0
votes

I am writing a Wireshark dissector. I want to show the dissection tree in the console.

So I tried:

tshark -V

It will show something like:

Frame 105: 69 bytes on wire (552 bits)...
    ...
Ethernet II, Src: Giga-Byt_97:b3:26 (e0:d5:5e:97:b3:26), Dst: Cradlepo_68:04:37 (00:e0:1c:68:04:37)
    ...
Internet Protocol Version 4, Src: 192.168.1.153, Dst: 192.168.1.99
    ...
Transmission Control Protocol, Src Port: 7555, Dst Port: 50555, Seq: 10182, Ack: 485, Len: 15
    ....
erlang term
    PackageLength: 11
    compressFlag: 0
    m_system_hb_toc(2) [SmallTuple: 2]
        time: 1589549432 [Int]

But only the last part is what i need:

erlang term
    PackageLength: 11
    compressFlag: 0
    m_system_hb_toc(2) [SmallTuple: 2]
        time: 1589549432 [Int]

I have tried with '-T fields' and the -e option, but cannot find anything that helps.

Here's my dissector's code:

local tcpPortLs = {7555}

local SIZE_LEN = 4  -- every PDU starts with a 4-byte big-endian length prefix
local pErlangExt = Proto("ErlangExt", "erlang term")
local fLen = ProtoField.uint32("ErlangExt.len", "PackageLength", base.DEC)
-- the flag is added as a number below, so it is declared as a numeric field rather than a string
local fCompressFlag = ProtoField.uint8("ErlangExt.compressFlag", "compressFlag", base.DEC)
local fBytes = ProtoField.bytes("ErlangExt.data", "PackageData", base.COLON)

pErlangExt.fields = {
    fLen,
    fBytes,
    fCompressFlag,
}

-- called by dissect_tcp_pdus once SIZE_LEN bytes are available: total PDU length = prefix + payload
local function msg_pdu_length(buf, pkt, offset)
    local size_tvbr = buf:range(offset, SIZE_LEN)
    local size = size_tvbr:uint()
    return size + SIZE_LEN
end

-- split a Tvb or TvbRange into its first n bytes and the remainder (nil when nothing is left)
local function _headBytes(n, dataBuf)
    local head = dataBuf:range(0, n)
    if dataBuf:len() == n then
        return head, nil
    end
    local tailDataBuf = dataBuf:range(n, dataBuf:len() - n)
    return head, tailDataBuf
end

-- adds the decoded term tree under the PackageData item (body omitted here)
local function _addToGroup(dataRoot, tree)
    -- ...
end

-- decodes the (optionally compressed) term data into a tree (body omitted here)
local function _calcMainTree(tupleDataBuf, zlibFlag)
    -- ...
end

-- dissects one complete PDU: length prefix, compress flag, then the term data
local function msg_proto_dissector(buf, pkt, root)
    local dataLenBuf, metaAndDataBytes = _headBytes(SIZE_LEN, buf)
    local detail = root:add(pErlangExt, buf)
    local dataLen = dataLenBuf:uint()
    detail:add(fLen, dataLenBuf, dataLen)
    local zlibFlagBuf, tupleDataBuf = _headBytes(1, metaAndDataBytes)
    local zlibFlag = zlibFlagBuf:uint()
    detail:add(fCompressFlag, zlibFlagBuf, zlibFlag)
    local dataRoot = detail:add(fBytes, tupleDataBuf)
    pkt.cols.protocol = "ErlangExt"
    local tree = _calcMainTree(tupleDataBuf, zlibFlag)
    _addToGroup(dataRoot, tree)
end

function pErlangExt.dissector(buf, pkt, root)
    local pktLen = buf:len()
    -- skip frames whose captured length is shorter than the length on the wire
    if pktLen ~= buf:reported_len() then
        return 0
    end
    -- let Wireshark reassemble PDUs that span TCP segments before msg_proto_dissector runs
    dissect_tcp_pdus(buf, root, SIZE_LEN, msg_pdu_length, msg_proto_dissector)
    return pktLen
end

local tcp_encap_table = DissectorTable.get("tcp.port")
for _, port in pairs(tcpPortLs) do
    tcp_encap_table:add(port, pErlangExt)
end

And the captured data is https://github.com/cmingjian/testData/blob/master/stage.pcapng

How can I display only the data that I need? Thanks.

1
Can you post a link to the packet capture? -T fields -e data may work if this is the data field. (Ross Jacobs)

Am I doing something wrong in "data field"? Here's my code and packet~~ testData (chenmingjian)

1 Answer

1
votes

Maybe tshark -O ErlangExt will provide you with the results you're seeking? You'll still get summary lines of all lower layers (Ethernet, IP, TCP), but only your ErlangExt data will be expanded.

From the tshark man page:

-O <protocols> Similar to the -V option, but causes TShark to only show a detailed view of the comma-separated list of protocols specified, and show only the top-level detail line for all other protocols, rather than a detailed view of all protocols. Use the output of "tshark -G protocols" to find the abbreviations of the protocols you can specify.
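Since -O still prints the one-line summaries of Frame, Ethernet, IP and TCP, here is an added example (not from the question, the answer, or Wireshark itself) that trims the tree output down to only the dissector's subtree. It relies on two properties of tshark's -V/-O output: frames are separated by a blank line, and child lines are indented while each protocol's top-level line starts in column one. Note that -O takes the filter name given to Proto() ("ErlangExt"), whereas the top-level line in the tree carries the description ("erlang term"), so the text filter matches on the latter. The sample output below is constructed from the lines quoted in the question (the second frame and the extra child lines are made up to show a frame without the protocol); run_tshark assumes tshark is on PATH and that the Lua file is loaded with -X lua_script:.

```python
import subprocess
import sys

# Constructed sample of `tshark -V` output, modelled on the lines quoted in the question.
SAMPLE_VERBOSE_OUTPUT = """\
Frame 105: 69 bytes on wire (552 bits), 69 bytes captured (552 bits)
    Encapsulation type: Ethernet (1)
Ethernet II, Src: Giga-Byt_97:b3:26 (e0:d5:5e:97:b3:26), Dst: Cradlepo_68:04:37 (00:e0:1c:68:04:37)
    Destination: Cradlepo_68:04:37 (00:e0:1c:68:04:37)
Internet Protocol Version 4, Src: 192.168.1.153, Dst: 192.168.1.99
    0100 .... = Version: 4
Transmission Control Protocol, Src Port: 7555, Dst Port: 50555, Seq: 10182, Ack: 485, Len: 15
    Source Port: 7555
erlang term
    PackageLength: 11
    compressFlag: 0
    m_system_hb_toc(2) [SmallTuple: 2]
        time: 1589549432 [Int]

Frame 106: 60 bytes on wire (480 bits), 60 bytes captured (480 bits)
Ethernet II, Src: Cradlepo_68:04:37 (00:e0:1c:68:04:37), Dst: Giga-Byt_97:b3:26 (e0:d5:5e:97:b3:26)
Internet Protocol Version 4, Src: 192.168.1.99, Dst: 192.168.1.153
Transmission Control Protocol, Src Port: 50555, Dst Port: 7555, Seq: 485, Ack: 10197, Len: 0
"""


def split_frames(text):
    """Split tshark tree output into per-frame line lists; tshark prints a blank line between frames."""
    frames, current = [], []
    for line in text.splitlines():
        if line.strip() == "":
            if current:
                frames.append(current)
                current = []
        else:
            current.append(line)
    if current:
        frames.append(current)
    return frames


def extract_protocol_tree(frame_lines, tree_label):
    """Return the subtree (top-level line plus its indented children) whose top-level line
    starts with tree_label, or [] when the frame does not carry that protocol."""
    subtree = []
    inside = False
    for line in frame_lines:
        top_level = not line.startswith(" ")
        if top_level:
            if inside:
                break  # the next protocol's summary line ends our subtree
            inside = line.startswith(tree_label)
        if inside:
            subtree.append(line)
    return subtree


def extract_all(text, tree_label):
    """Collect the subtree from every frame that carries the protocol; other frames are dropped."""
    trees = (extract_protocol_tree(frame, tree_label) for frame in split_frames(text))
    return [tree for tree in trees if tree]


def run_tshark(capture_path, lua_script, proto_abbrev="ErlangExt", tree_label="erlang term"):
    """Run tshark with the dissector loaded and only proto_abbrev expanded (-O), then keep
    just that protocol's subtree. Assumes tshark is on PATH (hypothetical file names are fine)."""
    cmd = ["tshark", "-r", capture_path, "-X", "lua_script:" + lua_script, "-O", proto_abbrev]
    output = subprocess.run(cmd, capture_output=True, text=True, check=True).stdout
    return extract_all(output, tree_label)


if __name__ == "__main__":
    if len(sys.argv) == 3:
        trees = run_tshark(sys.argv[1], sys.argv[2])
    else:
        trees = extract_all(SAMPLE_VERBOSE_OUTPUT, "erlang term")
    for tree in trees:
        print("\n".join(tree))
        print()
```

Run it with no arguments to see the filter applied to the embedded sample, or as `python3 show_tree.py stage.pcapng erlang_ext.lua` (file names assumed) to run tshark on the capture and print only the "erlang term" subtree of each frame that has one.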