diff options
-rwxr-xr-x | exportpdu.py | 45 |
1 files changed, 24 insertions, 21 deletions
diff --git a/exportpdu.py b/exportpdu.py index cb910d7..62c3fb0 100755 --- a/exportpdu.py +++ b/exportpdu.py @@ -1,18 +1,19 @@ -#!/usr/bin/env python +#!/usr/bin/env python3 import argparse import struct # So slow... let's import what we need. #from scapy.all import * +from scapy.config import conf from scapy.fields import StrField from scapy.packet import Packet from scapy.utils import wrpcap -# From epan/exported_pdu.h +# From wsutil/exported_pdu_tlvs.h (used in epan/exported_pdu.h) EXP_PDU_TAG_END_OF_OPT = 0 EXP_PDU_TAG_OPTIONS_LENGTH = 10 EXP_PDU_TAG_LINKTYPE = 11 -EXP_PDU_TAG_PROTO_NAME = 12 -EXP_PDU_TAG_HEUR_PROTO_NAME = 13 +EXP_PDU_TAG_DISSECTOR_NAME = 12 +EXP_PDU_TAG_HEUR_DISSECTOR_NAME = 13 EXP_PDU_TAG_DISSECTOR_TABLE_NAME = 14 EXP_PDU_TAG_IPV4_SRC = 20 EXP_PDU_TAG_IPV4_DST = 21 @@ -27,24 +28,14 @@ EXP_PDU_TAG_ORIG_FNO = 30 EXP_PDU_TAG_DVBCI_EVT = 31 EXP_PDU_TAG_DISSECTOR_TABLE_NAME_NUM_VAL = 32 EXP_PDU_TAG_COL_PROT_TEXT = 33 +EXP_PDU_TAG_TCP_INFO_DATA = 34 +EXP_PDU_TAG_P2P_DIRECTION = 35 +EXP_PDU_TAG_COL_INFO_TEXT = 36 -class TagField(StrField): - def __init__(self, name, default): - StrField.__init__(self, name, default) - - def m2i(self, pkt, x): - tag_type, tag_len = struct.unpack_from('!HH', x) - x = x[4:] - if tag_len > len(x): - # XXX error? - return - tag_data, x = x[:tag_len], x[tag_len:] - return[tag_type, tag_data] +# For backwards compatibility, since Wireshark v4.1.0rc0-197-ge5951765d8. +EXP_PDU_TAG_PROTO_NAME = EXP_PDU_TAG_DISSECTOR_NAME +EXP_PDU_TAG_HEUR_PROTO_NAME = EXP_PDU_TAG_HEUR_DISSECTOR_NAME - def i2m(self, pkt, x): - tag_type, tag_data = x - tag_len = len(tag_data) - return struct.pack('!HH', tag_type, tag_len) + tag_data class TagsField(StrField): islist = 1 @@ -69,6 +60,15 @@ class TagsField(StrField): def _convert_data(self, tag_type, tag_data): if type(tag_data) is int: return struct.pack('!I', tag_data) + # Wireshark pads some strings to align them at four bytes. Although not + # strictly necessary for use in Wireshark, replicate it. See + # https://gitlab.com/wireshark/wireshark/-/issues/19284 + tag_len = len(tag_data) + if tag_type in (EXP_PDU_TAG_DISSECTOR_NAME, + EXP_PDU_TAG_HEUR_DISSECTOR_NAME, + EXP_PDU_TAG_DISSECTOR_TABLE_NAME) and (tag_len & 3): + pad_len = 4 - (tag_len & 3) + tag_data += pad_len * b'\0' return tag_data def i2m(self, pkt, x): @@ -85,6 +85,9 @@ class WiresharkUpperPdu(Packet): name = "WiresharkUpperPdu" fields_desc = [ TagsField("tags", []) ] +DLT_WIRESHARK_UPPER_PDU = 252 +conf.l2types.register(DLT_WIRESHARK_UPPER_PDU, WiresharkUpperPdu) + udp_bootp = WiresharkUpperPdu(tags = [ (EXP_PDU_TAG_DISSECTOR_TABLE_NAME, b'udp.port'), #(EXP_PDU_TAG_PORT_TYPE, 3), # UDP (3) @@ -101,7 +104,7 @@ ip_udp = WiresharkUpperPdu(tags = [ def make_pcap(filename, pkt): # Link Type: Wireshark Upper PDU export (252) - wrpcap(filename, pkt, linktype=252) + wrpcap(filename, pkt, linktype=DLT_WIRESHARK_UPPER_PDU) parser = argparse.ArgumentParser() parser.add_argument("filename") |