Packet analysis with mruby on Wireshark - dRuby as example

.JTBLJ4IJPJ [email protected]

4FQ
3VCZ,BJHJ
1BDLFUBOBMZTJTXJUINSVCZPO8JSFTIBSL
E3VCZBTFYBNQMF

View Slide

"CPVUNF
(JU)VC!TIJPJNN
[email protected]
8FCBQQMJDBUJPOEFWFMPQFS
.FNCFSPG"TBLVTBSC'VLVPLBSC
8BTBTQFBLFSBU3VCZ,BJHJ5BLFPVU
5PZDPM%F
fi
OFZPVSPXOBQQMJDBUJPOQSPUPDPM
[email protected]

View Slide

"OE*BNJOUFSFTUFEJODPNQVUFSOFUXPSLT
BOEBNBIPCCZVTFSPG8JSFTIBSL

View Slide

"CPVU8JSFTIBSL
8JSFTIBSLJTBXJEFMZVTFEOFUXPSLQBDLFUBOBMZ[FS

"OFUXPSLQBDLFUBOBMZ[FSJTʜ
4PGUXBSFUPBOBMZ[FQBDLFUT
fl
PXJOHPWFSBOFUXPSL
BOEEJTQMBZUIFNJOIVNBOSFBEBCMFGPSNBU

View Slide

"CPVU8JSFTIBSL
[email protected]@TDSFFOTIPUQOH

View Slide

"CPVU8JSFTIBSL
[email protected]@TDSFFOTIPUQOH
5IFl1BDLFU%FUBJMTzQBOF
5IFl1BDLFU#ZUFTzQBOF
5IFl1BDLFU-JTUzQBOF

View Slide

8JSFTIBSLTVQQPSUTNBOZDPNNPOOFUXPSL
QSPUPDPMTCZEFGBVMU
FH&UIFSOFU** *1
5$1
%/4 5-4 26*$ )551ʜ
1BDLFUBOBMZTJTXJUIQSPUPDPMEJTTFDUPST

View Slide

5PBOBMZ[FQBDLFUTGPSUIFTFQSPUPDPMT
8JSFTIBSLIBTCVJMUJONPEVMFTGPSFBDIPGUIFN
XIJDIBSFDBMMFElQSPUPDPMEJTTFDUPSTz
1BDLFUBOBMZTJTXJUIQSPUPDPMEJTTFDUPST

View Slide

28IBUJG*XBOUUPBOBMZ[FQBDLFUTGPSBQSPUPDPM
UIBU8JSFTIBSLEPFTOPUTVQQPSUCZEFGBVMU
":PVDBODSFBUFZPVSPSJHJOBMEJTTFDUPS
BOEJODMVEFJUJOUP8JSFTIBSL
UPBOBMZ[FQBDLFUTGPSUIBUQSPUPDPM

View Slide

28IBUJG*XBOUUPBOBMZ[FQBDLFUTGPSBQSPUPDPM
UIBU8JSFTIBSLEPFTOPUTVQQPSUCZEFGBVMU
":PVDBODSFBUFZPVSPXOEJTTFDUPS
BOEJODMVEFJUJOUP8JSFTIBSL
UPBOBMZ[FQBDLFUTGPSUIBUQSPUPDPM

View Slide

8JSFTIBSL%FWFMPQFST(VJEFJODMVEFTBUVUPSJBMGPS
EFWFMPQJOHZPVSPXOEJTTFDUPS
'PSEFWFMPQJOHZPVSPXOEJTTFDUPST
[email protected]@DIVOLFE$IBQUFS%JTTFDUJPOIUNM

View Slide

'PSFYBNQMF IFSFJTBQSPUPDPMOBNFE'PP
'PPQBDLFUIBTBTUSVDUVSFJOUIJTGPSNBU
Y Y Y Y YG Y Y Y
5ZQF
'MBHT
4FRVFODF/VNCFS
*OJUJBM*1"EESFTT

View Slide

#include "con
fi
g.h"

