Disclosure of Invention
The invention aims to provide a method and a system for generating a Wireshark message parsing plug-in, which solve the technical problems of the prior art.
The invention is realized by the following technical scheme:
in a first aspect, a method for generating a Wireshark message parsing plug-in according to an embodiment of the present invention includes:
acquiring a designed protocol hierarchy relation diagram;
analyzing the protocol hierarchy relation diagram with a hierarchy relation diagram analysis engine to obtain the associations and key content of field values between layers and within a layer, and analyzing a protocol design document with a protocol design document engine to obtain a field set;
taking the bit widths of the data types in the Wireshark plug-in as a reference set, processing the field bit widths according to a protocol field splitting algorithm, and marking the type and the mask of each field to obtain a field set mask;
constructing plug-in elements according to the field set mask;
and generating a protocol analysis plug-in according to the hierarchical relation graph, the protocol design document and the plug-in element.
In a second aspect, the system for generating the Wireshark message parsing plug-in provided by the embodiment of the invention comprises an acquisition module, a parsing module, a calculation module, a construction module and a generation module,
The acquisition module is used for acquiring a designed protocol hierarchy relation diagram;
the analysis module analyzes the protocol hierarchy relation diagram with a hierarchy relation diagram analysis engine to obtain the associations and key content of field values between layers and within a layer, and analyzes a protocol design document with a protocol design document engine to obtain a field set;
the calculation module takes the bit widths of the data types in the Wireshark plug-in as a reference set, processes the field bit widths according to a protocol field splitting algorithm, and marks the type and the mask of each field to obtain a field set mask;
the construction module constructs plug-in elements according to the field set mask;
And the generating module generates a protocol analysis plug-in according to the hierarchical relation graph, the protocol design document and the plug-in element.
Compared with the prior art, the invention has the following advantages and beneficial effects:
The Wireshark message analysis plug-in generation method and system provided by the embodiment of the invention have the following advantages. First, the plug-in is generated automatically by a Python program, so no Lua program has to be written by hand, which lowers the development threshold of the plug-in. Second, the protocol layer relation diagram simplifies the design flow of the protocol plug-in and makes the plug-in logic clearer. Third, the protocol field splitting algorithm resolves the pain point of complicated and diverse protocol designs with uncertain fields. Finally, the method is transparent to the protocol: a logical adjustment or a field change in the protocol design is handled by adjusting only the protocol design document and regenerating the protocol plug-in, so the plug-in becomes plug-and-play.
Detailed Description
For the purpose of making apparent the objects, technical solutions and advantages of the present invention, the present invention will be further described in detail with reference to the following examples and the accompanying drawings, wherein the exemplary embodiments of the present invention and the descriptions thereof are for illustrating the present invention only and are not to be construed as limiting the present invention.
Examples
As shown in fig. 1, a method for generating a Wireshark message parsing plug-in according to an embodiment of the present invention includes:
acquiring a designed protocol hierarchy relation diagram;
analyzing the protocol hierarchy relation diagram with a hierarchy relation diagram analysis engine to obtain the associations and key content of field values between layers and within a layer, and analyzing a protocol design document with a protocol design document engine to obtain a field set;
taking the bit widths of the data types in the Wireshark plug-in as a reference set, processing the field bit widths according to a protocol field splitting algorithm, and marking the type and the mask of each field to obtain a field set mask;
constructing plug-in elements according to the field set mask;
and generating a protocol analysis plug-in according to the hierarchical relation graph, the protocol design document and the plug-in element.
The method is driven by the protocol layer relation diagram and is developed around the processing of that diagram on the basis of the protocol design document.
First, fig. 2 shows the designed protocol hierarchy diagram. The protocol in this embodiment is built on Ethernet and is a layer-2 communication protocol. It comprises a protocol type, a private service header field, a private sub-service header field and a service body field, and the custom protocol Type value is used as the protocol identification number. The protocol field part is everything except the Ethernet header. In the protocol, the next-layer protocol may be determined by one or more field values in the upper-layer protocol structure, or jointly by a field of the upper layer and field values in the next layer. The protocol hierarchy relation diagram is highly flexible: it can describe a multi-layer protocol message and is also suitable for any nested hierarchy of a standard protocol, in which case only the fields of the upper-layer protocol part need to be specified.
Second, once the protocol hierarchy relation diagram is designed, an engine for analysing the protocol design document and an engine for the hierarchy relation diagram are written. Both engines are implemented in Python. The hierarchy relation diagram engine is responsible for analysing the associations and key content of field values between layers and within a layer, where the key content comprises field names, associated fields and values; the protocol design document engine is responsible for analysing the field set in the protocol design document, where the field set comprises field names, initial bit width and bit width information.
Third, the field set mask is calculated from the field set as follows.
The bit widths of the uint8, uint16, uint24, uint32 and uint64 data types in the Wireshark plug-in are taken as the reference set A, and a field stack S is initialised for storing the field set to be calculated. As shown in fig. 3, the detailed procedure is as follows:
First, the field bit width is subjected to reference splitting and compensation splitting according to the protocol field splitting algorithm.
The reference split operates as follows:
As the protocol fields are pushed onto the stack S in sequence, the bit widths of the fields in S and their sum total are calculated as follows, where n is the number of fields in the stack S.
If it is , the fields in the stack S are not split; the stack S is emptied and total is set to 0.
If it is , and the bit width of the stack top field is denoted x and the number of split segments n, the bit width f(n) of each segment is calculated as:
,
Wherein, is the 0-th field bit width, is the n-th field bit width, and is the largest value in the reference set A.
The compensation split operates as follows:
the field bit width y of the compensation split must satisfy the condition:
Once this condition is met, the compensation split algorithm is applied, in which the number of split segments is denoted n and the bit width f(n) of each segment is calculated as:
Second, the type and the mask of each field are marked. The reference splitting algorithm is still used, but the process differs, as follows.
After the protocol fields are pushed onto the stack S in sequence, the total bit width total of the fields in S is calculated in the same way as above.
If it is , the fields in the stack share a single data type whose bit width is total; the field elements occupy consecutive bit intervals of that data type in order from the stack bottom to the stack top, and the bits of a field's interval, set to 1, form the mask of the field. The data type and the mask then become new attributes of the field, the stack S and total are reset, and the next round of computation begins.
If it is , the field elements in the stack are kept and the stack waits for new fields to be pushed.
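The stack-based type and mask marking described above, as an added example that is not the patent's own code. It assumes the reference set A = {8, 16, 24, 32, 64} named in the text, and makes two assumptions the page leaves open because its formulas are not reproduced here: a field that would push total past max(A) is split so that the stack completes exactly max(A) bits (the compensation split), and fields left on the stack at the end of the protocol are padded to the next reference width. Segment names such as `payload_id_0` and the sample field set are constructed for the example.

```python
from collections import deque

REFERENCE_SET = (8, 16, 24, 32, 64)   # bit widths of uint8..uint64 in the Wireshark plug-in
MAX_WIDTH = max(REFERENCE_SET)

# Constructed field set (name, bit width) in wire order; not from the page.
SAMPLE_FIELDS = [("type", 8), ("ver", 3), ("svc", 5), ("length", 16),
                 ("flags", 4), ("seq", 12), ("payload_id", 72)]


def pack_fields(fields):
    """Walk the fields with a stack S and a running bit width `total`.
    Whenever `total` equals a width in A, every field on the stack shares
    that data type and receives a mask covering its own bit interval,
    laid out MSB-first from the stack bottom to the stack top.
    Returns dicts with name, bits, type, mask and the byte offset of the type."""
    pending = deque((name, width, None) for name, width in fields)
    stack, out = [], []
    total = 0      # bit width of everything currently on the stack
    consumed = 0   # bits already assigned to emitted data types

    def flush(type_width):
        nonlocal total, consumed
        shift = type_width
        for name, width in stack:
            shift -= width
            out.append({"name": name, "bits": width, "type": f"uint{type_width}",
                        "mask": ((1 << width) - 1) << shift,
                        "offset": consumed // 8})
        consumed += type_width
        stack.clear()
        total = 0

    while pending:
        name, width, part = pending.popleft()
        if total + width > MAX_WIDTH:
            # Compensation split (assumed form): keep only the bits that complete
            # max(A) on this stack and re-queue the remainder as the next segment.
            head = MAX_WIDTH - total
            part = 0 if part is None else part
            pending.appendleft((name, width - head, part + 1))
            width = head
        label = name if part is None else f"{name}_{part}"
        stack.append((label, width))
        total += width
        if total in REFERENCE_SET:
            flush(total)
    if stack:
        # Trailing fields never reached a reference width: pad to the next one (assumption).
        flush(min(a for a in REFERENCE_SET if a >= total))
    return out


if __name__ == "__main__":
    for entry in pack_fields(SAMPLE_FIELDS):
        print(f'{entry["name"]:14} {entry["type"]:7} offset={entry["offset"]:2} '
              f'mask={entry["mask"]:#x}')
```

Running the block on the sample set shows the two behaviours the text distinguishes: `ver` (3 bits) stays on the stack until `svc` (5 bits) brings the total to 8, so both share `uint8` with masks `0xe0` and `0x1f`, while the 72-bit `payload_id` is split into a 64-bit segment and an 8-bit segment.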
Fourth, plug-in elements such as the field set and the logic judgments are constructed according to the field set mask.
First, the field names, data types and mask attributes of the protocol fields are defined to complete the field definitions of the plug-in; second, the logic judgment conditions of each protocol layer are generated according to the protocol layer relation diagram and the associated fields, and the logic judgment conditions of the fields of that layer are supplemented; finally, the fields are added to the whole protocol chain in sequence according to their bit offsets.
At this point the Python code is complete, that is, the protocol plug-in generation tool has been built.
Fifth, the protocol analysis plug-in is generated: the protocol layer relation diagram and the protocol design document are placed in the directory of the generation tool, and running the tool produces a protocol analysis plug-in file with the .lua suffix.
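The three plug-in elements of the fourth step, rendered as Lua text in the way the fifth step's tool would emit them, as an added example that is not the patent's generator. It assumes a field set mask that has already been typed and masked (the constructed `SAMPLE_FIELDS` table), a private protocol carried directly on Ethernet under the constructed EtherType 0x88B5, child layers that are registered Wireshark dissectors looked up by name, and that Wireshark accepts a hex string as the mask of a uint64 field; the names `myproto`, `myproto_sub_a` and `myproto_sub_b` are placeholders.

```python
SAMPLE_PROTO = "myproto"          # constructed private protocol name
SAMPLE_ETHERTYPE = 0x88B5         # constructed: IEEE local-experimental EtherType
# Constructed field set mask: name, bit width, Wireshark type, mask, byte offset of the type.
SAMPLE_FIELDS = [
    {"name": "type",   "bits": 8,  "type": "uint8",  "mask": 0xff,   "offset": 0},
    {"name": "ver",    "bits": 3,  "type": "uint8",  "mask": 0xe0,   "offset": 1},
    {"name": "svc",    "bits": 5,  "type": "uint8",  "mask": 0x1f,   "offset": 1},
    {"name": "length", "bits": 16, "type": "uint16", "mask": 0xffff, "offset": 2},
]
# Constructed hierarchy rules: (selector field, value, child dissector name).
SAMPLE_NEXT_LAYER = [("svc", 1, "myproto_sub_a"), ("svc", 2, "myproto_sub_b")]


def type_bytes(field):
    return int(field["type"][4:]) // 8          # "uint16" -> 2


def lua_mask(field):
    # Assumption: integer masks for <= 32-bit types; a hex string for uint64,
    # because a plain Lua number loses precision above 2^53.
    if field["type"] == "uint64":
        return f'"{field["mask"]:x}"'
    return f'{field["mask"]:#x}'


def render_lua(proto, desc, ethertype, fields, next_layer):
    """Emit the field definitions (name, type, mask), the per-layer logic
    judgment that hands the payload to the next layer, and the fields added
    to the tree in bit-offset order."""
    out = [f'local p = Proto("{proto}", "{desc}")']
    for f in fields:
        out.append(f'local f_{f["name"]} = ProtoField.{f["type"]}('
                   f'"{proto}.{f["name"]}", "{f["name"]}", base.HEX, nil, {lua_mask(f)})')
    out.append("p.fields = { " + ", ".join(f'f_{f["name"]}' for f in fields) + " }")
    hdr_len = max(f["offset"] + type_bytes(f) for f in fields)   # header length in bytes
    out += ["", "function p.dissector(buf, pinfo, tree)",
            f'  pinfo.cols.protocol = "{desc}"',
            f"  local t = tree:add(p, buf(0, {hdr_len}))"]
    for f in fields:   # Wireshark applies the mask and shift of a masked ProtoField itself
        out.append(f'  t:add(f_{f["name"]}, buf({f["offset"]}, {type_bytes(f)}))')
    by_name = {f["name"]: f for f in fields}
    for sel, value, child in next_layer:
        f = by_name[sel]
        shift = (f["mask"] & -f["mask"]).bit_length() - 1   # trailing zero bits of the mask
        pos = int(f["type"][4:]) - f["bits"] - shift         # bit position counted from the MSB
        out += [f'  if buf({f["offset"]}, {type_bytes(f)}):bitfield({pos}, {f["bits"]}) == {value} then',
                f'    Dissector.get("{child}"):call(buf({hdr_len}):tvb(), pinfo, tree)',
                "    return", "  end"]
    out += [f'  Dissector.get("data"):call(buf({hdr_len}):tvb(), pinfo, tree)', "end", "",
            f'DissectorTable.get("ethertype"):add({ethertype:#x}, p)']
    return "\n".join(out) + "\n"


def render_sample():
    return render_lua(SAMPLE_PROTO, "My Private Protocol", SAMPLE_ETHERTYPE,
                      SAMPLE_FIELDS, SAMPLE_NEXT_LAYER)


if __name__ == "__main__":
    print(render_sample())
```

The generated text can be saved with the .lua suffix and copied into the Wireshark plug-in directory; a field change in the protocol design only changes the input table, and re-running the script regenerates the dissector, which is the transparency the text describes.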
As shown in fig. 4, the protocol analysis plug-in is applied as follows. A Wireshark runtime environment is prepared on a PC, and the generated analysis plug-in is copied to the Wireshark plug-in directory. Wireshark is then started to capture, through the network card, the protocol messages sent from server A, and it judges whether each captured message is a target protocol message. If so, the protocol analysis plug-in dissects the message and the result is displayed dynamically in the Wireshark graphical interface; if not, the message is dissected by a built-in protocol.
The Wireshark message analysis plug-in generation method provided by the embodiment of the invention has the following advantages. First, the plug-in is generated automatically by a Python program, so no Lua program has to be written by hand, which lowers the development threshold of the plug-in. Second, the protocol layer relation diagram simplifies the design flow of the protocol plug-in and makes the plug-in logic clearer. Third, the protocol field splitting algorithm resolves the pain point of complicated and diverse protocol designs with uncertain fields. Finally, the method is transparent to the protocol: a logical adjustment or a field change in the protocol design is handled by adjusting only the protocol design document and regenerating the protocol plug-in, so the plug-in becomes plug-and-play.
As shown in FIG. 5, the system for generating a Wireshark message parsing plug-in provided by another embodiment of the invention comprises an acquisition module, a parsing module, a calculation module, a construction module and a generation module. The acquisition module acquires a designed protocol hierarchy relation diagram. The parsing module analyzes the protocol hierarchy relation diagram with a hierarchy relation diagram analysis engine to obtain the associations and key content of field values between layers and within a layer, and analyzes a protocol design document with a protocol design document engine to obtain a field set. The calculation module takes the bit widths of the data types in the Wireshark plug-in as a reference set, processes the field bit widths according to a protocol field splitting algorithm, and marks the type and the mask of each field to obtain a field set mask. The construction module constructs plug-in elements according to the field set mask, and the generation module generates a protocol parsing plug-in according to the hierarchy relation diagram, the protocol design document and the plug-in elements.
The key content comprises a field name, an associated field and a value, and the field set comprises the field name, a start bit width and bit width information.
The calculation module comprises a reference set unit, a reference splitting unit and a compensation splitting unit. The reference set unit takes the bit widths of the uint8, uint16, uint24, uint32 and uint64 data types in the Wireshark plug-in as the reference set A, and initialises a field stack S for storing the field set to be calculated;
the reference splitting unit calculates the total bit width total of the fields in the stack S as the protocol fields are pushed onto S in sequence, using the formula:
,
wherein n is the number of fields in the stack S;
if it is , the fields in the stack S are not split, the stack S is emptied and total is set to 0;
if it is , and the bit width of the stack top field is denoted x and the number of split segments n, the bit width f(n) of each segment is calculated as:
wherein, is the 0-th field bit width, is the n-th field bit width, and is the largest value in the reference set A.
The compensation splitting unit judges whether the field bit width y satisfies the condition:
;
if so, the compensation splitting algorithm is applied, in which the number of split segments is denoted n and the bit width f(n) of each segment is calculated as:
.
The calculation module further comprises a marking unit for marking the type and the mask of each field. Specifically, after the total bit width of the fields in the stack S has been calculated: if it is , the fields in the stack share a single data type whose bit width is total, the field elements occupy consecutive bit intervals of that data type in order from the stack bottom to the stack top, the bits of a field's interval set to 1 form the mask of the field, the data type and the mask become new attributes of the field, and the stack S and total are reset before the next round of calculation; if it is , the field elements in the stack are kept and the stack waits for new fields to be pushed.
The construction module constructs plug-in elements according to the field set mask as follows:
generating the logic judgment conditions of each protocol layer according to the protocol layer relation diagram and the associated fields, and supplementing the logic judgment conditions of the fields of that layer;
adding the fields to the whole protocol chain in sequence according to their bit offsets.
The Wireshark message analysis plug-in generation system provided by the embodiment of the invention has the following advantages. First, the plug-in is generated automatically by a Python program, so no Lua program has to be written by hand, which lowers the development threshold of the plug-in. Second, the protocol layer relation diagram simplifies the design flow of the protocol plug-in and makes the plug-in logic clearer. Third, the protocol field splitting algorithm resolves the pain point of complicated and diverse protocol designs with uncertain fields. Finally, the system is transparent to the protocol: a logical adjustment or a field change in the protocol design is handled by adjusting only the protocol design document and regenerating the protocol plug-in, so the plug-in becomes plug-and-play.
The foregoing description of the embodiments is provided to illustrate the general principles of the invention and is not intended to limit the invention to the particular embodiments; any modifications, equivalents, improvements, etc. that fall within the spirit and principles of the invention are intended to be included within the scope of the invention.