author | Peter Wu <peter@lekensteyn.nl> | 2016-12-21 11:38:50 +0100 |
---|---|---|
committer | Peter Wu <peter@lekensteyn.nl> | 2016-12-21 11:38:50 +0100 |
commit | bad766a9ef81f7267cdb8e4f82db692a83ba2f9a (patch) | |
tree | b5bd38e534bafa59ab8e0be9de3a770ec21d65c5 /lua/file-zip.lua | |
parent | e85348e74e0fe8b107eead773c768361b12b7e2f (diff) | |
file-zip: start of a Zip Archive file dissector for Wireshark
Implemented a template for opening a file and making it available to
dissectors. For this, a FileHandler has been implemented which then
links with the MIME encapsulation type.
The "seek_read" issue mentioned in the comments should be fixed with
https://code.wireshark.org/review/19366
Diffstat (limited to 'lua/file-zip.lua')
-rw-r--r-- | lua/file-zip.lua | 95 |
1 files changed, 95 insertions, 0 deletions
diff --git a/lua/file-zip.lua b/lua/file-zip.lua
new file mode 100644
index 0000000..aec8ac0
--- /dev/null
+++ b/lua/file-zip.lua
@@ -0,0 +1,95 @@
+--
+-- Zip Archive dissector
+-- Author: Peter Wu <peter@lekensteyn.nl>
+
+--
+-- Dissection of Zip file contents
+--
+
+local proto_zip = Proto.new("zip_archive", "Zip Archive")
+
+function proto_zip.dissector(tvb, pinfo, tree)
+ pinfo.cols.protocol = "zip"
+ --pinfo.cols.info = ""
+end
+
+function zip_heur(tvb, pinfo, tree)
+ if tvb:raw(0, 2) ~= "PK" then
+ return false
+ end
+
+ proto_zip.dissector(tvb, pinfo, tree)
+ return true
+end
+
+-- Register MIME types in case a Zip file appears over HTTP.
+DissectorTable.get("media_type"):add("application/zip", proto_zip)
+DissectorTable.get("media_type"):add("application/java-archive", proto_zip)
+
+-- Ensure that files can directly be opened (after any FileHandler has accepted
+-- it, see below).
+proto_zip:register_heuristic("wtap_file", zip_heur)
+
+
+--
+-- File handler (for directly interpreting opening a Zip file in Wireshark)
+-- Actually, all it does is recognizing a Zip file and passing one packet to the
+-- MIME dissector.
+--
+
+local zip_fh = FileHandler.new("Zip", "zip", "Zip archive file reader", "rms")
+
+-- Check if file is really a zip file (return true if it is)
+function zip_fh.read_open(file, cinfo)
+ -- XXX improve heuristics?
+ if file:read(2) ~= "PK" then
+ return false
+ end
+
+ -- Find end of file and rewind.
+ local endpos, err = file:seek("end")
+ if not endpos then error("Error while finding end! " .. err) end
+ local ok, err = file:seek("set", 0)
+ if not ok then error("Non-seekable file! " .. err) end
+
+ cinfo.encap = wtap_encaps.MIME
+ cinfo.private_table = {
+ endpos = endpos,
+ }
+
+ return true
+end
+
+-- Read next packet (returns begin offset or false on error)
+local function zip_fh_read(file, cinfo, finfo)
+ local p = cinfo.private_table
+ local curpos = file:seek("cur")
+
+ -- Fal on EOF
+ if curpos >= p.endpos then return false end
+
+ finfo.original_length = p.endpos - curpos
+ finfo.captured_length = p.endpos - curpos
+
+ if not finfo:read_data(file, finfo.captured_length) then
+ -- Partial read?
+ print("Hmm, partial read, curpos=" .. curpos .. ", len: " .. finfo.captured_length)
+ return false
+ end
+
+ return curpos
+end
+zip_fh.read = zip_fh_read
+
+-- Reads packet at offset (returns true on success and false on failure)
+function zip_fh.seek_read(file, cinfo, finfo, offset)
+ file:seek("set", offset)
+ -- Return a boolean since WS < 2.4 has an undocumented "feature" where
+ -- strings (including numbers) are treated as data.
+ return zip_fh_read(file, cinfo, finfo) ~= false
+end
+
+-- Hints for when to invoke this dissector.
+zip_fh.extensions = "zip;jar"
+
+register_filehandler(zip_fh)
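Review bot: `zip_heur` is declared as a bare `function zip_heur(...)`, which makes it a global, and its `tvb:raw(0, 2)` will raise rather than decline when the buffer holds fewer than two bytes; declare it `local function zip_heur(tvb, pinfo, tree)` and guard the magic check with `if tvb:len() < 2 or tvb:raw(0, 2) ~= "PK" then`. In `zip_fh.read_open`, the second `local ok, err = file:seek("set", 0)` shadows the `err` declared on the preceding line, which luacheck flags; reusing a single `err` or naming the second `seek_err` avoids it. The comment `-- Fal on EOF` in `zip_fh_read` should read `-- Fail on EOF`. Since the reader hands the whole remaining file to `read_data` as one packet, any capture-length ceiling that wtap applies (I believe one exists, but confirm) would make `read_data` fail on larger archives, so the partial-read branch is worth keeping in mind as this grows.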