#include

#de
fi
ne FOO_PORT 30000

static int proto_foo = -1;

static int hf_foo_pdu_type = -1;

static int hf_foo_
fl
ags = -1;

static int hf_foo_sequenceno = -1;

static int hf_foo_initialip = -1;

static gint ett_foo = -1;

static const value_string packettypenames[] = {

{ 1, "Initialise" }, { 2, "Terminate" }, { 3, "Data" }, { 0, NULL }

};

static int dissect_foo(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree _U_, void *data _U_)

{

col_set_str(pinfo->cinfo, COL_PROTOCOL, "FOO");

col_clear(pinfo->cinfo,COL_INFO);

proto_item *ti = proto_tree_add_item(tree, proto_foo, tvb, 0, -1, ENC_NA);

proto_tree *foo_tree = proto_item_add_subtree(ti, ett_foo);

gint offset = 0;

proto_tree_add_item(foo_tree, hf_foo_pdu_type, tvb, offset, 1, ENC_BIG_ENDIAN);

offset += 1;

proto_tree_add_item(foo_tree, hf_foo_
fl
ags, tvb, offset, 1, ENC_BIG_ENDIAN);

offset += 1;

proto_tree_add_item(foo_tree, hf_foo_sequenceno, tvb, offset, 2, ENC_BIG_ENDIAN);

offset += 2;

proto_tree_add_item(foo_tree, hf_foo_initialip, tvb, offset, 4, ENC_BIG_ENDIAN);

offset += 4;

return tvb_captured_length(tvb);

}

void proto_register_foo(void)

{

static hf_register_info hf[] = {

{ &hf_foo_pdu_type, { "FOO PDU Type", "foo.type", FT_UINT8, BASE_DEC, VALS(packettypenames), 0x0, NULL, HFILL } },

//…

};

static gint *ett[] = { &ett_foo };

proto_foo = proto_register_protocol("FOO Protocol", "FOO", "foo");

proto_register_
fi
eld_array(proto_foo, hf, array_length(hf));

proto_register_subtree_array(ett, array_length(ett));

}

void proto_reg_handoff_foo(void)

{

static dissector_handle_t foo_handle = create_dissector_handle(dissect_foo, proto_foo);

dissector_add_uint("tcp.port", FOO_PORT, foo_handle);

}
'PMMPXJOHUIF8JSFTIBSLUVUPSJBM ZPVDBOEFWFMPQBEJTTFDUPS
UPBOBMZ[F'PPQSPUPDPMQBDLFUTMJLFUIJT

View Slide

#ZJODMVEJOHUIJT'PPEJTTFDUPSJOUP8JSFTIBSL
UIF'PPQSPUPDPMQBDLFUDBOCFBOBMZ[FEMJLFUIJT
5ZQF
'MBHT
4FRVFODF/VNCFS
*OJUJBM*1"EESFTT

View Slide

$VSSFOUMZ
8JSFTIBSLQSPWJEFT"1*TUPEFWFMPQEJTTFDUPST
JO-VBBOE$POMZ
*U`TBMJUUMFEJTBQQPJOUJOHGPSVT3VCZJTUT
XFDBOOPUXSJUF3VCZGPSEFWFMPQJOHEJTTFDUPSTʜ

View Slide

4P *DSFBUFEBOFYUFOEFE8JSFTIBSL
UIBUBMMPXTZPVUPEFWFMPQBEJTTFDUPSJO3VCZ
CZFNCFEEJOHNSVCZJOUP8JSFTIBSL
ɹ[email protected]@NSVCZ

View Slide

5PEBZ`TBHFOEB
)PXUPEFWFMPQBEJTTFDUPSJO3VCZ
*NQMFNFOUJOHFYUFOEFE8JSFTIBSLXJUINSVCZ
5SZUPBOBMZ[FE3VCZQBDLFUT

View Slide

)PXUPEFWFMPQBEJTTFDUPSJO3VCZ

View Slide

'JSTU
MFUNFTIPXZPVIPXB8JSFTIBSLEJTTFDUPSXPSLT

View Slide

5IFSFBSF PSNPSF
UJNFTXIFOBEJTTFDUPSXPSLT
8IFO8JSFTIBSLTUBSUTBOEXIFOUSB
ff
i
DJTPDDVSSFE
)PXEPFTB8JSFTIBSLEJTTFDUPSXPSL
ᶃ8IFO8JSFTIBSLTUBSUT
ɹBEJTTFDUPSJTSFHJTUFSFEJOUPJU
ᶄ8IFOUSB
ff i
DJTPDDVSSFE
ɹBEJTTFDUPSBOBMZ[FTUIFQBDLFU

