2018-03-17 07:00:24 +07:00
|
|
|
----------------------------------------
|
|
|
|
-- script-name: zk6_udp_dissector.lua
|
|
|
|
--
|
|
|
|
-- author: Arturo Hernandez
|
|
|
|
-- Copyright (c) 2018
|
|
|
|
-- This code is in the Public Domain, or the BSD (3 clause) license if Public Domain does not apply
|
|
|
|
-- in your country.
|
|
|
|
--
|
|
|
|
-- Version: 1.0
|
|
|
|
--
|
|
|
|
-- BACKGROUND:
|
|
|
|
-- based on the example dns_dissector.lua from Hadriel Kaplan
|
|
|
|
--
|
|
|
|
-- OVERVIEW:
|
|
|
|
-- This script creates an dissector for the UDP protocol on ZK products.
|
|
|
|
-- to the DNS protocol. That's OK. The goal isn't to fully dissect DNS properly - Wireshark already has a good
|
|
|
|
-- DNS dissector built-in. We don't need another one. We also have other example Lua scripts, but I don't think
|
|
|
|
-- they do a good job of explaining things, and the nice thing about this one is getting capture files to
|
|
|
|
-- run it against is trivial. (plus I uploaded one)
|
|
|
|
--
|
|
|
|
-- HOW TO RUN THIS SCRIPT:
|
|
|
|
-- Wireshark and Tshark support multiple ways of loading Lua scripts: through a dofile() call in init.lua,
|
|
|
|
-- through the file being in either the global or personal plugins directories, or via the command line.
|
|
|
|
-- See the Wireshark USer's Guide chapter on Lua (http://www.wireshark.org/docs/wsug_html_chunked/wsluarm.html).
|
|
|
|
-- Once the script is loaded, it creates a new protocol named "MyDNS" (or "MYDNS" in some places). If you have
|
|
|
|
-- a capture file with DNS packets in it, simply select one in the Packet List pane, right-click on it, and
|
|
|
|
-- select "Decode As ...", and then in the dialog box that shows up scroll down the list of protocols to one
|
|
|
|
-- called "MYDNS", select that and click the "ok" or "apply" button. Voila`, you're now decoding DNS packets
|
|
|
|
-- using the simplistic dissector in this script. Another way is to download the capture file made for
|
|
|
|
-- this script, and open that - since the DNS packets in it use UDP port 65333 (instead of the default 53),
|
|
|
|
-- and since the MyDNS protocol in this script has been set to automatically decode UDP port 65333, it will
|
|
|
|
-- automagically do it without doing "Decode As ...".
|
|
|
|
--
|
|
|
|
----------------------------------------
|
|
|
|
print("hello world!")
|
|
|
|
-- do not modify this table
|
|
|
|
local debug_level = {
|
|
|
|
DISABLED = 0,
|
|
|
|
LEVEL_1 = 1,
|
|
|
|
LEVEL_2 = 2
|
|
|
|
}
|
|
|
|
|
|
|
|
-- set this DEBUG to debug_level.LEVEL_1 to enable printing debug_level info
|
|
|
|
-- set it to debug_level.LEVEL_2 to enable really verbose printing
|
|
|
|
-- note: this will be overridden by user's preference settings
|
|
|
|
local DEBUG = debug_level.LEVEL_1
|
|
|
|
|
|
|
|
local default_settings = {
|
|
|
|
debug_level = DEBUG,
|
|
|
|
port = 4370,
|
|
|
|
heur_enabled = false,
|
|
|
|
}
|
|
|
|
|
|
|
|
-- for testing purposes, we want to be able to pass in changes to the defaults
|
|
|
|
-- from the command line; because you can't set lua preferences from the command
|
|
|
|
-- line using the '-o' switch (the preferences don't exist until this script is
|
|
|
|
-- loaded, so the command line thinks they're invalid preferences being set)
|
|
|
|
-- so we pass them in as command arguments insetad, and handle it here:
|
|
|
|
local args={...} -- get passed-in args
|
|
|
|
if args and #args > 0 then
|
|
|
|
for _, arg in ipairs(args) do
|
|
|
|
local name, value = arg:match("(.+)=(.+)")
|
|
|
|
if name and value then
|
|
|
|
if tonumber(value) then
|
|
|
|
value = tonumber(value)
|
|
|
|
elseif value == "true" or value == "TRUE" then
|
|
|
|
value = true
|
|
|
|
elseif value == "false" or value == "FALSE" then
|
|
|
|
value = false
|
|
|
|
elseif value == "DISABLED" then
|
|
|
|
value = debug_level.DISABLED
|
|
|
|
elseif value == "LEVEL_1" then
|
|
|
|
value = debug_level.LEVEL_1
|
|
|
|
elseif value == "LEVEL_2" then
|
|
|
|
value = debug_level.LEVEL_2
|
|
|
|
else
|
|
|
|
error("invalid commandline argument value")
|
|
|
|
end
|
|
|
|
else
|
|
|
|
error("invalid commandline argument syntax")
|
|
|
|
end
|
|
|
|
|
|
|
|
default_settings[name] = value
|
|
|
|
end
|
|
|
|
end
|
|
|
|
|
|
|
|
local dprint = function() end
|
|
|
|
local dprint2 = function() end
|
|
|
|
local function reset_debug_level()
|
|
|
|
if default_settings.debug_level > debug_level.DISABLED then
|
|
|
|
dprint = function(...)
