author | Nardi Ivan <nardi.ivan@gmail.com> | 2024-06-25 09:37:51 +0200 |
committer | Ivan Nardi <12729895+IvanNardi@users.noreply.github.com> | 2024-06-25 16:39:45 +0200 |
commit | f44832cc51400f7ede9343cb1847f4c242c5ddc9 (patch) | |
tree | 9e626cfbdf1ef62e61e5c4f9b773acac540f5568 | |
parent | 3f0ea18866ee4e3ab5cc1b3530365828c8b2f655 (diff) |
wireshark: lua: filtering and trailer dissection work with tshark, too
```
ivan@ivan-Latitude-E6540:~/$ tshark -C "nDPI extcap" -i ndpi -o extcap.ndpi.i:/home/ivan/svnrepos/nDPI/tests/pcap/anydesk.pcapng -Y "ndpi.protocol.name contains DNS"
Capturing on 'nDPI interface: ndpi'
62 22635386.425683 192.168.1.187 DNS.AnyDesk 192.168.1.1 128 Standard query 0xec22 A relay-3185a847.net.anydesk.com
63 22635386.439540 192.168.1.1 DNS.AnyDesk 192.168.1.187 144 Standard query response 0xec22 A relay-3185a847.net.anydesk.com A 37.61.223.15
64 22635386.721277 192.168.1.187 DNS.AnyDesk 192.168.1.1 128 Standard query 0xea89 A relay-9b6827f2.net.anydesk.com
65 22635386.732444 192.168.1.1 DNS.AnyDesk 192.168.1.187 144 Standard query response 0xea89 A relay-9b6827f2.net.anydesk.com A 138.199.36.115
4 packets captured
```
-rw-r--r-- | wireshark/ndpi.lua | 35 |
1 files changed, 20 insertions, 15 deletions
diff --git a/wireshark/ndpi.lua b/wireshark/ndpi.lua
index 24ec87c11..3b10418c1 100644
--- a/wireshark/ndpi.lua
+++ b/wireshark/ndpi.lua
@@ -198,6 +198,8 @@ local debug = false
 local dump_timeseries = false
+local dissect_ndpi_trailer = true
+
 local dump_file = "/tmp/wireshark-influx.txt"
 local file
@@ -1027,11 +1029,11 @@ end
 -- the dissector function callback
 function ndpi_proto.dissector(tvb, pinfo, tree)
- -- Wireshark dissects the packet twice. We ignore the first
- -- run as on that step the packet is still undecoded
- -- The trick below avoids to process the packet twice
+ -- Wireshark dissects the packet twice. General rule:
+ -- * proto fields must be add in both cases (to be compatible with tshark)
+ -- * statistics should be gather onl on first pass
- if(pinfo.visited == true) then
+ if(dissect_ndpi_trailer) then
 local eth_trailer = {f_eth_trailer()}
 local vlan_trailer = {f_vlan_trailer()}
@@ -1068,15 +1070,17 @@ function ndpi_proto.dissector(tvb, pinfo, tree)
 flow_score = trailer_tvb(16, 2):int()
 if (flow_risk ~= UInt64(0, 0)) then
- local rev_key = getstring(pinfo.dst)..":"..getstring(pinfo.dst_port).." - "..getstring(pinfo.src)..":"..getstring(pinfo.src_port)
+ if(pinfo.visited == false) then
+ local rev_key = getstring(pinfo.dst)..":"..getstring(pinfo.dst_port).." - "..getstring(pinfo.src)..":"..getstring(pinfo.src_port)
- if(flows_with_risks[rev_key] == nil) then
- local key = getstring(pinfo.src)..":"..getstring(pinfo.src_port).." - "..getstring(pinfo.dst)..":"..getstring(pinfo.dst_port)
+ if(flows_with_risks[rev_key] == nil) then
+ local key = getstring(pinfo.src)..":"..getstring(pinfo.src_port).." - "..getstring(pinfo.dst)..":"..getstring(pinfo.dst_port)
- if(flows_with_risks[key] == nil) then
- flows_with_risks[key] = flow_score
- end
- end
+ if(flows_with_risks[key] == nil) then
+ flows_with_risks[key] = flow_score
+ end
+ end
+ end
 for i=0,63 do
 if flow_risks[i] ~= nil then
@@ -1109,7 +1113,7 @@ function ndpi_proto.dissector(tvb, pinfo, tree)
 --print(network_protocol .. "/" .. application_protocol .. "/".. name)
 end
- if(compute_flows_stats) then
+ if(compute_flows_stats and pinfo.visited == false) then
 ndpikey = tostring(slen(name))
 if(ndpi_protos[ndpikey] == nil) then ndpi_protos[ndpikey] = 0 end
@@ -1144,8 +1148,9 @@ function ndpi_proto.dissector(tvb, pinfo, tree)
 end end -- nDPI
+ -- These dissector add some proto fields
 latency_dissector(tvb, pinfo, tree)
- tcp_dissector(tvb, pinfo, tree)
+ rpc_dissector(tvb, pinfo, tree)
 end
 -- ###########################################
@@ -1172,7 +1177,8 @@ function ndpi_proto.dissector(tvb, pinfo, tree)
 if(dump_timeseries) then timeseries_dissector(tvb, pinfo, tree) end
-
+
+ tcp_dissector(tvb, pinfo, tree)
 mac_dissector(tvb, pinfo, tree)
 arp_dissector(tvb, pinfo, tree)
 vlan_dissector(tvb, pinfo, tree)
@@ -1180,7 +1186,6 @@ function ndpi_proto.dissector(tvb, pinfo, tree)
 http_dissector(tvb, pinfo, tree)
 dhcp_dissector(tvb, pinfo, tree)
 dns_dissector(tvb, pinfo, tree)
- rpc_dissector(tvb, pinfo, tree)
 end
 register_postdissector(ndpi_proto) |
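Review bot: `dissect_ndpi_trailer` is added as a bare hard-coded `local` with no comment, unlike the purpose its name only hints at; since the same flag replaces the `pinfo.visited` guard in the second hunk, it decides whether the trailer is parsed at all, not just whether it is dissected on a given pass. A one-liner above it would make that cost explicit, e.g. `-- Set to false to skip parsing the nDPI trailer (no trailer-derived fields, risks or flow scores)`.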
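Review bot: The new header comment of `ndpi_proto.dissector` has typos that every later reader of this function will trip over: `proto fields must be add in both cases` should be `proto fields must be added in both cases` and `statistics should be gather onl on first pass` should be `statistics should be gathered only on the first pass`. The removed comment also recorded why the trailer was skipped on the first pass (the packet was "still undecoded"); now that the `if(dissect_ndpi_trailer)` branch runs on both passes, it is worth either stating in the comment that `{f_eth_trailer()}` / `{f_vlan_trailer()}` may come back empty on the first pass and that the code below tolerates it, or adding that check right after the extractors. The lines that consume those tables are below the hunk, so I cannot confirm from here how an empty result is handled.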
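Review bot: `rpc_dissector` is moved next to `latency_dissector`, which from the `end -- nDPI` context looks like the tail of the block that the second hunk now gates on `dissect_ndpi_trailer` (the block's closing `end` is outside this hunk, so this is inferred); if so, setting the flag to `false` would also drop the RPC fields, which do not depend on the trailer at all. If that coupling is not intended, the call belongs outside the flag-guarded block, where the last hunk removed it, with only the pass-dependent parts gated on `pinfo.visited`. The added comment also needs a grammar fix: `-- These dissectors add some proto fields`.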