Wireshark dissector - How to use dissectortable:add(pattern, dissector) with ANY pattern?

Submitted by 人走茶凉 on 2019-12-11 02:25:29

Question


I am creating a custom dissector for Wireshark. I am adding my dissector to the dissector table kind of like this...

-- assumes my_proto was created earlier with Proto(...) and has its dissector function set
udp_table = DissectorTable.get("udp.port")
udp_table:add(7777, my_proto)  -- only packets on UDP port 7777 reach my_proto

However, instead of my dissector handling just udp port 7777, I want it to handle ANY udp port or at least a really large range.

How can I do this?

The documentation says I can replace 7777 (the pattern) with a range, but I'm not sure what the syntax is for that.

Thank you!


Answer 1:


In theory a range is added using a Lua string for the first argument to dissectortable:add(), where the string is a range such as "7777-8888". However, there may be a bug preventing that from working right now (see this ask.wireshark.org thread).

Regardless, you should not make your dissector operate on every UDP port, since it wouldn't be true and would collide with a whole bunch of well-known UDP port uses (e.g., DNS, UPNP, SIP, etc.), as well as dynamically used ones such as for RTP and RTCP.

Perhaps what you really want to do is have a heuristic dissector? If so, you can make a Lua dissector be a heuristic one starting in wireshark v1.11.3 and beyond (the most recent wireshark version is 1.12rc2). See the API docs for proto:register_heuristic, and the example dissector.lua script at the top of the Lua examples page.
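As an added example (not part of the original answer), here is what the heuristic approach looks like in Lua. It assumes a toy protocol whose UDP payload starts with the 4-byte magic "EXMP", a one-byte message type and a two-byte big-endian length that must equal the remaining payload; the names exmp, f_type and f_len are this example's own.

```lua
-- Added example: a heuristic UDP dissector in Wireshark Lua.
-- Toy protocol layout (assumed): "EXMP" | type (1 byte) | length (2 bytes, BE) | payload
local exmp = Proto("exmp", "Example Protocol")

local f_type = ProtoField.uint8("exmp.type", "Message Type", base.DEC)
local f_len  = ProtoField.uint16("exmp.len", "Payload Length", base.DEC)
exmp.fields = { f_type, f_len }

local MAGIC = "EXMP"
local HEADER_LEN = 7  -- 4 magic + 1 type + 2 length

-- Regular dissector entry point; called once the heuristic has accepted the packet.
function exmp.dissector(buf, pinfo, tree)
    pinfo.cols.protocol = exmp.name
    local subtree = tree:add(exmp, buf(0, HEADER_LEN))
    subtree:add(f_type, buf(4, 1))
    subtree:add(f_len, buf(5, 2))
    return buf:len()
end

-- Heuristic callback: return true only when the payload really looks like ours,
-- so DNS, SIP, RTP and other traffic on arbitrary ports stays with their own dissectors.
local function exmp_heuristic(buf, pinfo, tree)
    if buf:len() < HEADER_LEN then return false end
    if buf(0, 4):string() ~= MAGIC then return false end
    if buf(5, 2):uint() ~= buf:len() - HEADER_LEN then return false end
    exmp.dissector(buf, pinfo, tree)
    return true
end

-- Registered on the "udp" heuristic list (Wireshark 1.11.3 and later), so it is
-- offered every UDP packet without claiming every entry in the "udp.port" table.
exmp:register_heuristic("udp", exmp_heuristic)

-- If a fixed port range is really wanted, the range form takes a string pattern:
-- DissectorTable.get("udp.port"):add("7777-7800", exmp)
```

Because the heuristic rejects anything without the magic and a consistent length field, a false match on a well-known port is limited to packets that happen to carry that exact header.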



Source: https://stackoverflow.com/questions/24375030/wireshark-dissector-how-to-use-dissectortableaddpattern-dissector-with-any
