authorPeter Wu <peter@lekensteyn.nl>2023-10-12 11:52:57 +0200
committerPeter Wu <peter@lekensteyn.nl>2023-10-12 11:52:57 +0200
commitb166e14c2bf79f4a61cbcd01ca92a2c418ac9550 (patch)
tree4ef34be160f0df541e451e32cf813df6ec212a21
parent278ca860093c3a1c5c9d9171e8c2532f94b20902 (diff)
exportpdu.py: update PDU tags, register DLTHEADmaster
Updated the PDU tags based on Wireshark v4.1.0rc0-197-ge5951765d8 with: grep -Pe '#define EXP_PDU_TAG\S+?(?<!_LEN)\s+\d+' wsutil/exported_pdu_tlvs.h | awk '{print $2, $3}' | column -t Register the Data Link Type (DLT) to fix a warning during wrpcap: WARNING: Inconsistent linktypes detected! The resulting file might contain invalid packets. Remove unused TagField structure.
-rwxr-xr-xexportpdu.py45
1 files changed, 24 insertions, 21 deletions
diff --git a/exportpdu.py b/exportpdu.py
index cb910d7..62c3fb0 100755
--- a/exportpdu.py
+++ b/exportpdu.py
@@ -1,18 +1,19 @@
-#!/usr/bin/env python
+#!/usr/bin/env python3
import argparse
import struct
# So slow... let's import what we need.
#from scapy.all import *
+from scapy.config import conf
from scapy.fields import StrField
from scapy.packet import Packet
from scapy.utils import wrpcap
-# From epan/exported_pdu.h
+# From wsutil/exported_pdu_tlvs.h (used in epan/exported_pdu.h)
EXP_PDU_TAG_END_OF_OPT = 0
EXP_PDU_TAG_OPTIONS_LENGTH = 10
EXP_PDU_TAG_LINKTYPE = 11
-EXP_PDU_TAG_PROTO_NAME = 12
-EXP_PDU_TAG_HEUR_PROTO_NAME = 13
+EXP_PDU_TAG_DISSECTOR_NAME = 12
+EXP_PDU_TAG_HEUR_DISSECTOR_NAME = 13
EXP_PDU_TAG_DISSECTOR_TABLE_NAME = 14
EXP_PDU_TAG_IPV4_SRC = 20
EXP_PDU_TAG_IPV4_DST = 21
@@ -27,24 +28,14 @@ EXP_PDU_TAG_ORIG_FNO = 30
EXP_PDU_TAG_DVBCI_EVT = 31
EXP_PDU_TAG_DISSECTOR_TABLE_NAME_NUM_VAL = 32
EXP_PDU_TAG_COL_PROT_TEXT = 33
+EXP_PDU_TAG_TCP_INFO_DATA = 34
+EXP_PDU_TAG_P2P_DIRECTION = 35
+EXP_PDU_TAG_COL_INFO_TEXT = 36
-class TagField(StrField):
- def __init__(self, name, default):
- StrField.__init__(self, name, default)
-
- def m2i(self, pkt, x):
- tag_type, tag_len = struct.unpack_from('!HH', x)
- x = x[4:]
- if tag_len > len(x):
- # XXX error?
- return
- tag_data, x = x[:tag_len], x[tag_len:]
- return[tag_type, tag_data]
+# For backwards compatibility, since Wireshark v4.1.0rc0-197-ge5951765d8.
+EXP_PDU_TAG_PROTO_NAME = EXP_PDU_TAG_DISSECTOR_NAME
+EXP_PDU_TAG_HEUR_PROTO_NAME = EXP_PDU_TAG_HEUR_DISSECTOR_NAME
- def i2m(self, pkt, x):
- tag_type, tag_data = x
- tag_len = len(tag_data)
- return struct.pack('!HH', tag_type, tag_len) + tag_data
class TagsField(StrField):
islist = 1
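Review bot: The comment above the two aliases, "For backwards compatibility, since Wireshark v4.1.0rc0-197-ge5951765d8", reads as if the aliases themselves appeared in that Wireshark version, when (from the commit message) it is the rename that happened there and the aliases exist so callers of this script written against the old names keep working. I would make that explicit: `# Old names kept for existing callers of this script; Wireshark renamed the tags in v4.1.0rc0-197-ge5951765d8.` The three new tags (34–36) also arrive with no hint of their value encoding, and `_convert_data` only knows int and raw bytes, so a one-line note per tag on what Wireshark expects there (or a pointer to wsutil/exported_pdu_tlvs.h) would save the next user a trip to the header; I have not checked those formats myself.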
@@ -69,6 +60,15 @@ class TagsField(StrField):
def _convert_data(self, tag_type, tag_data):
if type(tag_data) is int:
return struct.pack('!I', tag_data)
+ # Wireshark pads some strings to align them at four bytes. Although not
+ # strictly necessary for use in Wireshark, replicate it. See
+ # https://gitlab.com/wireshark/wireshark/-/issues/19284
+ tag_len = len(tag_data)
+ if tag_type in (EXP_PDU_TAG_DISSECTOR_NAME,
+ EXP_PDU_TAG_HEUR_DISSECTOR_NAME,
+ EXP_PDU_TAG_DISSECTOR_TABLE_NAME) and (tag_len & 3):
+ pad_len = 4 - (tag_len & 3)
+ tag_data += pad_len * b'\0'
return tag_data
def i2m(self, pkt, x):
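Review bot: The padding line `tag_data += pad_len * b'\0'` raises TypeError when a caller passes a `str` (the shebang now pins python3, where str and bytes no longer mix), and for a `bytearray` it extends the caller's object in place, so a tag reused across two packet builds gets padded again on the second build. I would normalise before padding, `tag_data = bytes(tag_data) + pad_len * b'\0'`, with an explicit `tag_data = tag_data.encode()` for `str` if text input is meant to be accepted. The enclosing `i2m` (outside this hunk) presumably takes the tag length after this method returns, so the on-wire length field will include the NUL pad; if that is intended, a comment saying so next to the padding would stop someone "fixing" it. A short why-comment on restricting the padding to the three dissector-name tags (and not COL_PROT_TEXT / COL_INFO_TEXT) would also help, since the linked issue is the only justification visible here.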
@@ -85,6 +85,9 @@ class WiresharkUpperPdu(Packet):
name = "WiresharkUpperPdu"
fields_desc = [ TagsField("tags", []) ]
+DLT_WIRESHARK_UPPER_PDU = 252
+conf.l2types.register(DLT_WIRESHARK_UPPER_PDU, WiresharkUpperPdu)
+
udp_bootp = WiresharkUpperPdu(tags = [
(EXP_PDU_TAG_DISSECTOR_TABLE_NAME, b'udp.port'),
#(EXP_PDU_TAG_PORT_TYPE, 3), # UDP (3)
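Review bot: `conf.l2types.register(DLT_WIRESHARK_UPPER_PDU, WiresharkUpperPdu)` is a module-level side effect that does more than silence the wrpcap warning: scapy's `rdpcap` will now hand every linktype-252 record in any capture to `WiresharkUpperPdu`, so `TagsField.m2i` (not in this hunk) is parsing untrusted file input and must reject a `tag_len` larger than the remaining buffer rather than slicing past it, a check the removed `TagField.m2i` had and I cannot confirm is present in `TagsField`. The bare `252` also deserves a source on the constant itself, e.g. `# LINKTYPE_WIRESHARK_UPPER_PDU (252) in the tcpdump link-layer header types registry`, so the comment inside make_pcap is not the only place explaining it.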
@@ -101,7 +104,7 @@ ip_udp = WiresharkUpperPdu(tags = [
def make_pcap(filename, pkt):
# Link Type: Wireshark Upper PDU export (252)
- wrpcap(filename, pkt, linktype=252)
+ wrpcap(filename, pkt, linktype=DLT_WIRESHARK_UPPER_PDU)
parser = argparse.ArgumentParser()
parser.add_argument("filename")