
-- Create a file named ackpackets.cap (works for tshark only) -- Dump file is created for all packets captured.

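-- Display packets with a capture filter that adheres to display filter syntax.
--
-- Run tshark as shown on the following line:
--   tshark -X lua_script:dumptofile_ack_packet.lua -i 4 -o tcp.relative_sequence_numbers:TRUE
--
-- The filter compares tcp.seq with 0 and 1, so it depends on the
-- tcp.relative_sequence_numbers preference set on that command line.

do
    -- All state is local to this chunk so it cannot collide with globals
    -- set by other Lua scripts loaded in the same tshark run.

    -- Name of the capture file to be created. It is a relative path, so it is
    -- resolved against tshark's working directory.
    -- NOTE(review): an existing file of this name is presumably overwritten;
    -- confirm before running in a directory that holds earlier captures.
    local FILENAME = "ackpackets.cap"

    -- Set filter to use as capture filter on next line.
    -- tcp.flags values used:
    --   0x02 = syn
    --   0x12 = syn ack
    --   0x10 = ack
    -- Frames the filter is meant to select:
    --   first frame : syn,     tcp.flags = 0x02, tcp.seq = 0
    --   second frame: syn ack, tcp.flags = 0x12, tcp.seq = 0
    --   third frame : ack,     tcp.flags = 0x10, tcp.seq = 1
    --
    -- Caveats for anyone using the output as a record of connection setup:
    --   * "tcp.flags == 0x02" compares the whole flags field, so a SYN that
    --     also carries other bits (for example ECN negotiation) is not
    --     matched. The per-bit fields tcp.flags.syn / tcp.flags.ack would be
    --     needed to catch those.
    --   * "tcp.flags == 0x10 && tcp.seq == 1" matches every bare ACK whose
    --     relative sequence number is still 1, not only the third frame of
    --     the handshake.
    local filter = "(tcp.flags == 0x02 && tcp.seq == 0) || "
        .. "(tcp.flags == 0x12 && tcp.seq == 0) || "
        .. "(tcp.flags == 0x10 && tcp.seq == 1)"

    -- Dumper writing to FILENAME; nil until the first matching packet arrives.
    local dumpfile

    local function init_listener()
        -- Listener.new([tap], [filter]) creates a new Listener.
        --   tap (optional)    : the name of this tap
        --   filter (optional) : a filter that, when it matches, gets
        --                       tap.packet called (nil = every packet)
        -- A Listener is called once for every packet that matches the filter.
        -- It can read the tree and the packet's Tvb, but it cannot add
        -- elements to the tree.
        local tap = Listener.new("frame", filter)

        -- listener.packet: called once for every packet that matches the
        -- Listener filter.
        --   pinfo : packet information (pinfo.number is the number of this
        --           packet in the current file)
        --   tvb   : the buffer to dissect
        --   ip    : tap data; unused here
        function tap.packet(pinfo, tvb, ip)
            -- The dumper is created on the first matching packet because
            -- Dumper.new_for_current() is called while a packet is current.
            if not dumpfile then
                dumpfile = Dumper.new_for_current(FILENAME)
            end
            -- dumper:dump_current() dumps the current packet as it is.
            dumpfile:dump_current()
        end

        -- listener.draw: called every few seconds to redraw GUI objects; in
        -- tshark it is called only at the very end of the capture file.
        function tap.draw()
            -- dumper:flush() writes all unsaved data of a dumper to the disk.
            -- The original called flush at script load time, before any
            -- dumper existed; flushing here runs once packets were written.
            if dumpfile then
                dumpfile:flush()
            end
        end

        -- listener.reset: described on this page as called at the end of the
        -- capture run.
        function tap.reset()
            -- The original closed an undefined variable named "dumper" at
            -- load time; the dumper that was actually opened is closed here,
            -- and only if one exists.
            if dumpfile then
                dumpfile:flush()
                dumpfile:close()
                dumpfile = nil
            end
        end
    end

    init_listener()
end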