View Slide

"EJTTFDUPSJTSFHJTUFSFEJOUP8JSFTIBSLXJUI
UIFQSPUPDPMJOGPSNBUJPOOFDFTTBSZUPBOBMZ[FQBDLFUT
5IJTJOGPSNBUJPOJODMVEFTBMJTUPGIFBEFS
fi
FME
ᶃ8IFO8JSFTIBSLTUBSUT
'PSFYBNQMF
ɾ5IFQSPUPDPM`TOBNF
ɾ5SBOTQPSUQSPUPDPMUPVTF
ɾ1PSUOVNCFSUPVTF
ɾ"MJTUPGIFBEFS
fi
FME

View Slide

"IFBEFS
fi
FMEJTBNFUBEBUB
TVDIBTMBCFM OVNCFSTPGCZUFTBOEEJTQMBZGPSNBUUIBU
IFMQT8JSFTIBSLJOUFSQSFUQBDLFUTDPSSFDUMZ
8IBUJTIFBEFS
fi
FME
static hf_register_info hf[] = {

{ &hf_foo_pdu_type,

{ "FOO PDU Type”,

“foo.type”,

FT_UINT8,

BASE_DEC,

VALS(packettypenames),

0x0,

NULL,

HFILL } },

// …

},
-BCFM
/VNCFSTPGCZUFT
%JTQMBZGPSNBU
5IFJOGPSNBUJPOEJTQMBZFEJOUIFl1BDLFU%FUBJMTzQBOFJT
PSJHJOBUFEGSPNBOBSSBZPGIFBEFS
fi
FME

View Slide

5IFEJTTFDUPSNBQTUIFEBUBJOXIJDIQPTJUJPOJOUIF
QBDLFUJTBOBMZ[FEXJUIXIJDIIFBEFS
fi
FME
TUCZUF6TFl5ZQFzIFBEFS
fi
FME
Y Y Y Y YG Y Y Y
ᶄ8IFOUSB
ffi
DJTPDDVSSFE

View Slide

5IJTBMMPXT8JSFTIBSLUPBOBMZ[FUIFEBUBDPOUBJOFE
JOUIFQBDLFUGPSFBDIQPTJUJPOXIFSFJUJT
ᶄ8IFOUSB
ffi
DJTPDDVSSFE
Y Y Y Y YG Y Y Y
TUCZUF6TFl5ZQFzIFBEFS
fi
FME

View Slide

5PBOBMZ[FQBDLFUTXJUIBEJTTFDUPS
JUSFRVJSFTBUMFBTUUIFGPMMPXJOHGFBUVSFT
ɹᶃ3FHJTUFSJOHUIFQSPUPDPMJOGPSNBUJPO
ɹJODMVEJOHBMJTUPGIFBEFS
fi
FMET
ɹᶄ.BQQJOHFBDIEBUBQPTJUJPOJOUIFQBDLFU
ɹUPBIFBEFS
fi
FMEUIBUBOBMZ[FTUIBUEBUB
4VNNBSZ

View Slide

%FWFMPQJOHBEJTTFDUPSJO3VCZBMTPSFRVJSFT
UIFTFGFBUVSFT
4PUIFEJTTFDUPSEFWFMPQNFOUJO3VCZJTBTGPMMPXT

View Slide

WSProtocol.con
fi
gure("Foo") do

transport :tcp

port 4567

fi
lter “foo”

headers [{ name: :foo_pdu_type,

label: "FOO PDU Type",

fi
lter: "foo.type",

type: WSProtocol::FT_UINT8,

display: WSProtocol::BASE_DEC,

dict: { 1 => "Initialise", 2 => "Terminate", 3 => "Data" } },

… ]

dissectors do

items [{ header: :foo_pdu_type,

endian: WSDissector::ENC_BIG_ENDIAN,

offset: 0 },

… ]