|
|
|
|
print(table.concat({"Lua:", ...}," "))
|
|
|
|
end
|
|
|
|
|
|
|
|
if default_settings.debug_level > debug_level.LEVEL_1 then
|
|
|
|
dprint2 = dprint
|
|
|
|
end
|
|
|
|
end
|
|
|
|
end
|
|
|
|
-- call it now
|
|
|
|
reset_debug_level()
|
|
|
|
|
|
|
|
dprint2("Wireshark version = ", get_version())
|
|
|
|
dprint2("Lua version = ", _VERSION)
|
|
|
|
|
|
|
|
----------------------------------------
|
|
|
|
-- Unfortunately, the older Wireshark/Tshark versions have bugs, and part of the point
|
|
|
|
-- of this script is to test those bugs are now fixed. So we need to check the version
|
|
|
|
-- end error out if it's too old.
|
|
|
|
local major, minor, micro = get_version():match("(%d+)%.(%d+)%.(%d+)")
|
|
|
|
if major and tonumber(major) <= 1 and ((tonumber(minor) <= 10) or (tonumber(minor) == 11 and tonumber(micro) < 3)) then
|
|
|
|
error( "Sorry, but your Wireshark/Tshark version ("..get_version()..") is too old for this script!\n"..
|
|
|
|
"This script needs Wireshark/Tshark version 1.11.3 or higher.\n" )
|
|
|
|
end
|
|
|
|
|
|
|
|
-- more sanity checking
|
|
|
|
-- verify we have the ProtoExpert class in wireshark, as that's the newest thing this file uses
|
|
|
|
assert(ProtoExpert.new, "Wireshark does not have the ProtoExpert class, so it's too old - get the latest 1.11.3 or higher")
|
|
|
|
|
|
|
|
----------------------------------------
|
|
|
|
|
|
|
|
|
|
|
|
----------------------------------------
|
|
|
|
-- creates a Proto object, but doesn't register it yet
|
|
|
|
local zk = Proto("zk6","ZK600 UDP Protocol")
|
2018-04-27 03:40:57 +07:00
|
|
|
local zk_tcp = Proto("zk8","ZK800 TCP Protocol")
|
|
|
|
|
|
|
|
local rfct = {
|
|
|
|
[1] = "FCT_ATTLOG",
|
|
|
|
[8] = "FCT_WORKCODE",
|
|
|
|
[2] = "FCT_FINGERTMP",
|
|
|
|
[4] = "FCT_OPLOG",
|
|
|
|
[5] = "FCT_USER",
|
|
|
|
[6] = "FCT_SMS",
|
|
|
|
[7] = "FCT_UDATA"
|
|
|
|
}
|
2018-03-17 07:00:24 +07:00
|
|
|
|
|
|
|
local rcomands = {
|
|
|
|
[7] = "CMD_DB_RRQ",
|
|
|
|
[8] = "CMD_USER_WRQ",
|
|
|
|
[9] = "CMD_USERTEMP_RRQ",
|
|
|
|
[10] = "CMD_USERTEMP_WRQ",
|
|
|
|
[11] = "CMD_OPTIONS_RRQ",
|
|
|
|
[12] = "CMD_OPTIONS_WRQ",
|
|
|
|
[13] = "CMD_ATTLOG_RRQ",
|
|
|
|
[14] = "CMD_CLEAR_DATA",
|
|
|
|
[15] = "CMD_CLEAR_ATTLOG",
|
|
|
|
[18] = "CMD_DELETE_USER",
|
|
|
|
[19] = "CMD_DELETE_USERTEMP",
|
|
|
|
[20] = "CMD_CLEAR_ADMIN",
|
|
|
|
[21] = "CMD_USERGRP_RRQ",
|
|
|
|
[22] = "CMD_USERGRP_WRQ",
|
|
|
|
[23] = "CMD_USERTZ_RRQ",
|
|
|
|
[24] = "CMD_USERTZ_WRQ",
|
|
|
|
[25] = "CMD_GRPTZ_RRQ",
|
|
|
|
[26] = "CMD_GRPTZ_WRQ",
|
|
|
|
[27] = "CMD_TZ_RRQ",
|
|
|
|
[28] = "CMD_TZ_WRQ",
|
|
|
|
[29] = "CMD_ULG_RRQ",
|
|
|
|
[30] = "CMD_ULG_WRQ",
|
|
|
|
[31] = "CMD_UNLOCK",
|
|
|
|
[32] = "CMD_CLEAR_ACC",
|
|
|
|
[33] = "CMD_CLEAR_OPLOG",
|
|
|
|
[34] = "CMD_OPLOG_RRQ",
|
|
|
|
[50] = "CMD_GET_FREE_SIZES",
|
|
|
|
[57] = "CMD_ENABLE_CLOCK",
|
|
|
|
[60] = "CMD_STARTVERIFY",
|
|
|
|
[61] = "CMD_STARTENROLL",
|
|
|
|
[62] = "CMD_CANCELCAPTURE",
|
|
|
|
[64] = "CMD_STATE_RRQ",
|
|
|
|
[66] = "CMD_WRITE_LCD",
|
|
|
|
[67] = "CMD_CLEAR_LCD",
|
|
|
|
[69] = "CMD_GET_PINWIDTH",
|
|
|
|
[70] = "CMD_SMS_WRQ",
|
|
|
|
[71] = "CMD_SMS_RRQ",
|
|
|
|
[72] = "CMD_DELETE_SMS",
|
|
|
|
[73] = "CMD_UDATA_WRQ",
|
|
|
|
[74] = "CMD_DELETE_UDATA",
|
|
|
|
[75] = "CMD_DOORSTATE_RRQ",
|
|
|
|
[76] = "CMD_WRITE_MIFARE",
|
|
|
|
[78] = "CMD_EMPTY_MIFARE",
