| blob | c99aaa3a6a9b4372f936a4e4bddf087c828c7df3 |
1 -- pcap_file_reader.lua
2 --------------------------------------------------------------------------------
3 --[[
4 This is a Wireshark Lua-based pcap capture file reader.
5 Author: Hadriel Kaplan
7 This "capture file" reader reads pcap files - the old style ones. Don't expect this to
8 be as good as the real thing; this is a simplistic implementation to show how to
9 create such file readers, and for testing purposes.
11 This script requires Wireshark v1.12 or newer.
12 --]]
13 --------------------------------------------------------------------------------
15 -- do not modify this table
20 }
22 -- set this DEBUG to debug.LEVEL_1 to enable printing debug info
23 -- set it to debug.LEVEL_2 to enable really verbose printing
30 end
32 -- verify Wireshark is new enough
34 if major and tonumber(major) <= 1 and ((tonumber(minor) <= 10) or (tonumber(minor) == 11 and tonumber(micro) < 3)) then
35 error( "Sorry, but your " .. wireshark_name .. " version (" .. get_version() .. ") is too old for this script!\n" ..
37 end
39 -- verify we have the Struct library in wireshark
40 -- technically we should be able to do this with 'require', but Struct is a built-in
43 --------------------------------------------------------------------------------
44 -- early definitions
45 -- throughout most of this file I try to pre-declare things to help ease
46 -- reading it and following the logic flow, but some things just have to be done
47 -- before others, so this sections has such things that cannot be avoided
48 --------------------------------------------------------------------------------
50 -- first some variable declarations for functions we'll define later
53 -- these will be set inside of parse_file_header(), but we're declaring them up here
55 {
71 }
79 end
82 dprint2 = dprint
83 end
84 end
85 end
86 -- call it now
89 --------------------------------------------------------------------------------
90 -- file reader handling functions for Wireshark to use
91 --------------------------------------------------------------------------------
93 ----------------------------------------
94 -- The read_open() is called by Wireshark once per file, to see if the file is this reader's type.
95 -- Wireshark passes in (1) a File object and (2) CaptureInfo object to this function
96 -- It expects in return either nil or false to mean it's not our file type, or true if it is
97 -- In our case what this means is we figure out if the file has the magic header, and get the
98 -- endianess of the file, and the encapsulation type of its frames/records
108 -- save our state
111 -- if the file is for us, we MUST set the file position cursor to
112 -- where we want the first call to read() function to get it the next time
113 -- for example if we checked a few records to be sure it's or type
114 -- but in this simple example we only verify the file header (24 bytes)
115 -- and we want the file position to remain after that header for our read()
116 -- call, so we don't change it back
117 --file:seek("set",position)
119 -- these we can also set per record later during read operations
124 return true
125 end
129 -- if it's not for us, wireshark will reset the file position itself
131 return false
132 end
134 ----------------------------------------
135 -- Wireshark/tshark calls read() for each frame/record in the file
136 -- It passes in (1) a File, (2) CaptureInfo, and (3) FrameInfo object to this function
137 -- It expects in return the file offset position the record starts at,
138 -- or nil/false if there's an error or end-of-file is reached.
139 -- The offset position is used later: wireshark remembers it and gives
140 -- it to seek_read() at various random times
144 -- call our common reader function
148 -- this isn't' actually an error, because it might just mean we reached end-of-file
149 -- so let's test for that (read(0) is a special case in Lua, see Lua docs)
152 else
154 end
155 return false
156 end
160 -- return the position we got to (or nil if we hit EOF/error)
161 return position
162 end
164 ----------------------------------------
165 -- Wireshark/tshark calls seek_read() for each frame/record in the file, at random times
166 -- It passes in (1) a File, (2) CaptureInfo, (3) FrameInfo object, and the offset position number
167 -- It expects in return true for successful parsing, or nil/false if there's an error.