end

end
%FWFMPQBEJTTFDUPSJO3VCZ
"EJTTFDUPSJO3VCZDBOCFXSJUUFO
JOBDPO
fi
HVSBUJPO
fi
MFMJLF%4-
QMVHJOTFQBOGPPDPO
fi
HGPPSC

View Slide

WSProtocol.con
fi
gure("Foo") do

transport :tcp

port 4567

fi
lter “foo”



fi
lter: "foo.type",




… ]

dissectors do



offset: 0 },

… ]

end

end
841SPUPDPMDPO
fi
HVSF
$BMM841SPUPDPMDPO
fi
HVSFUPEFWFMPQBEJTTFDUPS
5IFSFBSFTFDUJPOTJOUIJTCMPDL
QMVHJOTFQBOGPPDPO
fi
HGPPSC

View Slide

WSProtocol.con
fi
gure("Foo") do

transport :tcp

port 4567

fi
lter “foo”



fi
lter: "foo.type",




… ]

dissectors do



offset: 0 },

… ]

end

end
ᶃ3FHJTUFSTFDUJPO
ᶄ%JTTFDUPSTFDUJPO
QMVHJOTFQBOGPPDPO
fi
HGPPSC

View Slide

WSProtocol.con
fi
gure("Foo") do

transport :tcp

port 4567

fi
lter “foo”



fi
lter: "foo.type",




… ]

dissectors do



offset: 0 },

… ]

end

end
ᶃ3FHJTUFSTFDUJPO
5IFSFHJTUFSTFDUJPOJTGPSSFHJTUFSJOH
UIFQSPUPDPMJOGPSNBUJPOGPSBOBMZ[JOHQBDLFUT
QMVHJOTFQBOGPPDPO
fi
HGPPSC

View Slide

WSProtocol.con
fi
gure("Foo") do

transport :tcp

port 4567

fi
lter “foo”



fi
lter: "foo.type",




… ]

dissectors do



offset: 0 },

… ]

end

end
-BCFM
/VNCFSTPGCZUFT
%JTQMBZGPSNBU
ᶃ3FHJTUFSTFDUJPO
841SPUPDPMIFBEFSTSFHJTUFSTBMJTUPGIFBEFS

fi
FMETCZSFDFJWJOHBOBSSBZPGIBTIFTPGIFBEFS

fi
FMET
QMVHJOTFQBOGPPDPO
fi
HGPPSC
841SPUPDPMIFBEFST

View Slide

WSProtocol.con
fi
gure("Foo") do

transport :tcp

port 4567

fi
lter “foo”



fi
lter: "foo.type",




… ]

dissectors do



offset: 0 },

… ]

end

end
ᶄ%JTTFDUPSTFDUJPO
5IFEJTTFDUPSTFDUJPOJTGPSNBQQJOHFBDIEBUB
QPTJUJPOJOUIFQBDLFUUPBIFBEFS
fi
FME
QMVHJOTFQBOGPPDPO
fi
HGPPSC

View Slide

WSProtocol.con
fi
gure("Foo") do

transport :tcp

port 4567

fi
lter “foo”



fi
lter: "foo.type",




… ]

dissectors do



offset: 0 },

… ]

end

end
ᶄ%JTTFDUPSTFDUJPO
5IFEJTTFDUPSTFDUJPOJTJOTJEF
UIFCMPDLPG841SPUPDPMEJTTFDUPST
QMVHJOTFQBOGPPDPO
fi
HGPPSC
841SPUPDPMEJTTFDUPST

View Slide

WSProtocol.con
fi
gure("Foo") do

transport :tcp

port 4567

fi
lter “foo”



fi
lter: "foo.type",




… ]

dissectors do



offset: 0 },

… ]

end

end
)FBEFS
fi
FME
1PTJUJPO
ᶄ%JTTFDUPSTFDUJPO
84%JTTFDUPSJUFNTSFDFJWFTBOBSSBZPGIBTIFTPG
BNBQQJOHCFUXFFOBEBUBQPTJUJPOBOEBIFBEFS
fi
FME
QMVHJOTFQBOGPPDPO
fi
HGPPSC
841SPUPDPMJUFNT

