1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
|
--
-- Tar dissector
-- Author: Peter Wu <peter@lekensteyn.nl>
--
-- Information about the file format:
-- https://www.gnu.org/software/tar/manual/html_node/Standard.html
-- https://en.wikipedia.org/wiki/Tar_(computing)
--
-- Requires at least Wireshark 2.4 (due to the use of ftypes.CHAR)
--
--
-- Dissection of Tar file contents
--
--[[
// From https://www.gnu.org/software/tar/manual/html_node/Standard.html
struct posix_header
{ /* byte offset */
char name[100]; /* 0 */
char mode[8]; /* 100 */
char uid[8]; /* 108 */
char gid[8]; /* 116 */
char size[12]; /* 124 */
char mtime[12]; /* 136 */
char chksum[8]; /* 148 */
char typeflag; /* 156 */
char linkname[100]; /* 157 */
char magic[6]; /* 257 */
char version[2]; /* 263 */
char uname[32]; /* 265 */
char gname[32]; /* 297 */
char devmajor[8]; /* 329 */
char devminor[8]; /* 337 */
char prefix[155]; /* 345 */
/* 500 */
};
# Convert above headers to <name> <offset> <length>
fields=$(xsel | sed -re 's# *char ([a-z]+)\[([0-9]+)\]; */\* +([0-9]+) *\*/#\1 \3 \2#' -e 's# *char ([a-z]+); */\* +([0-9]+) *\*/#\1 \2 1#')
# Convert to hf definitions (and fixup mtime and typeflag)
echo "$fields" | awk '{ printf " %-12s= ProtoField.string(\"tar.%s\", \"%s\"),\n", $1, $1, $1 }'
# Convert to dissection calls.
echo "$fields" | awk '{ printf " htree:add(hf.%-10s tvb(offset + %d, %d))\n", $1",", $2, $3 }'
--]]
local typeflag_values = {
[0] = "Regular file",
[string.byte("0")] = "Regular file",
[string.byte("1")] = "Hard link",
[string.byte("2")] = "Symbolic link",
[string.byte("3")] = "Character special",
[string.byte("4")] = "Block special",
[string.byte("5")] = "Directory",
[string.byte("6")] = "FIFO special",
[string.byte("7")] = "Reserved",
[string.byte("g")] = "Global extended header",
[string.byte("x")] = "Extended header",
}
local proto_tar = Proto.new("tar_archive", "Tar Archive")
local hf = {
header = ProtoField.none("tar.header", "POSIX header"),
file_data = ProtoField.bytes("tar.file_data", "File data"),
-- posix_header
name = ProtoField.string("tar.name", "name"),
mode = ProtoField.string("tar.mode", "mode"),
uid = ProtoField.string("tar.uid", "uid"),
gid = ProtoField.string("tar.gid", "gid"),
size = ProtoField.string("tar.size", "size"),
--mtime = ProtoField.string("tar.mtime", "mtime"),
mtime = ProtoField.absolute_time("tar.mtime", "mtime", base.UTC),
chksum = ProtoField.string("tar.chksum", "chksum"),
typeflag = ProtoField.new("typeflag", "tar.typeflag", ftypes.CHAR, typeflag_values),
linkname = ProtoField.string("tar.linkname", "linkname"),
magic = ProtoField.string("tar.magic", "magic"),
version = ProtoField.string("tar.version", "version"),
uname = ProtoField.string("tar.uname", "uname"),
gname = ProtoField.string("tar.gname", "gname"),
devmajor = ProtoField.string("tar.devmajor", "devmajor"),
devminor = ProtoField.string("tar.devminor", "devminor"),
prefix = ProtoField.string("tar.prefix", "prefix"),
}
proto_tar.fields = hf
local function dissect_one(tvb, offset, pinfo, tree)
local htree = tree:add(hf.header, tvb(offset, 500))
htree:add(hf.name, tvb(offset + 0, 100))
local name = tvb:raw(offset, 100):gsub("\0+$", "")
htree:append_text(string.format(" %s", name))
htree:add(hf.mode, tvb(offset + 100, 8))
htree:add(hf.uid, tvb(offset + 108, 8))
htree:add(hf.gid, tvb(offset + 116, 8))
htree:add(hf.size, tvb(offset + 124, 12))
local mtime = tonumber(tvb:raw(offset + 136, 12):gsub("\0+$", ""), 8)
htree:add(hf.mtime, tvb(offset + 136, 12), NSTime(mtime))
