Difference between revisions of "Jmirror"
From neil.tappsville.com
Latest revision as of 07:41, 12 August 2019
Add the script below to %appdata%\Roaming\Wireshark\plugins\3.0. It replaces the built-in Jmirror dissector with some crude logic so that Jmirror frames containing VLAN tags are dissected as well.

Supports:
- VLAN Session = VLAN-tagged Ethernet frames
- DHCP Session = IP frames

```lua
-- The stock Wireshark Jmirror dissector doesn't decode Jmirror packets that
-- contain VLAN headers; this version adds the extra check.
-- neil 20190712
p_jmirror2 = Proto("JMIRROR2", "Jmirror Packet Mirror")

-- True if the byte looks like the first byte of an IPv4 header
-- (version 4, IHL >= 5) or of an IPv6 header (version 6).
local function looks_like_ip(b)
  return (b >= 0x45 and b < 0x50) or (b >= 0x60 and b < 0x70)
end

-- Hand the remaining bytes to the IPv4 or IPv6 dissector according to the
-- version nibble (calling "ip" for both would mis-dissect v6 packets).
local function dissect_ip(tvb, pkt, root)
  local name = (tvb(0,1):uint() >= 0x60) and "ipv6" or "ip"
  Dissector.get(name):call(tvb, pkt, root)
end

function p_jmirror2.dissector(buf, pkt, root)
  -- need at least the 8-byte Jmirror header (MID + SID), otherwise quit
  if buf:len() < 8 then return end
  pkt.cols.protocol = p_jmirror2.name
  local subtree = root:add(p_jmirror2, buf(0,8))
  local curpos = 0

  local chunk = buf(curpos,4)
  subtree:append_text(" MID: 0x" .. chunk .. " (" .. chunk:uint() .. "),")
  subtree:add(chunk, " JMirror Identifier: 0x" .. chunk .. " (" .. chunk:uint() .. ")")
  curpos = curpos + 4

  chunk = buf(curpos,4)
  subtree:append_text(" SID: 0x" .. chunk .. " (" .. chunk:uint() .. "),")
  subtree:add(chunk, " Session Identifier: 0x" .. chunk .. " (" .. chunk:uint() .. ")")
  curpos = curpos + 4

  -- Check whether the next byte starts an IPv4/IPv6 header (DHCP session).
  -- If not, skip 22 bytes (2 x MAC + SVID tag + CVID tag + EtherType) and
  -- check again; a hit there means a VLAN-tagged Ethernet frame (VLAN session).
  local rest = buf(curpos, buf:len() - curpos):tvb()
  if looks_like_ip(buf(curpos,1):uint()) then
    dissect_ip(rest, pkt, root)
  elseif buf:len() > curpos + 22 and looks_like_ip(buf(curpos + 22,1):uint()) then
    subtree:append_text(" contains VLAN tags")
    -- 0x0001 = WTAP_ENCAP_ETHERNET: dissect the remainder as an Ethernet frame
    local eth = DissectorTable.get("wtap_encap"):get_dissector(0x0001)
    eth:call(rest, pkt, root)
  end
end

-- Initialization routine (nothing to reset)
function p_jmirror2.init() end

-- Take over UDP port 30742 from the built-in Jmirror dissector. The previous
-- dissector is kept so it can be called from p_jmirror2.dissector if wanted.
local udp_dissector_table = DissectorTable.get("udp.port")
local previous_dissector = udp_dissector_table:get_dissector(30742)
udp_dissector_table:add(30742, p_jmirror2)
```
An even more crude method: use editcap to chop off the outer encapsulation (the first 50 bytes, i.e. 14 bytes Ethernet + 20 bytes IPv4 + 8 bytes UDP + 8 bytes Jmirror header, assuming an untagged outer frame) and set the link type to match what is left.

- DHCP Session (what remains is a raw IP packet)
"c:\Program Files\Wireshark\editcap.exe" -C 50 -T rawip dhcp.pcap chopped.pcap
- VLAN Session (what remains is an Ethernet frame)
"c:\Program Files\Wireshark\editcap.exe" -C 50 -T ether vlan.pcap chopped.pcap
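To see what the dissector's heuristic and the editcap chop are doing to the bytes, here is a stand-alone Python parser. It is an added example, not code from this wiki page or from Wireshark: it applies the same 8-byte header layout (MID, SID) and the same "does the next byte look like an IP header, if not skip 22 bytes and look again" test to two constructed sample payloads, one per session type. The constant OUTER_CHOP_LEN shows where the 50 in the editcap commands comes from, assuming an untagged Ethernet/IPv4/UDP outer frame. The sample bytes, MIDs, SIDs, MAC addresses and VLAN IDs are made up.

```python
import struct

# Layout taken from the dissector: 4-byte Mirror ID + 4-byte Session ID, then
# either a raw IP packet (DHCP session) or an Ethernet frame carrying two VLAN
# tags (VLAN session). The 22-byte skip is 2 MACs + S-tag + C-tag + EtherType.
JMIRROR_HDR_LEN = 8
VLAN_ETH_HDR_LEN = 22

# Bytes the editcap one-liners remove, assuming an untagged outer frame:
# Ethernet (14) + IPv4 without options (20) + UDP (8) + Jmirror header (8).
OUTER_CHOP_LEN = 14 + 20 + 8 + JMIRROR_HDR_LEN


def ip_version(first_byte):
    """Same heuristic as the dissector: 4 if version 4 with IHL >= 5, 6 if version 6, else None."""
    if 0x45 <= first_byte < 0x50:
        return 4
    if 0x60 <= first_byte < 0x70:
        return 6
    return None


def parse_jmirror(payload):
    """Classify a Jmirror UDP payload and return header fields plus the inner packet."""
    if len(payload) < JMIRROR_HDR_LEN:
        raise ValueError("payload shorter than the 8-byte Jmirror header")
    mid, sid = struct.unpack("!II", payload[:JMIRROR_HDR_LEN])
    body = payload[JMIRROR_HDR_LEN:]
    info = {"mid": mid, "sid": sid, "session": "unknown", "ip_version": None,
            "vlans": (), "inner": b""}

    if body and ip_version(body[0]):
        # DHCP session: the mirrored packet starts straight at the IP header.
        info.update(session="DHCP", ip_version=ip_version(body[0]), inner=body)
    elif len(body) > VLAN_ETH_HDR_LEN and ip_version(body[VLAN_ETH_HDR_LEN]):
        # VLAN session: dst MAC, src MAC, outer tag, inner tag, EtherType, then IP.
        dst, src = body[0:6], body[6:12]
        _, s_tci, _, c_tci, ethertype = struct.unpack("!HHHHH", body[12:VLAN_ETH_HDR_LEN])
        info.update(session="VLAN",
                    ip_version=ip_version(body[VLAN_ETH_HDR_LEN]),
                    vlans=(s_tci & 0x0FFF, c_tci & 0x0FFF),  # 12-bit VIDs
                    ethertype=ethertype,
                    dst_mac=dst.hex(":"), src_mac=src.hex(":"),
                    inner=body[VLAN_ETH_HDR_LEN:])
    return info


# Constructed sample payloads (made up for this example, not captured traffic).
_IPV4_STUB = bytes.fromhex("4500001c0001000040110000c0a80101c0a80102")  # minimal 20-byte IPv4 header
SAMPLE_DHCP = struct.pack("!II", 0x00000001, 0x00000002) + _IPV4_STUB
SAMPLE_VLAN = (struct.pack("!II", 0x00000003, 0x00000004)
               + bytes.fromhex("001122334455") + bytes.fromhex("66778899aabb")  # dst, src MAC
               + struct.pack("!HH", 0x8100, 100)   # S-tag, VID 100
               + struct.pack("!HH", 0x8100, 200)   # C-tag, VID 200
               + struct.pack("!H", 0x0800)         # EtherType IPv4
               + _IPV4_STUB)

if __name__ == "__main__":
    for name, sample in (("dhcp", SAMPLE_DHCP), ("vlan", SAMPLE_VLAN)):
        print(name, parse_jmirror(sample))
```

Running it prints the two classifications; the VLAN sample reports VIDs 100 and 200 and an inner packet that starts at the IPv4 header, which is exactly the byte the dissector finds 22 bytes past the Jmirror header.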