View Slide

5IF'PPEJTTFDUPSJO3VCZBMTPDBOBOBMZ[F
'PPQSPUPDPMQBDLFUT
'PPEJTTFDUPSJO3VCZ

View Slide

&YUFOEFE8JSFTIBSLIBTPUIFSVTFGVMGFBUVSFT
XIJDI*XJMMTIPXZPV

View Slide

WSProtocol.con
fi
gure(“Foo") do

# …

dissectors do



offset: 0 }, … ]

sub(“Foo Subtree“) do



offset: 0 }, … ]

end

end

end
841SPUPDPMTVC
84%JTTFDUPSTVCDBOEJTQMBZUIFBOBMZTJTSFTVMUT
BTBTVCUSFFJOUIFl1BDLFU%FUBJMTzQBOF
QMVHJOTFQBOGPPDPO
fi
HGPPSC
841SPUPDPMTVC

View Slide

WSProtocol.con
fi
gure(“Foo") do

# …

dissectors do



offset: 0 }, … ]

sub(“Foo Subtree (1)“) do



offset: 0 }, … ]

sub(“Foo Subtree (2)“) do



offset: 0 }, … ]

end

end

end

end
$BMMJOH841SPUPDPMTVCXJUIJO841SPUPDPMTVC
DBOEJTQMBZBEEJUJPOBMTVCUSFFTXJUIJOBTVCUSFF
841SPUPDPMTVC
QMVHJOTFQBOGPPDPO
fi
HGPPSC
841SPUPDPMTVC
841SPUPDPMTVC

View Slide

WSProtocol.con
fi
gure(“Foo") do

# …

puts "WSProtocol#value_at(0) - #{value_at(0)}”

puts "WSProtocol#value_at(0) - #{value_at(4)}"

dissectors do

puts "WSDissector#value_at(0) - #{value_at(0)}”

puts "WSDissector#value_at(0) - #{value_at(4)}”

# …

end

end
[email protected]%[email protected]
[email protected]
TQFDJ
fi
FEQPTJUJPOJOUIFQBDLFUUPCFPCUBJOFE
BTBIFYBEFDJNBMOVNCFS 4USJOHPCKFDU

QMVHJOTFQBOGPPDPO
fi
HGPPSC
[email protected]
84%[email protected]

View Slide

WSProtocol.con
fi
gure(“Foo") do

transport :tcp

port 4567

fi
lter "proto_foo"



fi
lter: "foo.type",




… ]

dissectors do



offset: 0 },

… ]

end

end
6TFGVMDPOTUBOUTCBTFEPO$
'JFMEUZQFT
'[email protected]*/5
*OUFHSBMUZQFT
#"4&@%&$
.BDSP
&/[email protected]#*(@&/%*"/
4PNFPGUIFNBDSPTBOEFOVNOBNFTUIBU
8JSFTIBSLQSPWJEFTGPSEJTTFDUPSEFWFMPQNFOU
BSFBWBJMBCMFBTDPOTUBOUTJOUIJTDPO
fi
H
fi
MF
QMVHJOTFQBOGPPDPO
fi
HGPPSC

View Slide

*NQMFNFOUJOH
FYUFOEFE8JSFTIBSLXJUINSVCZ

View Slide

*OPSEFSUPEFWFMPQBEJTTFDUPSJO3VCZ CFIBWJPSTOFFE
UPCFCVJMUJOUP8JSFTIBSL
ᶄ%JTTFDUPSNVTUMPBEUIFDPO
fi
H
fi
MF
ɹXIFO8JSFTIBSLTUBSUT
8IBUBSFOFFEFEJOFYUFOEFE8JSFTIBSL
ᶃ8JSFTIBSLNVTULOPX
ɹIPXUPJOUFSQSFU3VCZDPEFT
Ruby
Ruby

View Slide

8JSFTIBSLJTEFWFMPQFEQSJNBSJMZJO$
BOECZEFGBVMUDBOOPUJOUFSQSFU3VCZ
5PBMMPX8JSFTIBSLUPEPTP
NSVCZNVTUCFFNCFEEFEJOUPJU
ᶃ8JSFTIBSLNVTULOPXIPXUPJOUFSQSFU3VCZDPEFT