htree:add(hf.chksum, tvb(offset + 148, 8))
htree:add(hf.typeflag, tvb(offset + 156, 1))
local ftype = typeflag_values[tvb(offset + 156, 1):uint()]
if ftype then htree:append_text(string.format(" (%s)", ftype)) end
htree:add(hf.linkname, tvb(offset + 157, 100))
htree:add(hf.magic, tvb(offset + 257, 6))
htree:add(hf.version, tvb(offset + 263, 2))
htree:add(hf.uname, tvb(offset + 265, 32))
htree:add(hf.gname, tvb(offset + 297, 32))
htree:add(hf.devmajor, tvb(offset + 329, 8))
htree:add(hf.devminor, tvb(offset + 337, 8))
htree:add(hf.prefix, tvb(offset + 345, 155))
local size = tonumber(tvb:raw(offset + 124, 12):gsub("\0+$", ""), 8)
offset = offset + 512
if size and size > 0 then
htree:append_text(string.format(" (%d bytes)", size))
tree:add(hf.file_data, tvb(offset, size))
offset = offset + size
end
if offset % 512 ~= 0 then
offset = offset - (offset % 512) + 512
end
-- Detect end of archive (at least two consecutive zero-filled records).
while offset + 512 <= tvb:len() and tvb:raw(offset, 500):match("^\0+$") do
offset = offset + 512
end
return offset
end
function proto_tar.dissector(tvb, pinfo, tree)
pinfo.cols.protocol = "tar"
--pinfo.cols.info = ""
local next_offset = 0
while next_offset and next_offset < tvb:len() do
next_offset = dissect_one(tvb, next_offset, pinfo, tree)
end
return next_offset
end
local function tar_heur(tvb, pinfo, tree)
if tvb:len() < 512 or tvb:raw(257, 6) ~= "ustar\0" then
return false
end
proto_tar.dissector(tvb, pinfo, tree)
return true
end
-- Register MIME types in case a Tar file appears over HTTP.
DissectorTable.get("media_type"):add("application/x-tar", proto_tar)
-- Ensure that files can directly be opened (after any FileHandler has accepted
-- it, see below).
proto_tar:register_heuristic("wtap_file", tar_heur)
--
-- File handler (for directly interpreting opening a Tar file in Wireshark)
-- Actually, all it does is recognizing a Tar file and passing one packet to the
-- MIME dissector.
--
local tar_fh = FileHandler.new("Tar", "tar", "Tar archive file reader", "rms")
-- Check if file is really a tar file (return true if it is)
function tar_fh.read_open(file, cinfo)
-- Detect UStar format
if not (file:seek("set", 257) and file:read(6) == "ustar\0") then
return false
end
-- Find end of file and rewind.
local endpos, err = file:seek("end")
if not endpos then error("Error while finding end! " .. err) end
local ok, err = file:seek("set", 0)
if not ok then error("Non-seekable file! " .. err) end
cinfo.encap = wtap_encaps.MIME
cinfo.private_table = {
endpos = endpos,
}
return true
end
-- Read next packet (returns begin offset or false on error)
local function tar_fh_read(file, cinfo, finfo)
local p = cinfo.private_table
local curpos = file:seek("cur")
-- Fal on EOF
if curpos >= p.endpos then return false end
finfo.original_length = p.endpos - curpos
finfo.captured_length = p.endpos - curpos
if not finfo:read_data(file, finfo.captured_length) then
-- Partial read?
print("Hmm, partial read, curpos=" .. curpos .. ", len: " .. finfo.captured_length)
return false
end
return curpos
end
tar_fh.read = tar_fh_read
-- Reads packet at offset (returns true on success and false on failure)
function tar_fh.seek_read(file, cinfo, finfo, offset)
file:seek("set", offset)
-- Return a boolean since WS < 2.4 has an undocumented "feature" where
-- strings (including numbers) are treated as data.
return tar_fh_read(file, cinfo, finfo) ~= false
end
-- Hints for when to invoke this dissector.
tar_fh.extensions = "tar"
register_filehandler(tar_fh)
|
