From bad766a9ef81f7267cdb8e4f82db692a83ba2f9a Mon Sep 17 00:00:00 2001
From: Peter Wu
Date: Wed, 21 Dec 2016 11:38:50 +0100
Subject: file-zip: start of a Zip Archive file dissector for Wireshark

Implemented a template for opening a file and making it available to dissectors. For this, a FileHandler has been implemented which then links with the MIME encapsulation type. The "seek_read" issue mentioned in the comments should be fixed with https://code.wireshark.org/review/19366
---
lua/file-zip.lua | 95 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++
1 file changed, 95 insertions(+)
create mode 100644 lua/file-zip.lua
(limited to 'lua')
diff --git a/lua/file-zip.lua b/lua/file-zip.lua
new file mode 100644
index 0000000..aec8ac0
--- /dev/null
+++ b/lua/file-zip.lua
@@ -0,0 +1,95 @@
+--
+-- Zip Archive dissector
+-- Author: Peter Wu
+
+--
+-- Dissection of Zip file contents
+--
+
+local proto_zip = Proto.new("zip_archive", "Zip Archive")
+
+function proto_zip.dissector(tvb, pinfo, tree)
+ pinfo.cols.protocol = "zip"
+ --pinfo.cols.info = ""
+end
+
+function zip_heur(tvb, pinfo, tree)
+ if tvb:raw(0, 2) ~= "PK" then
+ return false
+ end
+
+ proto_zip.dissector(tvb, pinfo, tree)
+ return true
+end
+
+-- Register MIME types in case a Zip file appears over HTTP.
+DissectorTable.get("media_type"):add("application/zip", proto_zip)
+DissectorTable.get("media_type"):add("application/java-archive", proto_zip)
+
+-- Ensure that files can directly be opened (after any FileHandler has accepted
+-- it, see below).
+proto_zip:register_heuristic("wtap_file", zip_heur)
+
+
+--
+-- File handler (for directly interpreting opening a Zip file in Wireshark)
+-- Actually, all it does is recognizing a Zip file and passing one packet to the
+-- MIME dissector.
+--
+
+local zip_fh = FileHandler.new("Zip", "zip", "Zip archive file reader", "rms")
+
+-- Check if file is really a zip file (return true if it is)
+function zip_fh.read_open(file, cinfo)
+ -- XXX improve heuristics?
+ if file:read(2) ~= "PK" then
+ return false
+ end
+
+ -- Find end of file and rewind.
+ local endpos, err = file:seek("end")
+ if not endpos then error("Error while finding end! " .. err) end
+ local ok, err = file:seek("set", 0)
+ if not ok then error("Non-seekable file! " .. err) end
+
+ cinfo.encap = wtap_encaps.MIME
+ cinfo.private_table = {
+ endpos = endpos,
+ }
+
+ return true
+end
+
+-- Read next packet (returns begin offset or false on error)
+local function zip_fh_read(file, cinfo, finfo)
+ local p = cinfo.private_table
+ local curpos = file:seek("cur")
+
+ -- Fal on EOF
+ if curpos >= p.endpos then return false end
+
+ finfo.original_length = p.endpos - curpos
+ finfo.captured_length = p.endpos - curpos
+
+ if not finfo:read_data(file, finfo.captured_length) then
+ -- Partial read?
+ print("Hmm, partial read, curpos=" .. curpos .. ", len: " .. finfo.captured_length)
+ return false
+ end
+
+ return curpos
+end
+zip_fh.read = zip_fh_read
+
+-- Reads packet at offset (returns true on success and false on failure)
+function zip_fh.seek_read(file, cinfo, finfo, offset)
+ file:seek("set", offset)
+ -- Return a boolean since WS < 2.4 has an undocumented "feature" where
+ -- strings (including numbers) are treated as data.
+ return zip_fh_read(file, cinfo, finfo) ~= false
+end
+
+-- Hints for when to invoke this dissector.
+zip_fh.extensions = "zip;jar"
+
+register_filehandler(zip_fh) -- cgit v1.2.1
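Review bot: `zip_heur` is defined without `local`, so it lands in the global namespace shared by every Lua plugin Wireshark loads, and its `tvb:raw(0, 2)` has no length guard, so a `media_type` payload shorter than two bytes can raise a Lua error instead of returning false; `local function zip_heur(tvb, pinfo, tree)` together with `if tvb:len() < 2 or tvb:raw(0, 2) ~= "PK" then` fixes both. The `read_open` probe is just as loose: any file whose first two bytes are `PK` is claimed as an archive, whereas the format fixes a four-byte signature, so reading `local magic = file:read(4)` and rejecting it unless it is `"PK\3\4"` (local file header) or `"PK\5\6"` (empty archive, end-of-central-directory record) cuts false positives at no cost, since the handle is rewound anyway. In `seek_read` the result of `file:seek("set", offset)` is discarded, so a failed seek silently reads from wherever the handle was left; `if not file:seek("set", offset) then return false end` keeps the boolean contract the comment below it describes. Finally `zip_fh_read` hands the whole remaining file to a single packet and reports a short read only via `print` to stdout; wiretap presumably caps one packet at its maximum packet size, so a large archive would fail there with nothing shown in the UI — a comment on the `finfo.captured_length` line noting that limit, or an `error()` in place of the `print`, would make that visible.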