View Slide

*
fi
STUGPSLFEUIF8JSFTIBSLSFQPTJUPSZBOEBEEFE
UIFNSVCZSFQPTJUPSZBTB(JUTVCNPEVMFUPJU
)FSF

View Slide

8JSFTIBSLVTFT$.BLFUPHFOFSBUF.BLF
fi
MFTGPSCVJMEJOH
4P*BEEFEB
fi
MF 'JOE.36#:DNBLFUIBU8JSFTIBSLDBO
fi
OE
NSVCZBTBQBDLBHFXIFO$.BLFJTSVO
fi
nd_path(MRUBY_INCLUDE_DIR mruby.h

PATHS "${CMAKE_SOURCE_DIR}/mruby/include"

NO_DEFAULT_PATH)

fi
nd_library(MRUBY_LIBRARY

NAMES mruby

PATHS “${CMAKE_SOURCE_DIR}/mruby/host"

PATH_SUFFIXES lib

NO_DEFAULT_PATH)

include(FindPackageHandleStandardArgs)

fi
nd_package_handle_standard_args(MRUBY

REQUIRED_VARS MRUBY_LIBRARY MRUBY_INCLUDE_DIR 300

VERSION_VAR 300)

set(MRUBY_LIBRARIES "${MRUBY_LIBRARY}")

set(MRUBY_INCLUDE_DIRS ${MRUBY_INCLUDE_DIR} )

# …
DNBLFNPEVMFT'JOE.36#:DNBLF

View Slide

[email protected]
fi
[email protected]
MJCSBSJFTXIFO$.BLFJTSVO
4P*VTFEUIJTNBDSPUPBEENSVCZUPUIFTFBSDIUBSHFU
JO$.BLF-JTUTUYU
# ws_
fi
nd_package(

#

# fi
g.h.in macro de
fi
nition>

# [remaining
fi
nd_package() arguments])

ws_
fi
nd_package(MRUBY

ENABLE_MRUBY

HAVE_MRUBY

)

$.BLF-JTUTUYU
option(ENABLE_MRUBY "Build with mruby dissector support" ON)
$.BLF0QUJPOTUYU
#cmakede
fi
ne HAVE_MRUBY 1
$.BLF0QUJPOTUYU

View Slide

5IFO TQFDJGZUIBUUIFEJTTFDUPSBCPVUUPEFWFMPQMJOLT
NSVCZXIFOCVJMEJOH8JSFTIBSL
5IJTXJMMCFEFTDSJCFEJOUIF$.BLF-JTUTUYUGPSUIFEJTTFDUPS
include(WiresharkPlugin)

set_module_info(foo 0 0 1 0)

# …

add_wireshark_plugin_library(protofoo epan)

target_include_directories(foo PRIVATE ${MRUBY_INCLUDE_DIRS})

target_link_libraries(foo epan ${MRUBY_LIBRARIES})

install_plugin(foo epan)

# …
QMVHJOTFQBOQSPUPGPP$.BLF-JTUTUYU

View Slide

#include "con
fi
g.h"

#include

#include

#include

# …

void proto_reg_handoff_protofoo(void)

{

mrb_state *mrb = mrb_open();

mrb_load_string(mrb, “puts ‘Hello from mruby’”);

mrb_close(mrb);

}
ʜOPXTVDDFTTGVMMZSVO3VCZDPEF
)FBEFS
fi
MFTPGNSVCZ
3VCZDPEF
5IFO CZJODMVEJOHUIFNSVCZIFBEFS
fi
MFTJOUP
UIFTPVSDFDPEFPGUIJTEJTTFDUPS
BOEXSJUF3VCZDPEFT
QMVHJOTFQBOGPPQBDLFUGPPD

View Slide

#include "con
fi
g.h"

#include

#include

#include

# …


{

mrb_state *mrb = mrb_open();

mrb_load_string(mrb, “puts ‘Hello from mruby’”);

mrb_close(mrb);