|
|
|
|
[201] = "CMD_GET_TIME",
|
|
|
|
[202] = "CMD_SET_TIME",
|
|
|
|
[500] = "CMD_REG_EVENT",
|
|
|
|
[1000] = "CMD_CONNECT",
|
|
|
|
[1001] = "CMD_EXIT",
|
|
|
|
[1002] = "CMD_ENABLEDEVICE",
|
|
|
|
[1003] = "CMD_DISABLEDEVICE",
|
|
|
|
[1004] = "CMD_RESTART",
|
|
|
|
[1005] = "CMD_POWEROFF",
|
|
|
|
[1006] = "CMD_SLEEP",
|
|
|
|
[1007] = "CMD_RESUME",
|
|
|
|
[1009] = "CMD_CAPTUREFINGER",
|
|
|
|
[1011] = "CMD_TEST_TEMP",
|
|
|
|
[1012] = "CMD_CAPTUREIMAGE",
|
|
|
|
[1013] = "CMD_REFRESHDATA",
|
|
|
|
[1014] = "CMD_REFRESHOPTION",
|
|
|
|
[1017] = "CMD_TESTVOICE",
|
|
|
|
[1100] = "CMD_GET_VERSION",
|
|
|
|
[1101] = "CMD_CHANGE_SPEED",
|
|
|
|
[1102] = "CMD_AUTH",
|
|
|
|
[1500] = "CMD_PREPARE_DATA",
|
|
|
|
[1501] = "CMD_DATA",
|
|
|
|
[1502] = "CMD_FREE_DATA",
|
2018-04-27 03:40:57 +07:00
|
|
|
[1503] = "CMD_PREPARE_BUFFER",
|
|
|
|
[1504] = "CMD_READ_BUFFER",
|
2018-03-17 07:00:24 +07:00
|
|
|
[2000] = "CMD_ACK_OK",
|
|
|
|
[2001] = "CMD_ACK_ERROR",
|
|
|
|
[2002] = "CMD_ACK_DATA",
|
|
|
|
[2003] = "CMD_ACK_RETRY",
|
|
|
|
[2004] = "CMD_ACK_REPEAT",
|
|
|
|
[2005] = "CMD_ACK_UNAUTH",
|
|
|
|
[65535] = "CMD_ACK_UNKNOWN",
|
|
|
|
[65533] = "CMD_ACK_ERROR_CMD",
|
|
|
|
[65532] = "CMD_ACK_ERROR_INIT",
|
|
|
|
[65531] = "CMD_ACK_ERROR_DATA"
|
|
|
|
}
|
2018-04-27 03:40:57 +07:00
|
|
|
local rmachines = {
|
|
|
|
[20560] = "MACHINE_PREPARE_DATA_1",
|
|
|
|
[32130] = "MACHINE_PREPARE_DATA_2"
|
|
|
|
}
|
2018-03-17 07:00:24 +07:00
|
|
|
----------------------------------------
|
2018-04-27 03:40:57 +07:00
|
|
|
local pf_machine1 = ProtoField.new ("Machine Data 1", "zk8.machine1", ftypes.UINT16, rmachines, base.DEC)
|
|
|
|
local pf_machine2 = ProtoField.new ("Machine Data 2", "zk8.machine2", ftypes.UINT16, rmachines, base.DEC)
|
|
|
|
local pf_length = ProtoField.new ("Length", "zk8.length", ftypes.UINT32, nil, base.DEC)
|
|
|
|
|
2018-03-17 07:00:24 +07:00
|
|
|
local pf_command = ProtoField.new ("Command", "zk6.command", ftypes.UINT16, rcomands, base.DEC)
|
|
|
|
local pf_checksum = ProtoField.new ("CheckSum", "zk6.checksum", ftypes.UINT16, nil, base.HEX)
|
|
|
|
local pf_sesion_id = ProtoField.uint16("zk6.session_id", "ID session", base.HEX)
|
|
|
|
local pf_reply_id = ProtoField.uint16("zk6.reply_id", "ID Reply")
|
2018-04-27 03:40:57 +07:00
|
|
|
local pf_commkey = ProtoField.new ("Communication key", "zk6.commkey", ftypes.UINT32, nil, base.HEX)
|
2018-03-17 07:00:24 +07:00
|
|
|
local pf_data = ProtoField.new ("Data", "zk6.data", ftypes.BYTES, nil, base.DOT)
|
2018-04-27 03:40:57 +07:00
|
|
|
local pf_string = ProtoField.new ("Data", "zk6.string", ftypes.STRING)
|
2018-03-17 07:00:24 +07:00
|
|
|
local pf_time = ProtoField.new ("Time", "zk6.time", ftypes.UINT32, nil)
|
2018-04-27 03:40:57 +07:00
|
|
|
local pf_start = ProtoField.new ("Data offset", "zk6.start", ftypes.UINT32, nil)
|
|
|
|
local pf_size = ProtoField.new ("Data Size", "zk6.size", ftypes.UINT32, nil)
|
|
|
|
local pf_psize = ProtoField.new ("Packet Size", "zk6.psize", ftypes.UINT32, nil)
|
|
|
|
local pf_fsize0 = ProtoField.new ("null #1", "zk6.fsize0", ftypes.UINT32, nil)
|
|
|
|
local pf_fsize1 = ProtoField.new ("null #2", "zk6.fsize1", ftypes.UINT32, nil)
|
|
|
|
local pf_fsize2 = ProtoField.new ("null #3", "zk6.fsize2", ftypes.UINT32, nil)
|
|
|
|
local pf_fsize3 = ProtoField.new ("null #4", "zk6.fsize3", ftypes.UINT32, nil)
|
