Currently, all of my work involves designing some communication protocols, so I often need to observe the contents of packet transmission and reception. However, I have always used printk/printf methods to do this. I have also considered whether to make it more advanced and compatible with tcpdump/wireshark format, and then write a parser that looks cool. But the company’s cases come and go, many of which are one-time projects, so writing such things is not very cost-effective.
Recently, there is finally a case that has been going on for a long time to get, and the client will also need customization in the future, so I spent some time researching Wireshark parsing and capturing files, which will be more convenient to cooperate with customers.
Wireshark packet parsing
This article is based on this reference, but modified to suit your needs. It does not delve too deeply into the details, and focuses mainly on application. This article only uses some of the functions, if you have more complex requirements, you can refer to Wireshark’s documentation or search for “Wireshark dissector lua” on Google. The original reference article mentions bool field, which is also worth referring to.
Wireshark supports packet dissectors written in Lua scripting language. The following is my program.
|
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 |
do local p_vxlan = Proto("siml1", "SimL1"); local f_cmd = ProtoField.string("siml1.cmd", "cmd") local f_src = ProtoField.uint32("siml1.src", "src", base.OCT) local f_dst = ProtoField.uint32("siml1.dst", "dst", base.OCT) local f_msgtype = ProtoField.uint32("siml1.msgtype", "msgtype", base.OCT) local f_data_len = ProtoField.uint32("siml1.data_len", "data_len") local f_data_txpwr = ProtoField.uint32("siml1.data_txpwr", "data_txpwr") local f_data_snr = ProtoField.uint32("siml1.data_snr", "data_snr") local f_data_map1 = ProtoField.uint8("siml1.data_map1", "data_snr", base.OCT, {"desc1","desc2"}, 0x0F) local f_data_map2 = ProtoField.uint8("siml1.data_map2", "data_snr", base.OCT, {"desc1","desc2"}, 0xF0) local f_data_blob = ProtoField.bytes("siml1.data_blob", "data_blob") p_vxlan.fields = { f_cmd, f_src, f_dst, f_msgtype, f_data_len, f_data_txpwr, f_data_snr} table.insert(p_vxlan.fields, f_data_map1) table.insert(p_vxlan.fields, f_data_map2) table.insert(p_vxlan.fields, f_data_blob) function p_vxlan.dissector(buf, pinfo, root) local t = root:add(p_vxlan, buf(0,25)) local buflen = buf:len() t:add_le(f_src, buf(0,4)) t:add_le(f_dst, buf(4,4)) t:add_le(f_msgtype, buf(8,4)) t:add_le(f_data_len, buf(12,4)) t:add_le(f_data_txpwr, buf(16,4)) t:add_le(f_data_snr, buf(20,4)) t:add_le(f_data_map1, buf(24,1)) t:add_le(f_data_map2, buf(24,1)) t:add(f_data_blob, buf(25,buflen-25)) --[[ local eth_dis = Dissector.get("eth_withoutfcs") eth_dis:call(buf(12):tvb(), pinfo, root) --]] local msgtype = buf(8,4):le_uint() if (msgtype == 0) then t:append_text(", DATA") elseif(msgtype == 1) then t:append_text(", PING") elseif(msgtype == 2) then t:append_text(", PONG") end end local udp_encap_table = DissectorTable.get("udp.port") udp_encap_table:add(1234, p_vxlan) end |
In Wireshark, we use the built-in function “Proto()” to create an analysis object named “p_vxlan” to store other settings. The first parameter of Proto() is the filter name and the second parameter is the description.
“L4~L14”: Define field names and types in the protocol. The position is not specified here. After ProtoField.*, it follows the nature of the field, such as uint32, uint8. All lists can be referred to in the official document’s explanation of ProtoField at 11.3.7.2. For ProtoFile.*(), the first one is the sub-name of its filter, the second one is the description, and the third one is the display format (decimal, hexadecimal). L12,13 use masks at the end, indicating that they are bit fields. map1 and map2 take the upper and lower nibbles respectively.
“L16-L19: Define these fields in p_vxlan. They can be specified directly or by using the insert method. In actual use, not all of them need to be used, and their positions can also be specified separately.”
“L21~50”: Is the judgment function called when packets come in. The rest is declarations or registrations, which are longer and will be explained later.
Register this filter to perform filtering on UDP port 1234.
Field processing
The content above is preferring the type and processing target declaration, the next step is to process and judge the exact location. The so-called analysis is implemented on Wireshark by printing the fields. Therefore, what you see on Wireshark is an additional description field.。
The content above refers to parsing and determining the exact location. In Wireshark, parsing involves printing out fields. As a result, when using Wireshark, you will see an additional description field.
欄位
“L22: Generate a root node for this filter and all subsequent explanations will be attached under it.”
Get the length of the incoming buf to print out the undecoded content at the end.
“L24~32: Add fields defined in L4~L14. add_le() means to add the field in little endian format, followed by the specified data offset. L30 and L31 occupy the same position because they are both 4 bits. The last part of bytes is the remaining data fields listed as a list.”
“L34~37: This is to overwrite the display data of eth, but it is not needed here, so just comment it out.”
“L38~48: Display additional text next to the root node “t” based on the msgtype. If necessary, additional text can be displayed in a similar way next to each field.”
Generate PCAP capture file
The above explains how to parse and extract packets. How can we generate files that comply with the format? One way is to actually generate entities like the ones described above, and another way is to generate fake packets and write them into files for parsing. This article describes the pcap file format and refers to LibpcapFileFormat.
The content of PCAP can be divided into three parts, and the last two packet headers and contents will keep repeating.
- Global header
- Packet header
- Package content.
