我知道如何通过查看十六进制转储来手动完成它。如何自动获得相同的结果?我需要使用API吗?我同时拥有Wireshark和Microsoft网络监视器。
使用Lua协议分析器可以轻松实现此操作,它会将HTTP头字段添加到数据包树中,使您可以进行过滤,如下图所示:
将此 Lua 脚本复制到您的插件目录中(例如,${WIRESHARK_HOME}/plugins/1.4.6/http_extra.lua
),然后重新启动 Wireshark(如果已在运行中)。
do
local http_wrapper_proto = Proto("http_extra", "Extra analysis of the HTTP protocol");
http_wrapper_proto.fields.hdr_len = ProtoField.uint32("http.hdr_len", "Header length (bytes)")
-- HTTP frames that contain a header usually include the HTTP
-- request method or HTTP response code, so declare those here
-- so we can check for them later in the dissector.
local f_req_meth = Field.new("http.request.method")
local f_resp_code = Field.new("http.response.code")
local original_http_dissector
function http_wrapper_proto.dissector(tvbuffer, pinfo, treeitem)
-- We've replaced the original http dissector in the dissector table,
-- but we still want the original to run, especially because we need
-- to read its data. Let's wrap the call in a pcall in order to catch
-- any unhandled exceptions. We'll ignore those errors.
pcall(
function()
original_http_dissector:call(tvbuffer, pinfo, treeitem)
end
)
-- if the request method or response code is present,
-- the header must be in this frame
if f_req_meth() or f_resp_code() then
-- find the position of the header terminator (two new lines),
-- which indicates the length of the HTTP header, and then add
-- the field to the tree (allowing us to filter for it)
local hdr_str = tvbuffer():string()
local hdr_len = string.find(hdr_str, "\r\n\r\n") or string.find(hdr_str, "\n\n\n\n")
if hdr_len ~= nil then
treeitem:add(http_wrapper_proto.fields.hdr_len, hdr_len):set_generated()
end
end
end
local tcp_dissector_table = DissectorTable.get("tcp.port")
original_http_dissector = tcp_dissector_table:get_dissector(80) -- save the original dissector so we can still get to it
tcp_dissector_table:add(80, http_wrapper_proto) -- and take its place in the dissector table
end
用户568493发布的代码对我来说根本不起作用,所以我将其改为了后处理器,并且它没有正确计算字节数。它还在计算IP和以太网字节。
这是我修改后的版本,适用于1.8.2:
local http_wrapper_proto = Proto("http_extra", "Extra analysis of the HTTP protocol");
http_wrapper_proto.fields.hdr_len = ProtoField.uint32("http.hdr_len", "HTTP Header length (bytes)")
-- HTTP frames that contain a header usually include the HTTP
-- request method or HTTP response code, so declare those here
-- so we can check for them later in the dissector.
local f_req_meth = Field.new("http.request.method")
local f_resp_code = Field.new("http.response.code")
local original_http_dissector
function http_wrapper_proto.dissector(tvbuffer, pinfo, treeitem)
-- if the request method or response code is present,
-- the header must be in this frame
if f_req_meth() or f_resp_code() then
local start_offset = 0
local end_offset = 0
-- find the position of the header terminator (two new lines),
-- which indicates the length of the HTTP header, and then add
-- the field to the tree (allowing us to filter for it)
local hdr_str = tvbuffer():string()
if f_req_meth() then
start_offset = string.find(hdr_str, "GET")
end_offset = string.find(hdr_str, "\r\n\r\n")
end
if f_resp_code() then
start_offset = string.find(hdr_str, "HTTP")
end_offset = string.find(hdr_str, "\r\n\r\n")
end
local hdr_len = end_offset - start_offset + 4
-- 4 Bytes because the \r\n\r\n are not part of the HTTP Payload, hence should be counted in the header length.
if hdr_len ~= nil then
treeitem:add(http_wrapper_proto.fields.hdr_len, hdr_len):set_generated()
end
end
end
register_postdissector(http_wrapper_proto)
有一些关于创建Wireshark插件的好资源,例如:
http://simeonpilgrim.com/blog/2008/04/29/how-to-build-a-wireshark-plug-in/
http://www.wireshark.org/docs/wsdg_html_chunked/ChDissectAdd.html
http://www.codeproject.com/KB/IP/custom_dissector.aspx
这是一个视频,介绍如何将协议解码器公开的字段添加为自定义列:http://www.youtube.com/watch?v=XpUNXDkfkQg
事情是,您不想重新实现HTTP协议解码器。http.header_length
,就像现有的http.content_length
一样:
\n\n
或\r\n\r\n
)搜索TCP流。找到该位置的索引即为标头的长度。如果您希望在Wireshark中显示此内容,则需要开发插件或类似工具。如果您正在将数据转储到Excel表格或其他地方,则需要按照我所描述的计算长度。 - Tim Sylvester