|
|
|
local pf_fsizeu = ProtoField.new ("users", "zk6.fsizeu", ftypes.UINT32, nil)
|
|
|
|
local pf_fsize4 = ProtoField.new ("null #5", "zk6.fsize4", ftypes.UINT32, nil)
|
|
|
|
local pf_fsizef = ProtoField.new ("fingers", "zk6.fsizef", ftypes.UINT32, nil)
|
|
|
|
local pf_fsize5 = ProtoField.new ("null #6", "zk6.fsize5", ftypes.UINT32, nil)
|
|
|
|
local pf_fsizer = ProtoField.new ("records", "zk6.fsizer", ftypes.UINT32, nil)
|
|
|
|
local pf_fsize6 = ProtoField.new ("null #7", "zk6.fsize6", ftypes.UINT32, nil)
|
|
|
|
local pf_fsize7 = ProtoField.new ("null 4096", "zk6.fsize7", ftypes.UINT32, nil)
|
|
|
|
local pf_fsize8 = ProtoField.new ("null #8", "zk6.fsize8", ftypes.UINT32, nil)
|
|
|
|
local pf_fsizec = ProtoField.new ("cards", "zk6.fsizec", ftypes.UINT32, nil)
|
|
|
|
local pf_fsize9 = ProtoField.new ("null #9", "zk6.fsize9", ftypes.UINT32, nil)
|
|
|
|
local pf_fsizefc = ProtoField.new ("finger capacity", "zk6.fsizefc", ftypes.UINT32, nil)
|
|
|
|
local pf_fsizeuc = ProtoField.new ("user capacity", "zk6.fsizeuc", ftypes.UINT32, nil)
|
|
|
|
local pf_fsizerc = ProtoField.new ("record capacity", "zk6.fsizerc", ftypes.UINT32, nil)
|
|
|
|
local pf_fsizefa = ProtoField.new ("finger available", "zk6.fsizefa", ftypes.UINT32, nil)
|
|
|
|
local pf_fsizeua = ProtoField.new ("user available", "zk6.fsizeua", ftypes.UINT32, nil)
|
|
|
|
local pf_fsizera = ProtoField.new ("record available", "zk6.fsizera", ftypes.UINT32, nil)
|
|
|
|
local pf_fsizeff = ProtoField.new ("face", "zk6.fsizerff", ftypes.UINT32, nil)
|
|
|
|
local pf_fsize10 = ProtoField.new ("nul #10", "zk6.fsize10", ftypes.UINT32, nil)
|
|
|
|
local pf_fsizeffc = ProtoField.new ("face capacity", "zk6.fsizeffc", ftypes.UINT32, nil)
|
|
|
|
local pf_pbfill = ProtoField.new ("null 01", "zk6.pbfill", ftypes.UINT8, nil)
|
|
|
|
local pf_pbcmd = ProtoField.new ("command", "zk6.pbcmd", ftypes.UINT16, rcomands)
|
|
|
|
local pf_pbarg = ProtoField.new ("argument", "zk6.pbarg", ftypes.UINT64, rfct)
|
|
|
|
local pf_pbfill0 = ProtoField.new ("null 0", "zk6.pbfill0", ftypes.UINT8, nil)
|
|
|
|
local pf_pbfree = ProtoField.new ("free space", "zk6.pbfree", ftypes.UINT32, nil)
|
|
|
|
local pf_uid = ProtoField.new ("User ID", "zk6.uid", ftypes.UINT16, nil)
|
2018-03-17 07:00:24 +07:00
|
|
|
----------------------------------------
|
|
|
|
-- this actually registers the ProtoFields above, into our new Protocol
|
|
|
|
-- in a real script I wouldn't do it this way; I'd build a table of fields programmatically
|
|
|
|
-- and then set dns.fields to it, so as to avoid forgetting a field
|
2018-04-27 03:40:57 +07:00
|
|
|
zk.fields = { pf_command, pf_checksum, pf_sesion_id, pf_reply_id, pf_commkey, pf_data, pf_string,
|
|
|
|
pf_time, pf_start, pf_size, pf_psize, pf_fsize0, pf_fsize1, pf_fsize2, pf_fsize3,
|
|
|
|
pf_fsizeu, pf_fsize4, pf_fsizef, pf_fsize5,pf_fsizer,pf_fsize6,pf_fsize7,
|
|
|
|
pf_fsize8,pf_fsizec,pf_fsize9,pf_fsizefc,pf_fsizeuc,pf_fsizerc, pf_uid,
|
|
|
|
pf_fsizefa,pf_fsizeua,pf_fsizera, pf_fsizeff, pf_fsize10, pf_fsizeffc,
|
|
|
|
pf_pbfill, pf_pbcmd, pf_pbarg, pf_pbfill0, pf_pbfree}
|
|
|
|
|
|
|
|
zk_tcp.fields = { pf_machine1, pf_machine2, pf_length }
|
2018-03-17 07:00:24 +07:00
|
|
|
----------------------------------------
|
|
|
|
-- we don't just want to display our protocol's fields, we want to access the value of some of them too!