171 -- first move to the right position in the file
176 return false
177 end
179 return true
180 end
182 ----------------------------------------
183 -- Wireshark/tshark calls read_close() when it's closing the file completely
184 -- It passes in (1) a File and (2) CaptureInfo object to this function
185 -- this is a good opportunity to clean up any state you may have created during
186 -- file reading. (in our case there's no real state)
189 -- we don't really have to reset anything, because we used the
190 -- capture.private_table and wireshark clears it for us after this function
191 return true
192 end
194 ----------------------------------------
195 -- An often unused function, Wireshark calls this when the sequential walk-through is over
196 -- (i.e., no more calls to read(), only to seek_read()).
197 -- It passes in (1) a File and (2) CaptureInfo object to this function
198 -- This gives you a chance to clean up any state you used during read() calls, but remember
199 -- that there will be calls to seek_read() after this (in Wireshark, though not Tshark)
202 return true
203 end
205 ----------------------------------------
206 -- ok, so let's create a FileHandler object
207 local fh = FileHandler.new("Lua-based PCAP reader", "lua_pcap", "A Lua-based file reader for PCAP-type files","rms")
209 -- set above functions to the FileHandler
217 -- and finally, register the FileHandler!
222 --------------------------------------------------------------------------------
223 -- ok now for the boring stuff that actually does the work
224 --------------------------------------------------------------------------------
226 ----------------------------------------
227 -- in Lua, we have access to encapsulation types in the 'wtap_encaps' table, but
228 -- those numbers don't actually necessarily match the numbers in pcap files
229 -- for the encapsulation type, because the namespace got screwed up at some
230 -- point in the past (blame LBL NRG, not wireshark for that)
231 -- but I'm not going to create the full mapping of these two namespaces
232 -- instead we'll just use this smaller table to map them
233 -- these are taken from wiretap/pcap-common.c
266 }
268 -- we can use the above to directly map very quickly
269 -- but to map it backwards we'll use this, because I'm lazy:
273 return k
274 end
275 end
277 end
279 ----------------------------------------
280 -- here are the "structs" we're going to parse, of the various records in a pcap file
281 -- these pattern string gets used in calls to Struct.unpack()
282 --
283 -- we will prepend a '<' or '>' later, once we figure out what endian-ess the files are in
284 --
285 -- this is a constant for minimum we need to read before we figure out the filetype
287 -- a pcap file header struct
288 -- this is: magic, version_major, version_minor, timezone, sigfigs, snaplen, encap type
290 -- it's too bad Struct doesn't have a way to get the number of vars the pattern holds
291 -- another thing to add to my to-do list?
294 -- these will hold the '<'/'>' prepended version of above
295 --local file_header, rec_header
297 -- snaplen/caplen can't be bigger than this
300 ----------------------------------------
301 -- different pcap file types have different magic values
302 -- we need to know various things about them for various functions
303 -- in this script, so this table holds all the info
304 --
305 -- See default_settings table above for the defaults used if this table
306 -- doesn't override them.
307 --
308 -- Arguably, these magic types represent different "Protocols" to dissect later,
309 -- but this script treats them all as "pcapfile" protocol.
310 --
311 -- From this table, we'll auto-create a value-string table for file header magic field
313 {
314 normal =
315 {
318 },
319 swapped =
320 {
324 },
325 modified =
326 {
327 -- this is for a ss991029 patched format only
333 },
334 swapped_modified =
335 {
336 -- this is for a ss991029 patched format only
343 },
344 nsecs =
345 {
349 },
350 swapped_nsecs =
351 {
356 },
357 }
359 -- create a magic-to-spell entry table from above magic_spells table
360 -- so we can find them faster during file read operations
361 -- we could just add them right back into spells table, but this is cleaner
365 end
367 -- the function which makes a copy of the default settings per file
373 end
374 return file_settings
375 end
377 -- set the file_settings that the magic value defines in magic_values
382 return false
383 end
387 -- the magic_values/spells table uses the same key names, so this is easy
390 end
392 -- based on endianess, set the file_header and rec_header
393 -- and determine corrected_magic
398 else
403 end
407 return file_settings
408 end
410 ----------------------------------------
411 -- internal functions declared previously
412 ----------------------------------------
414 ----------------------------------------
