How to write a Wireshark protocol dissector in Lua that shows the parameters in the query string of an HTTP packet's URI/URL
阿新 • Published: 2019-01-04
Wireshark's HTTP dissector does not break the query string in a GET request's URI (typically form data submitted via GET) down into its individual parameters. This article shows how to write a simple dissector in Lua that extracts those parameters and displays them in Wireshark's protocol dissection pane.
First, write the following dissector script in Lua (any text editor will do) and save it as my_http_querystring_decoder.lua:
```lua
-- Decode param=value from query string of http request uri (http.request.uri)
-- Author: Huang Qiangxiong ([email protected])
-- change log:
--   2010-07-01  Just can play.
------------------------------------------------------------------------------------------------
do
    local querystring_decoder_proto = Proto("my_http_querystring_decoder",
                                            "Decoded HTTP URI Query String [HQX's plugins]")

    ---- url decode (from www.lua.org guide): "+" becomes a space, %XX becomes the byte it encodes
    local function unescape(s)
        s = string.gsub(s, "+", " ")
        s = string.gsub(s, "%%(%x%x)", function(h)
            return string.char(tonumber(h, 16))
        end)
        return s
    end

    ---- convert string to hex string (two digits per byte, as ByteArray.new expects)
    local function string2hex(s)
        local hex = ""
        for i = 1, #s do
            hex = hex .. string.format("%02x", s:byte(i))
        end
        return hex
    end

    local f_http_uri = Field.new("http.request.uri")

    ---- my dissector
    function querystring_decoder_proto.dissector(tvb, pinfo, tree)
        local http_uri = f_http_uri()
        -- ignore packets without "http.request.uri"
        if not http_uri then return end
        -- begin build my tree
        local content = http_uri.value
        local idx = content:find("?", 1, true)   -- plain find: "?" is a pattern character
        if not idx then return end               -- no query string, so stop parsing
        local tab = ByteArray.new(string2hex(content)):tvb("Decoded HTTP URI Query String")
        local tab_range = tab()
        -- add proto item to tree
        local subtree = tree:add(querystring_decoder_proto, tab_range)
        -- add raw data to tree
        subtree:add(tab_range, "[HTTP Request URI] (" .. tab_range:len() .. " bytes)"):add(tab_range, content)
        -- add param value pair to tree
        local pairs_tree = subtree:add(tab_range, "[Decoded Query String]")
        local si = 1
        local ei = idx
        local count = 0
        while ei do
            si = ei + 1                          -- first character after "?" or "&"
            ei = string.find(content, "&", si, true)
            local xlen = (ei and (ei - si)) or (content:len() - si + 1)
            if xlen > 0 then
                -- tvb offsets are 0-based, Lua string positions are 1-based
                pairs_tree:add(tab(si - 1, xlen), unescape(content:sub(si, si + xlen - 1)))
                count = count + 1
            end
        end
        pairs_tree:append_text(" (" .. count .. ")")
    end

    -- register this dissector
    register_postdissector(querystring_decoder_proto)
end
```
Then edit the init.lua file in the Wireshark installation directory:
(1) Comment out the line disable_lua = true; do return end; by prefixing it with "--".
(2) Add the following line at the very end of init.lua: dofile("my_http_querystring_decoder.lua")
Done. Open an HTTP capture; for requests whose URI carries a query string, the window looks like this:
As you can see, a new node, Decoded HTTP URI Query String ..., is added to the protocol dissection tree. Under it, [HTTP Request URI] holds the original HTTP Request URI and [Decoded Query String] holds the individual parameters after URL decoding. In addition, a new data tab named "Decoded HTTP URI Query String" appears in Wireshark's "Packet Bytes" pane; it shows only the HTTP URI, so the raw form of the parameters in the URL can be seen.
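As an added example (not the original author's script), here is a variant of the same postdissector that registers ProtoFields, so the decoded names and values become usable in display filters (for example qs.name == "id") instead of plain text tree items, and that splits each pair at "=". The protocol name qs_filterable and the field abbreviations qs.param, qs.name and qs.value are my own choice.

```lua
-- Added example, not the original author's script: a postdissector variant that
-- registers ProtoFields so decoded parameters can be used in display filters.
-- The names "qs_filterable", "qs.param", "qs.name", "qs.value" are my own choice.
local qs_proto = Proto("qs_filterable", "HTTP URI Query String (filterable)")

local f_param = ProtoField.string("qs.param", "Parameter (raw)")
local f_name  = ProtoField.string("qs.name",  "Name (decoded)")
local f_value = ProtoField.string("qs.value", "Value (decoded)")
qs_proto.fields = { f_param, f_name, f_value }

local f_http_uri = Field.new("http.request.uri")
-- URL-decode: "+" becomes a space, %XX becomes the byte it encodes
local function unescape(s)
  s = string.gsub(s, "%+", " ")
  return (string.gsub(s, "%%(%x%x)", function(h) return string.char(tonumber(h, 16)) end))
end

-- Split "a=1&b=%41" into { {raw=, name=, value=}, ... }; a pair without "=" gets an empty value
local function parse_query(q)
  local out = {}
  for raw in string.gmatch(q, "[^&]+") do
    local name, value = raw:match("^([^=]*)=(.*)$")
    if not name then name, value = raw, "" end
    out[#out + 1] = { raw = raw, name = unescape(name), value = unescape(value) }
  end
  return out
end

function qs_proto.dissector(tvb, pinfo, tree)
  local uri = f_http_uri()
  if not uri then return end
  local content = uri.value
  local idx = content:find("?", 1, true)       -- plain find, "?" is a pattern character
  if not idx then return end
  -- Build a TVB over the URI so every item highlights its bytes; ByteArray.new
  -- needs two hex digits per byte, hence %02x.
  local hex = content:gsub(".", function(c) return string.format("%02x", c:byte()) end)
  local uri_tvb = ByteArray.new(hex):tvb("HTTP URI")
  local subtree = tree:add(qs_proto, uri_tvb())
  local pos = idx                                -- 1-based position of "?"
  for _, p in ipairs(parse_query(content:sub(idx + 1))) do
    local start = content:find(p.raw, pos + 1, true) - 1   -- 0-based tvb offset
    local item = subtree:add(f_param, uri_tvb(start, #p.raw), p.raw)
    item:add(f_name, uri_tvb(start, #p.raw), p.name)
    item:add(f_value, uri_tvb(start, #p.raw), p.value)
    pos = start + #p.raw                         -- 1-based position of the pair's last char
  end
end
register_postdissector(qs_proto)
```

Load it the same way as the script above (dofile from init.lua); because the fields are registered, they can also be added as custom columns in the packet list.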