|
|
|
|
-- There are several ways to do that. One is to just parse the buffer contents in Lua code to find
|
|
|
|
-- the values. But since ProtoFields actually do the parsing for us, and can be retrieved using Field
|
|
|
|
-- objects, it's kinda cool to do it that way. So let's create some Fields to extract the values.
|
|
|
|
-- The following creates the Field objects, but they're not 'registered' until after this script is loaded.
|
|
|
|
-- Also, these lines can't be before the 'dns.fields = ...' line above, because the Field.new() here is
|
|
|
|
-- referencing fields we're creating, and they're not "created" until that line above.
|
|
|
|
-- Furthermore, you cannot put these 'Field.new()' lines inside the dissector function.
|
|
|
|
-- Before Wireshark version 1.11, you couldn't even do this concept (of using fields you just created).
|
2018-04-27 03:40:57 +07:00
|
|
|
local machine1_field = Field.new("zk8.machine1")
|
|
|
|
local machine2_field = Field.new("zk8.machine2")
|
|
|
|
local length_field = Field.new("zk8.length")
|
|
|
|
local command_field = Field.new("zk6.command")
|
|
|
|
local checksum_field = Field.new("zk6.checksum")
|
|
|
|
local session_id_field = Field.new("zk6.session_id")
|
|
|
|
local reply_id_field = Field.new("zk6.reply_id")
|
|
|
|
local commkey_field = Field.new("zk6.commkey")
|
|
|
|
local data_field = Field.new("zk6.data")
|
|
|
|
local string_field = Field.new("zk6.string")
|
|
|
|
local time_field = Field.new("zk6.time")
|
|
|
|
local size_field = Field.new("zk6.size")
|
|
|
|
local start_field = Field.new("zk6.start")
|
|
|
|
local psize_field = Field.new("zk6.psize")
|
|
|
|
local fsize0_field = Field.new("zk6.fsize0")
|
|
|
|
local fsize1_field = Field.new("zk6.fsize1")
|
|
|
|
local fsize2_field = Field.new("zk6.fsize2")
|
|
|
|
local fsize3_field = Field.new("zk6.fsize3")
|
|
|
|
local fsize4_field = Field.new("zk6.fsize4")
|
|
|
|
local fsize5_field = Field.new("zk6.fsize5")
|
|
|
|
local fsize6_field = Field.new("zk6.fsize6")
|
|
|
|
local fsize7_field = Field.new("zk6.fsize7")
|
|
|
|
local fsize8_field = Field.new("zk6.fsize8")
|
|
|
|
local fsize9_field = Field.new("zk6.fsize9")
|
|
|
|
local fsizef_field = Field.new("zk6.fsizef")
|
|
|
|
local fsizeu_field = Field.new("zk6.fsizeu")
|
|
|
|
local fsizer_field = Field.new("zk6.fsizer")
|
|
|
|
local fsizec_field = Field.new("zk6.fsizec")
|
|
|
|
local pbfill_field = Field.new("zk6.pbfill")
|
|
|
|
local pbcmd_field = Field.new("zk6.pbcmd")
|
|
|
|
local pbarg_field = Field.new("zk6.pbarg")
|
|
|
|
local pbfill0_field = Field.new("zk6.pbfill0")
|
|
|
|
local pbfree_field = Field.new("zk6.pbfree")
|
|
|
|
local uid_field = Field.new("zk6.uid")
|
|
|
|
|
2018-03-17 07:00:24 +07:00
|
|
|
-- here's a little helper function to access the response_field value later.
|
|
|
|
-- Like any Field retrieval, you can't retrieve a field's value until its value has been
|
|
|
|
-- set, which won't happen until we actually use our ProtoFields in TreeItem:add() calls.
|
|
|
|
-- So this isResponse() function can't be used until after the pf_flag_response ProtoField
|
|
|
|
-- has been used inside the dissector.
|
|
|
|
-- Note that calling the Field object returns a FieldInfo object, and calling that
|
|
|
|
-- returns the value of the field - in this case a boolean true/false, since we set the
|
|
|
|
-- "mydns.flags.response" ProtoField to ftype.BOOLEAN way earlier when we created the
|
|
|
|
-- pf_flag_response ProtoField. Clear as mud?
|
|
|
|
--
|
|
|
|
-- A shorter version of this function would be:
|
|
|
|
-- local function isResponse() return response_field()() end
|
|
|
|
-- but I though the below is easier to understand.
