Tshark-如何仅使用tshark显示tcp播放负载的解剖树？

Posted 2021-04-28

我正在编写一个wireshark解剖器。我想在控制台中显示“解剖树”。

所以我尝试了：

tshark -V

它将显示类似：

Frame 105: 69 bytes on wire (552 bits)...
    ...
Ethernet II, Src: Giga-Byt_97:b3:26 (e0:d5:5e:97:b3:26), Dst: Cradlepo_68:04:37 (00:e0:1c:68:04:37)
    ...
Internet Protocol Version 4, Src: 192.168.1.153, Dst: 192.168.1.99
    ...
Transmission Control Protocol, Src Port: 7555, Dst Port: 50555, Seq: 10182, Ack: 485, Len: 15
    ....
erlang term
    PackageLength: 11
    compressFlag: 0
    m_system_hb_toc(2) [SmallTuple: 2]
        time: 1589549432 [Int]

但是只有最后一部分是我需要的：

erlang term
    PackageLength: 11
    compressFlag: 0
    m_system_hb_toc(2) [SmallTuple: 2]
        time: 1589549432 [Int]

我尝试使用'-T字段'和-e选项，但是找不到任何帮助。

这是我解剖员的代码：

local tcpPortLs = {7555}

local SIZE_LEN = 4
local pErlangExt = Proto("ErlangExt", "erlang term")
local fLen = ProtoField.uint32("ErlangExt.len", "PackageLength", base.DEC)
local fCompressFlag = ProtoField.string("ErlangExt.compressFlag", "compressFlag", base.ASCII)
local fBytes = ProtoField.bytes("ErlangExt.data", "PackageData", base.COLON)

pErlangExt.fields = {
    fLen,
    fBytes,
    fCompressFlag,
}

local function msg_pdu_length(buf, pkt, offset)
    local size_tvbr = buf:range(offset, SIZE_LEN)
    local size = size_tvbr:uint()
    return size + SIZE_LEN
end

local function _headBytes(n, dataBuf)
    local head = dataBuf(0, n)
    if dataBuf:len() == n then
        return head, nil
    end
    local tailDataBuf = dataBuf(n, dataBuf:len() - n)
    return head, tailDataBuf
end

local function _addToGroup()
    -- ...
end

local function _calcMainTree()
    -- ...
end

local function msg_proto_dissector(buf, pkt, root)
    local dataLenBuf, metaAndDataBytes = _headBytes(SIZE_LEN, buf)
    local detail = root:add(pErlangExt, buf)
    local dataLen = dataLenBuf:uint()
    detail:add(fLen, dataLenBuf, dataLen)
    local zlibFlagBuf, tupleDataBuf = _headBytes(1, metaAndDataBytes)
    local zlibFlag = zlibFlagBuf:uint()
    detail:add(fCompressFlag, zlibFlagBuf, zlibFlag)
    local dataRoot = detail:add(fBytes, tupleDataBuf)
    pkt.cols.protocol = "ErlangExt"
    local tree = _calcMainTree(tupleDataBuf, zlibFlag)
    _addToGroup(dataRoot, tree)
end

function pErlangExt.dissector(buf, pkt, root)
    local pktLen = buf:len()
    if pktLen ~= buf:reported_len() then
        return 0
    end
    dissect_tcp_pdus(buf, root, 4, msg_pdu_length, msg_proto_dissector)
    return pktLen
end

local tcp_encap_table = DissectorTable.get("tcp.port")
for _, port in pairs(tcpPortLs) do
    tcp_encap_table:add(port, pErlangExt)
end

并且捕获的数据为https://github.com/cmingjian/testData/blob/master/stage.pcapng

如何仅显示所需数据？谢谢。

答案

也许tshark -O ErlangExt将为您提供所需的结果？您仍将获得所有较低层（以太网，IP，TCP）的摘要行，但仅扩展您的ErlangExt数据。

从tshark man page：

-O < protocols > Similar to the -V option, but causes TShark to only show a detailed view of the comma-separated list of protocols specified, and show only the top-level detail line for all other protocols, rather than a detailed view of all protocols. Use the output of "tshark -G protocols" to find the abbreviations of the protocols you can specify.