_tab,                     -- enum table
                false                           -- show as combo box
        )
        -- Then, we can query the value of the selected preference.
        -- The preference evaluates to the third element of the selected
        -- entry, so this line prints "Output Level: 2" assuming the
        -- selected output level is OUTPUT_INFO.
        debug( "Output Level: " .. proto_foo.prefs.outputlevel )

    Arguments

    label
    The Label (text in the right side of the preference input) for this preference.
    default
    The default value for this preference.
    descr
    A description of what this preference is.
    enum
    An enum Lua table.
    radio
    Radio button (true) or Combobox (false).

    Pref.range(label, default, descr, max)

    Creates a range (numeric text entry) preference to be added to a Proto.prefs Lua table.

    Arguments

    label

    The Label (text in the right side of the preference input) for this preference.

    default

    The default value for this preference, e.g., “53”, “10-30”, or “10-30,53,55,100-120”.

    descr

    A description of what this preference is.

    max

    The maximum value.

    Pref.statictext(label, descr)

    Creates a static text string to be added to a Proto.prefs Lua table.

    Arguments

    label

    The static text.

    descr
    The static text description.

    Prefs

    prefs:__newindex(name, pref)

    Creates a new preference.

    Arguments

    name

    The abbreviation of this preference.

    pref

    A valid but still unassigned Pref object.

    Errors
    • Unknown Pref type

    prefs:__index(name)

    Gets the value of a preference setting.

    Example:

        -- print the value of Foo's preference named "bar"
        debug( "bar = " .. proto_foo.prefs.bar )

    Arguments

    name

    The abbreviation of this preference.

    Returns

    The current value of the preference.

    Errors
    • Unknown Pref type

    Proto

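    A new protocol in Wireshark. Protocols have several uses. The main one is to dissect a protocol, but they can also be dummies used to register preferences for other purposes.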

    Proto.new(name, desc)

    Creates a new Proto object.

    Arguments

    name

    The name of the protocol.

    desc

    A Long Text description of the protocol (usually lowercase).

    Returns

    The newly created Proto object.

    proto:__call(name, desc)

    Creates a new Proto object.

    Arguments

    name

    The name of the protocol.

    desc

    A Long Text description of the protocol (usually lowercase).

    Returns

    The new Proto object.

    proto:register_heuristic(listname, func)

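    Registers a heuristic dissector function for this Proto protocol, for the given heuristic list name.

    When later called, the passed-in function will be given:

    1. A Tvb object
    2. A Pinfo object
    3. A TreeItem object

    The function must return true if the payload is for it, otherwise false.

    The function should perform as much verification as possible to ensure the payload is for it, and dissect the packet (including setting TreeItem information and so on) only if the payload is for it, before returning true or false.

    Since version 1.99.1, this function also accepts a Dissector object as the second argument, to allow reusing the same Lua code as the function proto.dissector(…). In this case, the dissector must return a Lua number of the number of bytes consumed/parsed: if 0 is returned, it is treated as a false return for the heuristic; if a positive or negative number is returned, it is treated as a true return for the heuristic, meaning the packet is for this protocol and no other heuristic will be tried.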

    Arguments

    listname

    The heuristic list name this function is a heuristic for (e.g., “udp” or “infiniband.payload”).

    func

    A Lua function that will be invoked for heuristic dissection.
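
    A heuristic that verifies too little claims other protocols’ traffic and hides the real dissection from the analyst. The following added example (not from the original documentation) does all verification before touching the tree; the "FOOH" protocol, its magic value and its header layout are hypothetical.

```lua
-- Added example. Hypothetical 8-byte header:
--   magic(4) | version(1) | type(1) | total length(2, big-endian)
local HDR_LEN = 8
local MAGIC   = 0x464F4F48   -- ASCII "FOOH" (constructed value)

local proto_fooh = Proto("fooh", "Foo Heuristic Protocol (hypothetical)")

local f_magic   = ProtoField.uint32("fooh.magic",   "Magic",        base.HEX)
local f_version = ProtoField.uint8 ("fooh.version", "Version",      base.DEC)
local f_type    = ProtoField.uint8 ("fooh.type",    "Type",         base.HEX)
local f_length  = ProtoField.uint16("fooh.length",  "Total length", base.DEC)
proto_fooh.fields = { f_magic, f_version, f_type, f_length }

-- Verification only: reads the buffer, never modifies the tree or columns,
-- so a rejected packet leaves no trace for the next heuristic in the list.
local function looks_like_fooh(tvb)
    -- Too short (or truncated by the capture) to hold the fixed header.
    if tvb:len() < HDR_LEN then return false end
    if tvb(0, 4):uint() ~= MAGIC then return false end
    -- Only versions this dissector understands.
    local version = tvb(4, 1):uint()
    if version ~= 1 and version ~= 2 then return false end
    -- The declared length must equal the datagram's on-the-wire length.
    return tvb(6, 2):uint() == tvb:reported_len()
end

-- Dissection proper: only reached after every check above has passed.
local function dissect_fooh(tvb, pinfo, tree)
    pinfo.cols.protocol = "FOOH"
    local subtree = tree:add(proto_fooh, tvb(0, HDR_LEN))
    subtree:add(f_magic,   tvb(0, 4))
    subtree:add(f_version, tvb(4, 1))
    subtree:add(f_type,    tvb(5, 1))
    subtree:add(f_length,  tvb(6, 2))
end

-- Heuristic entry point: true claims the packet, false passes it on.
local function heur_fooh(tvb, pinfo, tree)
    if not looks_like_fooh(tvb) then return false end
    dissect_fooh(tvb, pinfo, tree)
    return true
end

-- Regular dissector built on the same checks, returning bytes consumed
-- (0 means "not mine").
function proto_fooh.dissector(tvb, pinfo, tree)
    if not looks_like_fooh(tvb) then return 0 end
    dissect_fooh(tvb, pinfo, tree)
    return tvb:len()
end

proto_fooh:register_heuristic("udp", heur_fooh)
```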

    proto.dissector

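    Mode: Retrieve or assign.

    The protocol’s dissector, a function you define.

    When later called, the function will be given:

    1. A Tvb object
    2. A Pinfo object
    3. A TreeItem object

    proto.prefs

    Mode: Retrieve or assign.

    proto.prefs_changed

    Mode: Assign only.

    The preferences changed routine of this dissector, a Lua function you define.

    proto.init

    Mode: Assign only.

    The init routine of this dissector, a function you define.

    The called init function is passed no arguments.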

    proto.name

    Mode: Retrieve only.

    The name given to this dissector.

    proto.description

    Mode: Retrieve only.

    The description given to this dissector.

    proto.fields

    Mode: Retrieve or assign.

    The ProtoFields Lua table of this dissector.

    proto.experts

    Mode: Retrieve or assign.

    The expert info Lua table of this Proto.

    ProtoExpert

    A Protocol expert info field, to be used when adding items to the dissection tree.

    ProtoExpert.new(abbr, text, group, severity)

    Creates a new ProtoExpert object to be used for a protocol’s expert information notices.

    Arguments

    abbr

    Filter name of the expert info field (the string that is used in filters).

    text

    The default text of the expert field.

    group

    Expert group type: one of: expert.group.CHECKSUM, expert.group.SEQUENCE, expert.group.RESPONSE_CODE, expert.group.REQUEST_CODE, expert.group.UNDECODED, expert.group.REASSEMBLE, expert.group.MALFORMED, expert.group.DEBUG, expert.group.PROTOCOL, expert.group.SECURITY, expert.group.COMMENTS_GROUP or expert.group.DECRYPTION.

    severity

    Expert severity type: one of: expert.severity.COMMENT, expert.severity.CHAT, expert.severity.NOTE, expert.severity.WARN, or expert.severity.ERROR.

    Returns

    The newly created ProtoExpert object.

    protoexpert:__tostring()

    Returns a string with debugging information about a ProtoExpert object.

    ProtoField

    A Protocol field (to be used when adding items to the dissection tree).

    ProtoField.new(name, abbr, type, [valuestring], [base], [mask], [descr])

    Creates a new ProtoField object to be used for a protocol field.

    Arguments

    name

    Actual name of the field (the string that appears in the tree).

    abbr

    Filter name of the field (the string that is used in filters).

    type

    Field Type: one of: ftypes.BOOLEAN, ftypes.CHAR, ftypes.UINT8, ftypes.UINT16, ftypes.UINT24, ftypes.UINT32, ftypes.UINT64, ftypes.INT8, ftypes.INT16, ftypes.INT24, ftypes.INT32, ftypes.INT64, ftypes.FLOAT, ftypes.DOUBLE, ftypes.ABSOLUTE_TIME, ftypes.RELATIVE_TIME, ftypes.STRING, ftypes.STRINGZ, ftypes.UINT_STRING, ftypes.ETHER, ftypes.BYTES, ftypes.UINT_BYTES, ftypes.IPv4, ftypes.IPv6, ftypes.IPXNET, ftypes.FRAMENUM, ftypes.PCRE, ftypes.GUID, ftypes.OID, ftypes.PROTOCOL, ftypes.REL_OID, ftypes.SYSTEM_ID, ftypes.EUI64 or ftypes.NONE.

    valuestring (optional)

    A table containing the text that corresponds to the values, or a table containing tables of range string values that corresponds to the values ({min, max, “string”}) if the base is base.RANGE_STRING, or a table containing unit name for the values if base is base.UNIT_STRING, or one of frametype.NONE, frametype.REQUEST, frametype.RESPONSE, frametype.ACK or frametype.DUP_ACK if field type is ftypes.FRAMENUM.

    base (optional)

    The representation, one of: base.NONE, base.DEC, base.HEX, base.OCT, base.DEC_HEX, base.HEX_DEC, base.UNIT_STRING or base.RANGE_STRING.

    mask (optional)

    The bitmask to be used.

    descr (optional)

    The description of the field.

    Returns

    The newly created ProtoField object.

    ProtoField.char(abbr, [name], [base], [valuestring], [mask], [desc])

    Creates a ProtoField of an 8-bit ASCII character.

    Arguments

    abbr

    Abbreviated name of the field (the string used in filters).

    name (optional)

    Actual name of the field (the string that appears in the tree).

    base (optional)

    One of base.NONE, base.HEX, base.OCT or base.RANGE_STRING.

    valuestring (optional)

    A table containing the text that corresponds to the values, or a table containing tables of range string values that correspond to the values ({min, max, “string”}) if the base is base.RANGE_STRING.

    mask (optional)

    Integer mask of this field.

    desc (optional)

    Description of the field.

    Returns

    A ProtoField object to be added to a table set to the Proto.fields attribute.

    ProtoField.uint8(abbr, [name], [base], [valuestring], [mask], [desc])

    Creates a ProtoField of an unsigned 8-bit integer (i.e., a byte).

    Arguments

    abbr

    Abbreviated name of the field (the string used in filters).

    name (optional)

    Actual name of the field (the string that appears in the tree).

    base (optional)

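    One of base.DEC, base.HEX, base.OCT, base.DEC_HEX, base.HEX_DEC, base.UNIT_STRING or base.RANGE_STRING.

    valuestring (optional)

    A table containing the text that corresponds to the values, or a table containing tables of range string values that correspond to the values ({min, max, “string”}) if the base is base.RANGE_STRING, or a table containing the unit name for the values if base is base.UNIT_STRING.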

    mask (optional)

    Integer mask of this field.

    desc (optional)

    Description of the field.

    Returns

    A ProtoField object to be added to a table set to the Proto.fields attribute.

    ProtoField.uint16(abbr, [name], [base], [valuestring], [mask], [desc])

    Creates a ProtoField of an unsigned 16-bit integer.

    Arguments

    abbr

    Abbreviated name of the field (the string used in filters).

    name (optional)

    Actual name of the field (the string that appears in the tree).

    base (optional)

    One of base.DEC, base.HEX, base.OCT, base.DEC_HEX, base.HEX_DEC, base.UNIT_STRING or base.RANGE_STRING.

    valuestring (optional)

    A table containing the text that corresponds to the values, or a table containing tables of range string values that correspond to the values ({min, max, “string”}) if the base is base.RANGE_STRING, or a table containing unit name for the values if base is base.UNIT_STRING.

    mask (optional)

    Integer mask of this field.

    desc (optional)

    Description of the field.

    Returns

    A ProtoField object to be added to a table set to the Proto.fields attribute.

    ProtoField.uint24(abbr, [name], [base], [valuestring], [mask], [desc])

    Creates a ProtoField of an unsigned 24-bit integer.

    Arguments

    abbr

    Abbreviated name of the field (the string used in filters).

    name (optional)

    Actual name of the field (the string that appears in the tree).

    base (optional)

    One of base.DEC, base.HEX, base.OCT, base.DEC_HEX, base.HEX_DEC, base.UNIT_STRING, or base.RANGE_STRING.

    valuestring (optional)

    A table containing the text that corresponds to the values, or a table containing tables of range string values that correspond to the values ({min, max, “string”}) if the base is base.RANGE_STRING, or a table containing the unit name for the values if base is base.UNIT_STRING.

    mask (optional)

    Integer mask of this field.

    desc (optional)

    Description of the field.

    Returns

    A ProtoField object to be added to a table set to the Proto.fields attribute.

    ProtoField.uint32(abbr, [name], [base], [valuestring], [mask], [desc])

    Creates a ProtoField of an unsigned 32-bit integer.

    Arguments

    abbr

    Abbreviated name of the field (the string used in filters).

    name (optional)

    Actual name of the field (the string that appears in the tree).

    base (optional)

    One of base.DEC, base.HEX, base.OCT, base.DEC_HEX, base.HEX_DEC, base.UNIT_STRING, or base.RANGE_STRING.

    valuestring (optional)

    A table containing the text that corresponds to the values, or a table containing tables of range string values that correspond to the values ({min, max, “string”}) if the base is base.RANGE_STRING, or a table containing the unit name for the values if base is base.UNIT_STRING.

    mask (optional)

    Integer mask of this field.

    desc (optional)

    Description of the field.

    Returns

    A ProtoField object to be added to a table set to the Proto.fields attribute.

    ProtoField.uint64(abbr, [name], [base], [valuestring], [mask], [desc])

    Creates a ProtoField of an unsigned 64-bit integer.

    Arguments

    abbr

    Abbreviated name of the field (the string used in filters).

    name (optional)

    Actual name of the field (the string that appears in the tree).

    base (optional)

    One of base.DEC, base.HEX, base.OCT, base.DEC_HEX, base.HEX_DEC, base.UNIT_STRING, or base.RANGE_STRING.

    valuestring (optional)

    A table containing the text that corresponds to the values, or a table containing tables of range string values that correspond to the values ({min, max, “string”}) if the base is base.RANGE_STRING, or a table containing the unit name for the values if base is base.UNIT_STRING.

    mask (optional)

    Integer mask of this field.

    desc (optional)

    Description of the field.

    Returns

    A ProtoField object to be added to a table set to the Proto.fields attribute.

    ProtoField.int8(abbr, [name], [base], [valuestring], [mask], [desc])

    Creates a ProtoField of a signed 8-bit integer (i.e., a byte).

    Arguments

    abbr

    Abbreviated name of the field (the string used in filters).

    name (optional)

    Actual name of the field (the string that appears in the tree).

    base (optional)

    One of base.DEC, base.UNIT_STRING, or base.RANGE_STRING.

    valuestring (optional)

    A table containing the text that corresponds to the values, or a table containing tables of range string values that correspond to the values ({min, max, “string”}) if the base is base.RANGE_STRING, or a table containing unit name for the values if base is base.UNIT_STRING.

    mask (optional)

    Integer mask of this field.

    desc (optional)

    Description of the field.

    Returns

    A ProtoField object to be added to a table set to the Proto.fields attribute.

    ProtoField.int16(abbr, [name], [base], [valuestring], [mask], [desc])

    Creates a ProtoField of a signed 16-bit integer.

    Arguments

    abbr

    Abbreviated name of the field (the string used in filters).

    name (optional)

    Actual name of the field (the string that appears in the tree).

    base (optional)

    One of base.DEC, base.UNIT_STRING, or base.RANGE_STRING.

    valuestring (optional)

    A table containing the text that corresponds to the values, or a table containing tables of range string values that correspond to the values ({min, max, “string”}) if the base is base.RANGE_STRING, or a table containing unit name for the values if base is base.UNIT_STRING.

    mask (optional)

    Integer mask of this field.

    desc (optional)

    Description of the field.

    Returns

    A ProtoField object to be added to a table set to the Proto.fields attribute.

    ProtoField.int24(abbr, [name], [base], [valuestring], [mask], [desc])

    Creates a ProtoField of a signed 24-bit integer.

    Arguments

    abbr

    Abbreviated name of the field (the string used in filters).

    name (optional)

    Actual name of the field (the string that appears in the tree).

    base (optional)

    One of base.DEC, base.UNIT_STRING, or base.RANGE_STRING.

    valuestring (optional)

    A table containing the text that corresponds to the values, or a table containing tables of range string values that correspond to the values ({min, max, “string”}) if the base is base.RANGE_STRING, or a table containing unit name for the values if base is base.UNIT_STRING.

    mask (optional)

    Integer mask of this field.

    desc (optional)

    Description of the field.

    Returns

    A ProtoField object to be added to a table set to the Proto.fields attribute.

    ProtoField.int32(abbr, [name], [base], [valuestring], [mask], [desc])

    Creates a ProtoField of a signed 32-bit integer.

    Arguments

    abbr

    Abbreviated name of the field (the string used in filters).

    name (optional)

    Actual name of the field (the string that appears in the tree).

    base (optional)

    One of base.DEC, base.UNIT_STRING, or base.RANGE_STRING.

    valuestring (optional)

    A table containing the text that corresponds to the values, or a table containing tables of range string values that correspond to the values ({min, max, “string”}) if the base is base.RANGE_STRING, or a table containing unit name for the values if base is base.UNIT_STRING.

    mask (optional)

    Integer mask of this field.

    desc (optional)

    Description of the field.

    Returns

    A ProtoField object to be added to a table set to the Proto.fields attribute.

    ProtoField.int64(abbr, [name], [base], [valuestring], [mask], [desc])

    Creates a ProtoField of a signed 64-bit integer.

    Arguments

    abbr

    Abbreviated name of the field (the string used in filters).

    name (optional)

    Actual name of the field (the string that appears in the tree).

    base (optional)

    One of base.DEC, base.UNIT_STRING, or base.RANGE_STRING.

    valuestring (optional)

    A table containing the text that corresponds to the values, or a table containing tables of range string values that correspond to the values ({min, max, “string”}) if the base is base.RANGE_STRING, or a table containing unit name for the values if base is base.UNIT_STRING.

    mask (optional)

    Integer mask of this field.

    desc (optional)

    Description of the field.

    Returns

    A ProtoField object to be added to a table set to the Proto.fields attribute.

    ProtoField.framenum(abbr, [name], [base], [frametype], [mask], [desc])

    Creates a ProtoField for a frame number (for hyperlinks between frames).

    Arguments

    abbr

    Abbreviated name of the field (the string used in filters).

    name (optional)

    Actual name of the field (the string that appears in the tree).

    base (optional)

    Only base.NONE is supported for framenum.

    frametype (optional)

    One of frametype.NONE, frametype.REQUEST, frametype.RESPONSE, frametype.ACK or frametype.DUP_ACK.

    mask (optional)

    Integer mask of this field, which must be 0 for framenum.

    desc (optional)

    Description of the field.

    Returns

    A ProtoField object to be added to a table set to the Proto.fields attribute.

    ProtoField.bool(abbr, [name], [display], [valuestring], [mask], [desc])

    Creates a ProtoField for a boolean true/false value.

    Arguments

    abbr

    Abbreviated name of the field (the string used in filters).

    name (optional)

    Actual name of the field (the string that appears in the tree).

    display (optional)

    How wide the parent bitfield is (base.NONE is used for NULL-value).

    valuestring (optional)

    A table containing the text that corresponds to the values.

    mask (optional)

    Integer mask of this field.

    desc (optional)

    Description of the field.

    Returns

    A ProtoField object to be added to a table set to the Proto.fields attribute.

    ProtoField.absolute_time(abbr, [name], [base], [desc])

    Creates a ProtoField of a time_t structure value.

    Arguments

    abbr

    Abbreviated name of the field (the string used in filters).

    name (optional)

    Actual name of the field (the string that appears in the tree).

    base (optional)

    One of base.LOCAL, base.UTC or base.DOY_UTC.

    desc (optional)

    Description of the field.

    Returns

    A ProtoField object to be added to a table set to the Proto.fields attribute.

    ProtoField.relative_time(abbr, [name], [desc])

    Creates a ProtoField of a time_t structure value.

    Arguments

    abbr

    Abbreviated name of the field (the string used in filters).

    name (optional)

    Actual name of the field (the string that appears in the tree).

    desc (optional)

    Description of the field.

    Returns

    A ProtoField object to be added to a table set to the Proto.fields attribute.

    ProtoField.float(abbr, [name], [valuestring], [desc])

    Creates a ProtoField of a floating point number (4 bytes).

    Arguments

    abbr

    Abbreviated name of the field (the string used in filters).

    name (optional)

    Actual name of the field (the string that appears in the tree).

    valuestring (optional)

    A table containing unit name for the values.

    desc (optional)

    Description of the field.

    Returns

    A ProtoField object to be added to a table set to the Proto.fields attribute.

    ProtoField.double(abbr, [name], [valuestring], [desc])

    Creates a ProtoField of a double-precision floating point (8 bytes).

    Arguments

    abbr

    Abbreviated name of the field (the string used in filters).

    name (optional)

    Actual name of the field (the string that appears in the tree).

    valuestring (optional)

    A table containing unit name for the values.

    desc (optional)

    Description of the field.

    Returns

    A ProtoField object to be added to a table set to the Proto.fields attribute.

    ProtoField.string(abbr, [name], [display], [desc])

    Creates a ProtoField of a string value.

    Arguments

    abbr

    Abbreviated name of the field (the string used in filters).

    name (optional)

    Actual name of the field (the string that appears in the tree).

    display (optional)

    One of base.ASCII or base.UNICODE.

    desc (optional)

    Description of the field.

    Returns

    A ProtoField object to be added to a table set to the Proto.fields attribute.

    ProtoField.stringz(abbr, [name], [display], [desc])

    Creates a ProtoField of a zero-terminated string value.

    Arguments

    abbr

    Abbreviated name of the field (the string used in filters).

    name (optional)

    Actual name of the field (the string that appears in the tree).

    display (optional)

    One of base.ASCII or base.UNICODE.

    desc (optional)

    Description of the field.

    Returns

    A ProtoField object to be added to a table set to the Proto.fields attribute.

    ProtoField.bytes(abbr, [name], [display], [desc])

    Creates a ProtoField for an arbitrary number of bytes.

    Arguments

    abbr

    Abbreviated name of the field (the string used in filters).

    name (optional)

    Actual name of the field (the string that appears in the tree).

    display (optional)

    One of base.NONE, base.DOT, base.DASH, base.COLON or base.SPACE.

    desc (optional)

    Description of the field.

    Returns

    A ProtoField object to be added to a table set to the Proto.fields attribute.

    ProtoField.ubytes(abbr, [name], [display], [desc])

    Creates a ProtoField for an arbitrary number of unsigned bytes.

    Arguments

    abbr

    Abbreviated name of the field (the string used in filters).

    name (optional)

    Actual name of the field (the string that appears in the tree).

    display (optional)

    One of base.NONE, base.DOT, base.DASH, base.COLON or base.SPACE.

    desc (optional)

    Description of the field.

    Returns

    A ProtoField object to be added to a table set to the Proto.fields attribute.

    ProtoField.none(abbr, [name], [desc])

    Creates a ProtoField of an unstructured type.

    Arguments

    abbr

    Abbreviated name of the field (the string used in filters).

    name (optional)

    Actual name of the field (the string that appears in the tree).

    desc (optional)

    Description of the field.

    Returns

    A ProtoField object to be added to a table set to the Proto.fields attribute.

    ProtoField.ipv4(abbr, [name], [desc])

    Creates a ProtoField of an IPv4 address (4 bytes).

    Arguments

    abbr

    Abbreviated name of the field (the string used in filters).

    name (optional)

    Actual name of the field (the string that appears in the tree).

    desc (optional)

    Description of the field.

    Returns

    A ProtoField object to be added to a table set to the Proto.fields attribute.

    ProtoField.ipv6(abbr, [name], [desc])

    Creates a ProtoField of an IPv6 address (16 bytes).

    Arguments

    abbr

    Abbreviated name of the field (the string used in filters).

    name (optional)

    Actual name of the field (the string that appears in the tree).

    desc (optional)

    Description of the field.

    Returns

    A ProtoField object to be added to a table set to the Proto.fields attribute.

    ProtoField.ether(abbr, [name], [desc])

    Creates a ProtoField of an Ethernet address (6 bytes).

    Arguments

    abbr

    Abbreviated name of the field (the string used in filters).

    name (optional)

    Actual name of the field (the string that appears in the tree).

    desc (optional)

    Description of the field.

    Returns

    A ProtoField object to be added to a table set to the Proto.fields attribute.

    ProtoField.guid(abbr, [name], [desc])

    Creates a ProtoField for a Globally Unique IDentifier (GUID).

    ProtoField.oid(abbr, [name], [desc])

    Creates a ProtoField for an ASN.1 Organizational IDentified (OID).

    ProtoField.protocol(abbr, [name], [desc])

    Creates a ProtoField for a sub-protocol.

    ProtoField.rel_oid(abbr, [name], [desc])

    Creates a ProtoField for an ASN.1 Relative-OID.

    ProtoField.systemid(abbr, [name], [desc])

    Creates a ProtoField for an OSI System ID.

    ProtoField.eui64(abbr, [name], [desc])

    Creates a ProtoField for an EUI64.

    protofield:__tostring()

    Returns a string with info about a protofield (for debugging purposes).

    Global Functions

    register_postdissector(proto, [allfields])

    Make a Proto protocol (with a dissector function) a post-dissector. It will be called for every frame after dissection.

    Arguments

    proto

    The protocol to be used as post-dissector.

    allfields (optional)

    Whether to generate all fields. Note: This impacts performance (default=false).

    dissect_tcp_pdus(tvb, tree, min_header_size, get_len_func, dissect_func, [desegment])

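    Makes the TCP layer invoke the given Lua dissection function for each PDU in the TCP segment, of the length returned by the given get_len_func function.

    This function is useful for protocols that run over TCP and that either always have a fixed length, or have a minimum size with a length field encoded within that minimum portion that identifies their full length. For such protocols, the protocol dissector function can call dissect_tcp_pdus() to make it easier to dissect the protocol’s messages (i.e., its protocol data units (PDUs)). This function should not be used for protocols whose PDU length cannot be determined from a fixed minimum portion, such as HTTP or Telnet.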

    Arguments

    tvb

    The Tvb buffer to dissect PDUs from.

    tree

    The TreeItem on which to add the protocol items.

    min_header_size

    The number of bytes in the fixed-length part of the PDU.

    get_len_func

    A Lua function that will be called for each PDU, to determine the full length of the PDU. The called function will be given (1) the Tvb object of the whole Tvb (possibly reassembled), (2) the Pinfo object, and (3) an offset number of the index of the first byte of the PDU (i.e., its first header byte). The Lua function must return a Lua number of the full length of the PDU.

    dissect_func

    A Lua function that will be called for each PDU, to dissect the PDU. The called function will be given (1) the Tvb object of the PDU’s Tvb (possibly reassembled), (2) the Pinfo object, and (3) the TreeItem object. The Lua function must return a Lua number of the number of bytes read/handled, which would typically be the Tvb:len().

    desegment (optional)

    Whether to reassemble PDUs crossing TCP segment boundaries or not. (default=true)
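
    The length that get_len_func returns comes straight from the wire, so a dissector should treat it as untrusted. The following added example (not from the original documentation) dissects a length-prefixed protocol with dissect_tcp_pdus(), flags oversized declared lengths with a ProtoExpert, and never reads past the captured bytes; the "BARDEMO" protocol, its header layout, port 9999 and the 1024-byte limit are assumptions.

```lua
-- Added example. Hypothetical 4-byte header:
--   magic(2) | payload length(2, big-endian), followed by the payload.
local HDR_LEN      = 4
local DEFAULT_PORT = 9999   -- assumed port, not a registered one

local proto_bar = Proto("bardemo", "Bar Demo Protocol (hypothetical)")

local f_magic   = ProtoField.uint16("bardemo.magic",   "Magic",          base.HEX)
local f_len     = ProtoField.uint16("bardemo.len",     "Payload length", base.DEC)
local f_payload = ProtoField.bytes ("bardemo.payload", "Payload")
proto_bar.fields = { f_magic, f_len, f_payload }

-- Filterable expert info: "bardemo.len.toolong" finds every flagged PDU.
local ef_toolong = ProtoExpert.new("bardemo.len.toolong",
    "Declared payload length exceeds configured maximum",
    expert.group.MALFORMED, expert.severity.WARN)
proto_bar.experts = { ef_toolong }

proto_bar.prefs.port    = Pref.uint("TCP port", DEFAULT_PORT, "TCP port to decode as BARDEMO")
proto_bar.prefs.max_len = Pref.uint("Maximum payload length", 1024,
                                    "Larger declared payloads are flagged")

-- get_len_func: given the whole Tvb and the offset of the PDU's first byte,
-- returns the FULL PDU length. dissect_tcp_pdus() guarantees that
-- min_header_size bytes are available at that offset.
local function bar_get_len(tvb, pinfo, offset)
    return HDR_LEN + tvb:range(offset + 2, 2):uint()
end

-- dissect_func: called once per PDU with a Tvb covering just that PDU.
local function bar_dissect_pdu(tvb, pinfo, tree)
    pinfo.cols.protocol = "BARDEMO"
    local subtree  = tree:add(proto_bar, tvb())
    subtree:add(f_magic, tvb(0, 2))
    local len_item = subtree:add(f_len, tvb(2, 2))

    local declared = tvb(2, 2):uint()
    if declared > proto_bar.prefs.max_len then
        len_item:add_proto_expert_info(ef_toolong)
    end
    -- Clamp to the bytes actually captured so a short capture (snaplen)
    -- cannot push the read out of bounds.
    local available = tvb:len() - HDR_LEN
    local n = math.min(declared, available)
    if n > 0 then
        subtree:add(f_payload, tvb(HDR_LEN, n))
    end
    return tvb:len()
end

function proto_bar.dissector(tvb, pinfo, tree)
    dissect_tcp_pdus(tvb, tree, HDR_LEN, bar_get_len, bar_dissect_pdu)
    return tvb:len()
end

-- Register on the default port, and follow the preference when it changes.
local current_port = DEFAULT_PORT
DissectorTable.get("tcp.port"):add(current_port, proto_bar)

function proto_bar.prefs_changed()
    if proto_bar.prefs.port ~= current_port then
        local tcp_table = DissectorTable.get("tcp.port")
        tcp_table:remove(current_port, proto_bar)
        current_port = proto_bar.prefs.port
        tcp_table:add(current_port, proto_bar)
    end
end
```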

    This article was first published on the 網安 wangan.com website.