|
|
|
|
local function isResponse()
|
|
|
|
local response_fieldinfo = response_field()
|
|
|
|
return response_fieldinfo()
|
|
|
|
end
|
|
|
|
|
|
|
|
--------------------------------------------------------------------------------
|
|
|
|
-- preferences handling stuff
|
|
|
|
--------------------------------------------------------------------------------
|
|
|
|
|
|
|
|
-- a "enum" table for our enum pref, as required by Pref.enum()
|
|
|
|
-- having the "index" number makes ZERO sense, and is completely illogical
|
|
|
|
-- but it's what the code has expected it to be for a long time. Ugh.
|
|
|
|
local debug_pref_enum = {
|
|
|
|
{ 1, "Disabled", debug_level.DISABLED },
|
|
|
|
{ 2, "Level 1", debug_level.LEVEL_1 },
|
|
|
|
{ 3, "Level 2", debug_level.LEVEL_2 },
|
|
|
|
}
|
|
|
|
|
|
|
|
zk.prefs.debug = Pref.enum("Debug", default_settings.debug_level,
|
|
|
|
"The debug printing level", debug_pref_enum)
|
|
|
|
|
|
|
|
zk.prefs.port = Pref.uint("Port number", default_settings.port,
|
|
|
|
"The UDP port number for MyDNS")
|
|
|
|
|
|
|
|
zk.prefs.heur = Pref.bool("Heuristic enabled", default_settings.heur_enabled,
|
|
|
|
"Whether heuristic dissection is enabled or not")
|
|
|
|
|
|
|
|
----------------------------------------
|
|
|
|
-- a function for handling prefs being changed
|
|
|
|
function zk.prefs_changed()
|
|
|
|
dprint2("prefs_changed called")
|
|
|
|
|
|
|
|
default_settings.debug_level = zk.prefs.debug
|
|
|
|
reset_debug_level()
|
|
|
|
|
|
|
|
default_settings.heur_enabled = zk.prefs.heur
|
|
|
|
|
|
|
|
if default_settings.port ~= zk.prefs.port then
|
|
|
|
-- remove old one, if not 0
|
|
|
|
if default_settings.port ~= 0 then
|
|
|
|
dprint2("removing ZK6 from port",default_settings.port)
|
|
|
|
DissectorTable.get("udp.port"):remove(default_settings.port, zk)
|
|
|
|
end
|
|
|
|
-- set our new default
|
|
|
|
default_settings.port = dns.prefs.port
|
|
|
|
-- add new one, if not 0
|
|
|
|
if default_settings.port ~= 0 then
|
|
|
|
dprint2("adding ZK6 to port",default_settings.port)
|
|
|
|
DissectorTable.get("udp.port"):add(default_settings.port, zk)
|
|
|
|
end
|
|
|
|
end
|
|
|
|
|
|
|
|
end
|
|
|
|
|
|
|
|
dprint2("ZK6 Prefs registered")
|
|
|
|
|
|
|
|
|
|
|
|
----------------------------------------
|
|
|
|
---- some constants for later use ----
|
|
|
|
-- the DNS header size
|
|
|
|
local ZK_HDR_LEN = 8
|
|
|
|
|
|
|
|
-- the smallest possible DNS query field size
|
|
|
|
-- has to be at least a label length octet, label character, label null terminator, 2-bytes type and 2-bytes class
|
|
|
|
local MIN_QUERY_LEN = 7
|
|
|
|
|
|
|
|
----------------------------------------
|
|
|
|
-- some forward "declarations" of helper functions we use in the dissector
|
|
|
|
-- I don't usually use this trick, but it'll help reading/grok'ing this script I think
|
|
|
|
-- if we don't focus on them.
|
|
|
|
local getQueryName
|
|
|
|
|
|
|
|
local prevCommand = 0
|
|
|
|
|
|
|
|
----------------------------------------
|
|
|
|
-- The following creates the callback function for the dissector.
|
|
|
|
-- It's the same as doing "dns.dissector = function (tvbuf,pkt,root)"
|
|
|
|
-- The 'tvbuf' is a Tvb object, 'pktinfo' is a Pinfo object, and 'root' is a TreeItem object.
|
|
|
|
-- Whenever Wireshark dissects a packet that our Proto is hooked into, it will call
|
|
|
|
-- this function and pass it these arguments for the packet it's dissecting.
|
2018-04-27 03:40:57 +07:00
|
|
|
function zk.dissector(tvbuf, pktinfo, root)
|
2018-03-17 07:00:24 +07:00
|
|
|
dprint2("zk.dissector called")
|
|
|
|
|
|
|
|
-- set the protocol column to show our protocol name
|
|
|
|
pktinfo.cols.protocol:set("ZK6")
|
|
|
|
|
|
|
|
-- We want to check that the packet size is rational during dissection, so let's get the length of the
|
|
|
|
-- packet buffer (Tvb).
|
|
|
|
-- Because DNS has no additional payload data other than itself, and it rides on UDP without padding,
|
|
|
|
-- we can use tvb:len() or tvb:reported_len() here; but I prefer tvb:reported_length_remaining() as it's safer.
|
|
|
|
local pktlen = tvbuf:reported_length_remaining()
|
|
|
|
|
|
|
|
-- We start by adding our protocol to the dissection display tree.