415 -- used by read_open(), this parses the file header
419 -- by default, file:read() gets the next "string", meaning ending with a newline \n
420 -- but we want raw byte reads, so tell it how many bytes to read
423 -- it's ok for us to not be able to read it, but we need to tell wireshark the
424 -- file's not for us, so return false
429 -- let's peek at the magic int32, assuming it's big-endian
436 return false
437 end
439 -- this is: magic, version_major, version_minor, timezone, sigfigs, snaplen, encap type
442 -- sanity check; also note that Struct.unpack() returns the fields plus
443 -- a number of where in the line it stopped reading (i.e., the end in this case)
444 -- so we got back number of fields + 1
446 -- this should never happen, since we already told file:read() to grab enough bytes
448 return nil
449 end
451 -- fields[1] is the magic, which we already parsed and saved before, but just to be sure
452 -- our endianess is set right, we validate what we got is what we expect now that
453 -- endianess has been corrected
457 return nil
458 end
467 -- wireshark only supports version 2.0 and later
470 return false
471 end
473 -- convert pcap file interface type to wtap number type
478 return false
479 end
484 end
496 --ok, it's a pcap file
498 return file_settings
499 end
501 ----------------------------------------
502 -- this is used by both read() and seek_read()
503 -- the calling function to this should have already set the file position correctly
507 -- get the state info
510 -- first parse the record header, which will set the FrameInfo fields
513 return false
514 end
518 -- now we need to get the packet bytes from the file record into the frame...
519 -- we *could* read them into a string using file:read(numbytes), and then
520 -- set them to frame.data so that wireshark gets it...
521 -- but that would mean the packet's string would be copied into Lua
522 -- and then sent right back into wireshark, which is gonna slow things
523 -- down; instead FrameInfo has a read_data() method, which makes
524 -- wireshark read directly from the file into the frame buffer, so we use that
527 return false
528 end
530 return true
531 end
533 ----------------------------------------
534 -- the function to parse individual records
540 -- it's ok for us to not be able to read it, if it's end of file
543 -- this is: time_sec, time_usec, capture_len, original_len
546 -- sanity check; also note that Struct.unpack() returns the fields plus
547 -- a number of where in the line it stopped reading (i.e., the end in this case)
548 -- so we got back number of fields + 1
552 return nil
553 end
561 end
567 -- sanity check, verify captured length isn't more than original length
570 -- swap them, a cool Lua ability
572 end
576 caplen = WTAP_MAX_PACKET_SIZE
577 end
587 return true
588 end
592 --------------------------------------------------------------------------------
593 -- file writer handling functions for Wireshark to use
594 --------------------------------------------------------------------------------
596 -- file encaps we can handle writing
605 -- etc., etc.
606 }
608 -- we can't reuse the variables we used in the reader, because this script might be used to both
609 -- open a file for reading and write it out, at the same time, so we cerate another file_settings
610 -- instance.
611 -- set the file_settings for the little-endian version in magic_spells
618 -- the magic_values/spells table uses the same key names, so this is easy
621 end
623 -- based on endianess, set the file_header and rec_header
624 -- and determine corrected_magic
629 else
634 end
638 return file_settings
639 end
641 ----------------------------------------
642 -- The can_write_encap() function is called by Wireshark when it wants to write out a file,
643 -- and needs to see if this file writer can handle the packet types in the window.
644 -- We need to return true if we can handle it, else false
648 end
655 -- write out file header
667 return false
668 end
674 return false
675 end
677 -- save settings
680 return true
681 end
686 -- get file settings
690 return false
691 end
693 -- write out record header: time_sec, time_usec, capture_len, original_len
695 -- first get times
698 -- pcap format is in usecs, but wireshark's internal is nsecs
705 end
709 nsecs,
715 return false
716 end
720 return false
721 end
723 -- we could write the packet data the same way, by getting frame.data and writing it out
724 -- but we can avoid copying those bytes into Lua by using the write_data() function
727 return false
728 end
730 return true
731 end
736 return true
737 end
739 -- ok, so let's create another FileHandler object
740 local fh2 = FileHandler.new("Lua-based PCAP writer", "lua_pcap2", "A Lua-based file writer for PCAP-type files","wms")
742 -- set above functions to the FileHandler
749 -- and finally, register the FileHandler!