Global header
|
1 2 3 4 5 6 7 8 9 |
typedef struct pcap_hdr_s { unsigned int magic_number; /* magic number */ unsigned short version_major; /* major version number */ unsigned short version_minor; /* minor version number */ signed int thiszone; /* GMT to local correction */ unsigned int sigfigs; /* accuracy of timestamps */ unsigned int snaplen; /* max length of captured packets, in octets */ unsigned int network; /* data link type */ } pcap_hdr_t; |
Please refer to the official WiKi page here. The format is the same as before and the initialization can be done with the following content.
|
1 2 3 4 5 6 7 8 |
pcap_hdr_t h; h.magic_number = 0xa1b2c3d4; h.version_major = 0x2; h.version_minor = 0x4; h.thiszone = 0; h.sigfigs = 0; h.snaplen = 0xFFFF; h.network = 0x01;//Ethernet |
The variable “magic_number” is responsible for both the functionality of a magic number and determining the endianness. If Wireshark detects that it is reversed, it means that the system captured and the system being parsed have opposite endianness. The remaining items should be filled in as shown in the table above, where network (1) refers to Ethernet, which currently does not seem to have many other practical options.
Packet header
|
1 2 3 4 5 6 |
typedef struct pcaprec_hdr_s { unsigned int ts_sec; /* timestamp seconds */ unsigned int ts_usec; /* timestamp microseconds */ unsigned int incl_len; /* number of octets of packet saved in file */ unsigned int orig_len; /* actual length of packet */ } pcaprec_hdr_t; |
The first two fields of the packet header are about the time of capture. The time of the first packet is 0, and the difference between consecutive packets needs to be calculated using gettimeofday() to get a time with usec included for more accurate representation.
The variable “incl_len” represents the actual length of the file contained in the packet, while “orig_len” represents the expected length of the packet. This distinction is made because sometimes we only want to capture the header and not the entire contents of the packet.
Package content
The packet content is just plain data and needs to be parsed by the parser.
Creating packet examples
|
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 |
#include <stdio.h> #include <stdlib.h> int main() { char buf[1000] = { 0xa1, 0xb2, 0xc3, 0xd4, 0x2, 0x0, 0x4, 0x0, 0x0, 0x0, 0x0, 0x0, 0,0,0,0, 0xff, 0xff, 0xff, 0xff, 0,0,0,1, //proto type, 1=eth 0,0,0,0, 0,0,0,0, 0,0,0,60, //inc len 0,0,0,60, //net len //ethernet data start 0xff,0xff,0xff,0xff,0xff,0xff, //dst 0xff,0xff,0xff,0xff,0xff,0xff, //src 0x08,0x06, //proto, ethernet end 0,1,8,6,0, 6,4, 0,1,0xc8, 0x7f, 0x54, 0xe9, 0xd7, 0x14, 0xc0, 0xa8, 0x01, 0xa9, 0,0,0,0,0,0, 0xc0, 0xa8, 1, 6 }; int i; for(i=0;i<sizeof(buf);i++) { printf("%c", buf[i] & 0xFF); } } |
The above code is an incomplete ARP packet generation program, but it is sufficient for Wireshark to parse its contents. Below is a more complete Linux program that can encapsulate at the UDP layer.
|
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 86 |
#include <stdlib.h> #include <stdio.h> #include <linux/ip.h> #include <linux/if_ether.h> #include <linux/udp.h> typedef struct { unsigned int magic_number; unsigned short version_major; unsigned short version_minor; signed int thiszone; unsigned int sigfigs; unsigned int snaplen; unsigned int network; } __attribute__((__packed__)) pcap_hdr_t; typedef struct { unsigned int ts_sec; unsigned int ts_usec; unsigned int incl_len; unsigned int orig_len; } __attribute__((__packed__)) pcaprec_hdr_t; int main() { FILE *fp; fp = fopen("/tmp/out.pcap", "w"); pcap_hdr_t h; struct timeval tim; unsigned long long start; unsigned long long now ; int i; int len = 4; int _data = 0; char *data = (char *)&_data; gettimeofday(&tim, NULL); start = tim.tv_sec; start *= 1000000; start += tim.tv_usec; h.magic_number = 0xa1b2c3d4; h.version_major = 2; h.version_minor = 4; h.thiszone = 0; h.sigfigs = 0; h.snaplen = 0xFFFF; h.network = 1; fwrite(&h, 1, sizeof(h), fp); for(i=0;i<10;i++) { _data++; usleep(1000*100); gettimeofday(&tim, NULL); now = tim.tv_sec; now *= 1000000; now += tim.tv_usec; hdr.ts_sec = (now - start) / 1000000; hdr.ts_usec = (now - start) % 1000000; hdr.incl_len = len + sizeof(eth) + sizeof(ip) + sizeof(udp); hdr.orig_len = len + sizeof(eth) + sizeof(ip) + sizeof(udp); fwrite(&hdr, 1, sizeof(hdr), fp); eth.h_proto = htons(0x0800); fwrite(ð, 1, sizeof(eth), fp); ip.version = 4; ip.ihl = 5; ip.tot_len = htons(sizeof(udp)+ len + sizeof(ip)) ; ip.frag_off = 0; ip.protocol = 17; fwrite(&ip, 1, sizeof(ip), fp); udp.source = htons(1234); udp.dest = htons(5678); udp.len = htons(len + sizeof(udp)); udp.check = 0; fwrite(&udp, 1, sizeof(udp), fp); fwrite(data, 1, len, fp); fflush(fp); } fclose(fp); } |
Conclusion
A topic that is useful but not very useful, depending on whether your need is long-lasting enough.