|
|
|
|
-- A call to tree:add() returns the child created, so we can add more "under" it using that return value.
|
|
|
|
-- The second argument is how much of the buffer/packet this added tree item covers/represents - in this
|
|
|
|
-- case (DNS protocol) that's the remainder of the packet.
|
|
|
|
local tree = root:add(zk, tvbuf:range(0,pktlen))
|
|
|
|
|
|
|
|
-- now let's check it's not too short
|
|
|
|
if pktlen < ZK_HDR_LEN then
|
|
|
|
-- since we're going to add this protocol to a specific UDP port, we're going to
|
|
|
|
-- assume packets in this port are our protocol, so the packet being too short is an error
|
|
|
|
-- the old way: tree:add_expert_info(PI_MALFORMED, PI_ERROR, "packet too short")
|
|
|
|
-- the correct way now:
|
|
|
|
tree:add_proto_expert_info(ef_too_short)
|
|
|
|
dprint("packet length",pktlen,"too short")
|
|
|
|
return
|
|
|
|
end
|
|
|
|
|
|
|
|
-- Now let's add our transaction id under our dns protocol tree we just created.
|
|
|
|
-- The transaction id starts at offset 0, for 2 bytes length.
|
|
|
|
tree:add_le(pf_command, tvbuf:range(0,2))
|
|
|
|
tree:add_le(pf_checksum, tvbuf:range(2,2))
|
|
|
|
tree:add_le(pf_sesion_id, tvbuf:range(4,2))
|
|
|
|
tree:add_le(pf_reply_id, tvbuf:range(6,2))
|
2018-04-27 03:40:57 +07:00
|
|
|
local command = tvbuf:range(0,2):le_uint()
|
2018-03-17 07:00:24 +07:00
|
|
|
if pktlen > ZK_HDR_LEN then
|
|
|
|
remain = pktlen - ZK_HDR_LEN -- TODO: no funciona el prevCommand,
|
2018-04-27 03:40:57 +07:00
|
|
|
if (command == 1102) then
|
|
|
|
tree:add_le(pf_commkey, tvbuf:range(8,4))
|
|
|
|
elseif (command == 1500) then
|
|
|
|
tree:add_le(pf_size, tvbuf:range(8,4))
|
|
|
|
if remain > 8 then
|
|
|
|
tree:add_le(pf_psize, tvbuf:range(12,4))
|
|
|
|
end
|
|
|
|
elseif (command == 12) or (command == 11) then
|
|
|
|
tree:add(pf_string, tvbuf:range(8,remain))
|
|
|
|
elseif (command == 18) then
|
|
|
|
tree:add_le(pf_uid, tvbuf(8,2))
|
|
|
|
elseif (command == 1503) then
|
|
|
|
tree:add(pf_pbfill, tvbuf:range(8,1))
|
|
|
|
tree:add_le(pf_pbcmd, tvbuf:range(9,2))
|
|
|
|
tree:add_le(pf_pbarg, tvbuf:range(11,8))
|
|
|
|
elseif (command == 1504) then
|
|
|
|
tree:add_le(pf_start, tvbuf:range(8,4))
|
|
|
|
tree:add_le(pf_size, tvbuf:range(12,4))
|
|
|
|
elseif (prevCommand == 1503) then
|
|
|
|
tree:add_le(pf_pbfill0, tvbuf:range(8,1))
|
|
|
|
tree:add_le(pf_size, tvbuf:range(9,4))
|
|
|
|
tree:add_le(pf_psize, tvbuf:range(13,4))
|
|
|
|
tree:add_le(pf_pbfree, tvbuf:range(17,4))
|
|
|
|
elseif (prevCommand == 12) or (prevCommand == 11) or (prevCommand == 1100) then
|
|
|
|
tree:add(pf_string, tvbuf:range(8,remain))
|
|
|
|
elseif (prevCommand == 201) or (prevCommand == 202) then
|
2018-03-17 07:00:24 +07:00
|
|
|
local ts = tvbuf:range(8,4):le_uint()
|
2018-04-27 03:40:57 +07:00
|
|
|
tree:add_le(pf_time, tvbuf:range(8,4))
|
|
|
|
elseif (prevCommand == 50) then
|
|
|
|
tree:add_le(pf_fsize0, tvbuf:range(8,4))
|
|
|
|
tree:add_le(pf_fsize1, tvbuf:range(12,4))
|
|
|
|
tree:add_le(pf_fsize2, tvbuf:range(16,4))
|
|
|
|
tree:add_le(pf_fsize3, tvbuf:range(20,4))
|
|
|
|
tree:add_le(pf_fsizeu, tvbuf:range(24,4))
|
|
|
|
tree:add_le(pf_fsize4, tvbuf:range(28,4))
|
|
|
|
tree:add_le(pf_fsizef, tvbuf:range(32,4))
|
|
|
|
tree:add_le(pf_fsize5, tvbuf:range(36,4))
|
|
|
|
tree:add_le(pf_fsizer, tvbuf:range(40,4))
|
|
|
|
tree:add_le(pf_fsize6, tvbuf:range(44,4))
|
|
|
|
tree:add_le(pf_fsize7, tvbuf:range(48,4))
|
|
|
|
tree:add_le(pf_fsize8, tvbuf:range(52,4))
|
|
|
|
tree:add_le(pf_fsizec, tvbuf:range(56,4))
|
|
|
|
