1. Tshark模块

1.1 打开capture文件

  • 调用cf_open函数
    • 调用wtap_open_offline函数
      • 首先获得一个wtap struct
      • 调用libpcap_open函数,读取给定pcap文件的文件头信息,总共28个字节
      • 为wtap的frame_buffer结构体的buffer部分分配最大空间1500字节,然后返回给定pcap文件的wtap信息
    • 调用epan_free函数
      • conversation(epan_conversation_cleanup())
      • circuits(epan_circuit_cleanup())
      • protocol-specific variables(g_slist_foreach(cleanup_routines, &call_routine, NULL))
      • stream-handling tables(stream_cleanup())
      • expert infos(expert_packet_cleanup())
    • 调用tshark_epan_new函数,初始化后续解析工作中要用到的所有数据(同epan_free内容)
  • pcap包解析调用堆栈 
  1. #0 libpcap_open at file_access.c:901
  2. #1 wtap_open_offline at tshark.c:3995
  3. #2 cf_open at tshark.c:1999
  4. #3 real_main at cli_main.c:71
  • pcap包解析步骤

1.2 加载capture文件

  • 调用process_cap_file函数
    • 调用wtap_dump_open函数
      • 获取wtap_dump结构体
    • 调用wtap_read函数
      • 调用wtap结构中的subtype_read指向的函数,即libpcap_read()函数,读取下一个数据包数据
      • 调用pcap_process_pseudo_header函数处理该数据包的pseudo_header信息,主要是确定FCS的长度
      • 调用buffer_assure_space函数确保wtap结构中的frame_buffer中分配的空间足够容纳正在读取的数据包的大小,如果不够,则需要把frame_buffer中已经用掉的空间中存放的内容移到frame_buffer的前面,然后在分配1024个字节给frame_buffer,并返回
      • 调用pcap_read_post_process函数,根据wtap_encap值,确定pseudo_header的eth.fcs_len的大小
    • 调用process_packet_first_pass函数
      • 调用frame_data_init函数初始化该数据包的帧数据结构,包括记录数据包头信息等
      • ?调用epan_dissect_init函数
      • 判断是否设置有读过滤器,有则调用epan_dissect_prime_dfilter函数
      • ?调用tap_queue_init函数初始化tap queue
      • 调用frame_data_set_before_dissect函数进行解析前的帧数据设置操作
      • 调用epan_dissect_run函数,开始真正解析
        • 调用col_init函数初始化该结构体
        • ?调用tvb_new_real_data函数,根据数据包长度,分配一个tvbuff_t的数据结构空间,并调用tvb_set_real_data_no_exceptions函数,为刚申请的tvbuff_t空间赋值,然后返回其指针
        • 调用 add_new_data_source函数,申请一片data_source结构的空间,并把上一步骤中得到的tvbuff_t指针赋给data_source的tvb属性,最后把这个data_source空间的指针添加到data_source结构体的列表中
        • 调用call_dissector_with_data函数解析当前数据包的数据。该函数首先根据给定的handle(frame_handle)进行解析,如果失败,再利用data_handle进行解析。不管是用frame_handle还是用data_handle,都是通过调用call_dissector_work 函数完成(该函数又调用call_dissector_through_handle函数完成)
      • 如果cf->rfcode不为空,调用dfilter_apply_edt读过滤函数
      • 调用frame_data_set_after_dissect函数为解析后的帧数据进行必要的设置,包括记录总的数据包字节数,以及设置上一个包的显示时间prev_dis_ts为当前解析包的时间
    • 调用process_packet_second_pass函数
    • 调用process_packet_single_pass函数
    • 调用wtap_dump函数
      • 调用pcapng_dump函数
  • 调用堆栈
  1. #0 process_cap_file at tshark.c:2027
  2. #1 real_main at cli_main.c:71

