From b166e14c2bf79f4a61cbcd01ca92a2c418ac9550 Mon Sep 17 00:00:00 2001
From: Peter Wu
Date: Thu, 12 Oct 2023 11:52:57 +0200
Subject: exportpdu.py: update PDU tags, register DLT

Updated the PDU tags based on Wireshark v4.1.0rc0-197-ge5951765d8 with:

grep -Pe '#define EXP_PDU_TAG\S+?(? len(x):
- # XXX error?
- return
- tag_data, x = x[:tag_len], x[tag_len:]
- return[tag_type, tag_data]
+# For backwards compatibility, since Wireshark v4.1.0rc0-197-ge5951765d8.
+EXP_PDU_TAG_PROTO_NAME = EXP_PDU_TAG_DISSECTOR_NAME
+EXP_PDU_TAG_HEUR_PROTO_NAME = EXP_PDU_TAG_HEUR_DISSECTOR_NAME
- def i2m(self, pkt, x):
- tag_type, tag_data = x
- tag_len = len(tag_data)
- return struct.pack('!HH', tag_type, tag_len) + tag_data
 class TagsField(StrField):
 islist = 1
@@ -69,6 +60,15 @@ class TagsField(StrField):
 def _convert_data(self, tag_type, tag_data):
 if type(tag_data) is int:
 return struct.pack('!I', tag_data)
+ # Wireshark pads some strings to align them at four bytes. Although not
+ # strictly necessary for use in Wireshark, replicate it. See
+ # https://gitlab.com/wireshark/wireshark/-/issues/19284
+ tag_len = len(tag_data)
+ if tag_type in (EXP_PDU_TAG_DISSECTOR_NAME,
+ EXP_PDU_TAG_HEUR_DISSECTOR_NAME,
+ EXP_PDU_TAG_DISSECTOR_TABLE_NAME) and (tag_len & 3):
+ pad_len = 4 - (tag_len & 3)
+ tag_data += pad_len * b'\0'
 return tag_data

 def i2m(self, pkt, x):
@@ -85,6 +85,9 @@ class WiresharkUpperPdu(Packet):
 name = "WiresharkUpperPdu"
 fields_desc = [ TagsField("tags", []) ]

+DLT_WIRESHARK_UPPER_PDU = 252
+conf.l2types.register(DLT_WIRESHARK_UPPER_PDU, WiresharkUpperPdu)
+
 udp_bootp = WiresharkUpperPdu(tags = [
 (EXP_PDU_TAG_DISSECTOR_TABLE_NAME, b'udp.port'),
 #(EXP_PDU_TAG_PORT_TYPE, 3), # UDP (3) 
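Review bot: `_convert_data` has no docstring, and the new padding branch changes what callers can rely on about the returned length — a bytes value for the three name tags now comes back longer than the input, and that padded length is presumably what `i2m` (outside this hunk) writes into the tag's length field, so the NUL bytes become part of the on-wire string rather than invisible alignment. A docstring should say that ints become a big-endian uint32, that the dissector-name, heuristic-dissector-name and dissector-table-name tags are NUL-padded to a multiple of four bytes to match Wireshark's writer, and that the returned length includes the padding. The guard and the arithmetic can also collapse into one line, `tag_data += (-tag_len & 3) * b'\0'`, since `-tag_len & 3` is already zero when the length is aligned. The enclosing `TagsField` class continues outside the hunk.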
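Review bot: `conf.l2types.register(DLT_WIRESHARK_UPPER_PDU, WiresharkUpperPdu)` runs at import time, so beyond labelling the output for `wrpcap` it also makes scapy's reading path (`rdpcap` and friends) hand every linktype-252 record to `WiresharkUpperPdu`, meaning `TagsField`'s decoding now runs on whatever capture a user opens while this module is loaded. That decoding side is outside this hunk, so its handling of a tag whose declared length exceeds the remaining buffer is worth confirming; the `m2i` removed in the first hunk silently returned `None` there under an `# XXX error?` marker, and it is not visible whether the replacement does better. A comment would make the side effect explicit, e.g. `# Registering the link type also makes rdpcap() dissect linktype-252 captures as WiresharkUpperPdu.` The value 252 itself matches the LINKTYPE_WIRESHARK_UPPER_PDU entry of the tcpdump link-layer header type registry, which a short comment on the constant could cite.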
@@ -101,7 +104,7 @@ ip_udp = WiresharkUpperPdu(tags = [
 def make_pcap(filename, pkt):
- # Link Type: Wireshark Upper PDU export (252)
- wrpcap(filename, pkt, linktype=252)
+ wrpcap(filename, pkt, linktype=DLT_WIRESHARK_UPPER_PDU)
 parser = argparse.ArgumentParser()
 parser.add_argument("filename")
-- 
cgit v1.2.1