tree:add_le(pf_fsize9, tvbuf:range(60,4))
|
|
|
|
tree:add_le(pf_fsizefc, tvbuf:range(64,4))
|
|
|
|
tree:add_le(pf_fsizeuc, tvbuf:range(68,4))
|
|
|
|
tree:add_le(pf_fsizerc, tvbuf:range(72,4))
|
|
|
|
tree:add_le(pf_fsizefa, tvbuf:range(76,4))
|
|
|
|
tree:add_le(pf_fsizeua, tvbuf:range(80,4))
|
|
|
|
tree:add_le(pf_fsizera, tvbuf:range(84,4))
|
|
|
|
if remain > 80 then
|
|
|
|
tree:add_le(pf_fsizeff, tvbuf:range(88,4))
|
|
|
|
tree:add_le(pf_fsize10, tvbuf:range(92,4))
|
|
|
|
tree:add_le(pf_fsizeffc, tvbuf:range(96,4))
|
|
|
|
end
|
2018-03-17 07:00:24 +07:00
|
|
|
else
|
2018-04-27 03:40:57 +07:00
|
|
|
-- tree:add_le(pf_data, tvbuf:range(8,remain)) most time we need strings
|
|
|
|
tree:add(pf_string, tvbuf:range(8,remain))
|
2018-03-17 07:00:24 +07:00
|
|
|
end
|
|
|
|
end
|
|
|
|
dprint2("zk.dissector returning",pktlen)
|
2018-04-27 07:17:48 +07:00
|
|
|
if rcomands[command] ~= nil then
|
|
|
|
pktinfo.cols.info:set(rcomands[command])
|
|
|
|
else
|
|
|
|
pktinfo.cols.info:set("CMD:" .. tostring(command))
|
|
|
|
end
|
2018-04-27 03:40:57 +07:00
|
|
|
prevCommand = command
|
2018-03-17 07:00:24 +07:00
|
|
|
-- tell wireshark how much of tvbuff we dissected
|
|
|
|
return pktlen
|
|
|
|
end
|
|
|
|
----------------------------------------
|
|
|
|
-- we want to have our protocol dissection invoked for a specific UDP port,
|
|
|
|
-- so get the udp dissector table and add our protocol to it
|
|
|
|
DissectorTable.get("udp.port"):add(default_settings.port, zk)
|
|
|
|
|
|
|
|
|
2018-04-27 03:40:57 +07:00
|
|
|
function zk_tcp.dissector(tvbuf, pktinfo, root)
|
|
|
|
dprint2("zk_tcp.dissector called")
|
|
|
|
local pktlen = tvbuf:reported_length_remaining()
|
|
|
|
|
|
|
|
-- We start by adding our protocol to the dissection display tree.
|
|
|
|
-- A call to tree:add() returns the child created, so we can add more "under" it using that return value.
|
|
|
|
-- The second argument is how much of the buffer/packet this added tree item covers/represents - in this
|
|
|
|
-- case (DNS protocol) that's the remainder of the packet.
|
|
|
|
local tree = root:add(zk_tcp, tvbuf:range(0,pktlen))
|
|
|
|
|
|
|
|
-- now let's check it's not too short
|
|
|
|
if pktlen < ZK_HDR_LEN then
|
|
|
|
-- since we're going to add this protocol to a specific UDP port, we're going to
|
|
|
|
-- assume packets in this port are our protocol, so the packet being too short is an error
|
|
|
|
-- the old way: tree:add_expert_info(PI_MALFORMED, PI_ERROR, "packet too short")
|
|
|
|
-- the correct way now:
|
|
|
|
tree:add_proto_expert_info(ef_too_short)
|
|
|
|
dprint("packet length",pktlen,"too short")
|
|
|
|
return
|
|
|
|
end
|
|
|
|
dprint2("zk_tcp.dissector returning", pktlen)
|
|
|
|
tree:add_le(pf_machine1, tvbuf:range(0,2))
|
|
|
|
tree:add_le(pf_machine2, tvbuf:range(2,2))
|
|
|
|
tree:add_le(pf_length, tvbuf:range(4,4))
|
|
|
|
-- tell wireshark how much of tvbuff we dissected
|
|
|
|
if pktlen > ZK_HDR_LEN then
|
|
|
|
remain = pktlen - ZK_HDR_LEN
|
|
|
|
-- zk_tree = tree:add(zk, tvbuf:range(8, remain))
|
|
|
|
zk.dissector(tvbuf:range(8,remain):tvb(), pktinfo, tree)
|
|
|
|
end
|
|
|
|
-- set the protocol column to show our protocol name
|
|
|
|
pktinfo.cols.protocol:set("ZK8")
|
|
|
|
return pktlen
|
|
|
|
end
|
|
|
|
|
|
|
|
|
|
|
|
DissectorTable.get("tcp.port"):add(default_settings.port, zk_tcp)
|
2018-03-17 07:00:24 +07:00
|
|
|
-- We're done!
|
|
|
|
-- our protocol (Proto) gets automatically registered after this script finishes loading
|
|
|
|
----------------------------------------
|
|
|
|
|