2. Tshark数据结构

  1. typedef struct _packet_info {
  2.   const char *current_proto;        /**< name of protocol currently being dissected */
  3.   struct epan_column_info *cinfo;   /**< Column formatting information */
  4.   guint32 presence_flags;           /**< Presence flags for some items */
  5.   guint32 num;                      /**< Frame number */
  6.   nstime_t abs_ts;                  /**< Packet absolute time stamp */
  7.   nstime_t rel_ts;                  /**< Relative timestamp (yes, it can be negative) */
  8.   frame_data *fd;
  9.   union wtap_pseudo_header *pseudo_header;
  10.   wtap_rec *rec;                    /**< Record metadata */
  11.   GSList *data_src;                 /**< Frame data sources */
  12.   address dl_src;                   /**< link-layer source address */
  13.   address dl_dst;                   /**< link-layer destination address */
  14.   address net_src;                  /**< network-layer source address */
  15.   address net_dst;                  /**< network-layer destination address */
  16.   address src;                      /**< source address (net if present, DL otherwise )*/
  17.   address dst;                      /**< destination address (net if present, DL otherwise )*/
  18.   guint32 vlan_id;                  /**< First encountered VLAN Id if present otherwise 0 */
  19.   const char *noreassembly_reason;  /**< reason why reassembly wasn't done, if any */
  20.   gboolean fragmented;              /**< TRUE if the protocol is only a fragment */
  21.   struct {
  22.     guint32 in_error_pkt:1;         /**< TRUE if we're inside an {ICMP,CLNP,...} error packet */
  23.     guint32 in_gre_pkt:1;           /**< TRUE if we're encapsulated inside a GRE packet */
  24.   } flags;
  25.   port_type ptype;                  /**< type of the following two port numbers */
  26.   guint32 srcport;                  /**< source port */
  27.   guint32 destport;                 /**< destination port */
  28.   guint32 match_uint;               /**< matched uint for calling subdissector from table */
  29.   const char *match_string;         /**< matched string for calling subdissector from table */
  30.   gboolean use_endpoint;            /**< TRUE if endpoint member should be used for conversations */
  31.   struct endpoint* conv_endpoint;   /**< Data that can be used for conversations */
  32.   guint16 can_desegment;            /**< >0 if this segment could be desegmented.
  33.                                          A dissector that can offer this API (e.g.
  34.                                          TCP) sets can_desegment=2, then
  35.                                          can_desegment is decremented by 1 each time
  36.                                          we pass to the next subdissector. Thus only
  37.                                          the dissector immediately above the
  38.                                          protocol which sets the flag can use it*/
  39.   guint16 saved_can_desegment;      /**< Value of can_desegment before current
  40.                                          dissector was called.  Supplied so that
  41.                                          dissectors for proxy protocols such as
  42.                                          SOCKS can restore it, allowing the
  43.                                          dissectors that they call to use the
  44.                                          TCP dissector's desegmentation (SOCKS
  45.                                          just retransmits TCP segments once it's
  46.                                          finished setting things up, so the TCP
  47.                                          desegmentor can desegment its payload). */
  48.   int desegment_offset;             /**< offset to stuff needing desegmentation */
  49. #define DESEGMENT_ONE_MORE_SEGMENT 0x0fffffff
  50. #define DESEGMENT_UNTIL_FIN        0x0ffffffe
  51.   guint32 desegment_len;            /**< requested desegmentation additional length
  52.                                        or
  53.                                        DESEGMENT_ONE_MORE_SEGMENT:
  54.                                          Desegment one more full segment
  55.                                          (warning! only partially implemented)
  56.                                        DESEGMENT_UNTIL_FIN:
  57.                                          Desgment all data for this tcp session
  58.                                          until the FIN segment.
  59.                                     */
  60.   guint16 want_pdu_tracking;    /**< >0 if the subdissector has specified
  61.                                    a value in 'bytes_until_next_pdu'.
  62.                                    When a dissector detects that the next PDU
  63.                                    will start beyond the start of the next
  64.                                    segment, it can set this value to 2
  65.                                    and 'bytes_until_next_pdu' to the number of
  66.                                    bytes beyond the next segment where the
  67.                                    next PDU starts.
  69.                                    If the protocol dissector below this
  70.                                    one is capable of PDU tracking it can
  71.                                    use this hint to detect PDUs that starts
  72.                                    unaligned to the segment boundaries.
  73.                                    The TCP dissector is using this hint from
  74.                                    (some) protocols to detect when a new PDU
  75.                                    starts in the middle of a tcp segment.
  77.                                    There is intelligence in the glue between
  78.                                    dissector layers to make sure that this
  79.                                    request is only passed down to the protocol
  80.                                    immediately below the current one and not
  81.                                    any further.
  82.                                 */
  83.   guint32 bytes_until_next_pdu;
  85.   int     p2p_dir;              /**< Packet was captured as an
  86.                                        outbound (P2P_DIR_SENT)
  87.                                        inbound (P2P_DIR_RECV)
  88.                                        unknown (P2P_DIR_UNKNOWN) */
  90.   GHashTable *private_table;    /**< a hash table passed from one dissector to another */
  92.   wmem_list_t *layers;      /**< layers of each protocol */
  93.   guint8 curr_layer_num;       /**< The current "depth" or layer number in the current frame */
  94.   guint16 link_number;
  96.   guint16 clnp_srcref;          /**< clnp/cotp source reference (can't use srcport, this would confuse tpkt) */
  97.   guint16 clnp_dstref;          /**< clnp/cotp destination reference (can't use dstport, this would confuse tpkt) */
  99.   int link_dir;                 /**< 3GPP messages are sometime different UP link(UL) or Downlink(DL) */
  101.   GSList* proto_data;          /**< Per packet proto data */
  103.   GSList* dependent_frames;     /**< A list of frames which this one depends on */
  105.   GSList* frame_end_routines;
  107.   wmem_allocator_t *pool;      /**< Memory pool scoped to the pinfo struct */
  108.   struct epan_session *epan;
  109.   const gchar *heur_list_name;    /**< name of heur list if this packet is being heuristically dissected */
  110. } packet_info;