}
ʜOPXTVDDFTTGVMMZSVO3VCZDPEFJO8JSFTIBSL
QMVHJOTFQBOGPPQBDLFUGPPD

View Slide

/PX UIFOFYUTUFQJTUPBMMPXUIFEJTTFDUPSUPMPBE
UIFDPO
fi
H
fi
MFXIFO8JSFTIBSLTUBSUT
ᶄ.VTUCFBCMFUPMPBEUIFDPO
fi
H
fi
MF

View Slide

8IFO8JSFTIBSLTUBSUT UIFEJTTFDUPSBMXBZTDBMMT
BGVODUJPODBMMFElUIFIBOEP
ff
GVODUJPOz
*OUIFIBOEP
ff
GVODUJPO DBMMBGVODUJPOXIJDIJTOBNFE
[email protected]@[email protected]
UIBUMPBETUIFDPO
fi
H
fi
MF
ᶄ.VTUCFBCMFUPMPBEUIFDPO
fi
H
fi
MF
The handoff function mrb_ws_protocol_start()
WSProtocol.con
fi
gure(“Foo") do

…

headers […]

dissectors do

items [ … ]

end

end

View Slide

#include "con
fi
g.h"

#include

#include "../plugins/epan/mruby/ws_protocol.c"

# …


{

mrb_ws_protocol_start(“../plugins/epan/protofoo/con
fi
g.foo.rb”);

}
5IFIBOEP
ff
GVODUJPO
5IFIBOEP
ff
GVODUJPO
5IFIBOEP
ff
GVODUJPOJTXSJUUFOJOUIFEJTTFDUPS
*[email protected]@[email protected]
QBTTJOH
UIFQBUIUPUIFDPO
fi
H
fi
MF
WSProtocol.con
fi
gure(“Foo") do

…

headers […]

dissectors do

items [ … ]

end

end

QMVHJOTFQBOGPPQBDLFUQSPUPGPPD

View Slide

static int operation_mode = REGISTRATION;

static mrb_state *_mrb;

char con
fi
g_src_path[256];

mrb_value mrb_ws_protocol_start(const char *pathname)

{

if (operation_mode != REGISTRATION) perror(“…”); exit(1);

_mrb = mrb_open();

strcpy(con
fi
g_src_path, pathname);

// …

FILE *con
fi
g_src = fopen(con
fi
g_src_path, "r");

return mrb_load_
fi
le(_mrb, con
fi
g_src);

}

QFSGPSNTJOJUJBMJ[BUJPO
TVDIBTEF
fi
OJOHBDMBTTXJUINFUIPETGPSUIF%4-T
"OEUIFOJUMPBETUIFDPO
fi
H
fi
MF

View Slide



char con
fi
g_src_path[256];


{


_mrb = mrb_open();

strcpy(con
fi

// …

FILE *con
fi
g_src = fopen(con
fi
g_src_path, "r");

return mrb_load_
fi
le(_mrb, con
fi
g_src);

}
typedef enum {

REGISTRATION,

DISSECTION,

} OperationMode;
"UUIJTQPJOUXIFO8JSFTIBSLJTTUBSUFE UIJTDPEF
GPSFYUFOTJPOJTPQFSBUJOHJO3&(*453"5*0/NPEF
3&(*453"5*0/NPEF

View Slide



char con
fi
g_src_path[256];


{


_mrb = mrb_open();

strcpy(con
fi

// …

FILE *con
fi
g_src = fopen(con
fi
g_src_path, "r");

return mrb_load_
fi
le(_mrb, con
fi
g_src);

}
"[email protected]
[email protected]
'JSTU [email protected]
BHMPCBMWBSJBCMF

View Slide



char con
fi
g_src_path[256];


{


_mrb = mrb_open();

strcpy(con
fi

// …

FILE *con
fi
g_src = fopen(con
fi
g_src_path, "r");

return mrb_load_
fi
le(_mrb, con
fi
g_src);

}
/FYU TUPSFUIFQBUIUPUIFDPO
fi
H
fi
MFJOUP
BHMPCBMWBSJBCMF
4UPSFUIFQBUIUPUIFDPO
fi
H
fi
MF

"HMPCBMWBSJBCMFUPTUPSFUIFQBUI

View Slide



char con
fi
g_src_path[256];


{


_mrb = mrb_open();

strcpy(con
fi

// …

FILE *con
fi
g_src = fopen(con
fi
g_src_path, "r");

return mrb_load_
fi
le(_mrb, con
fi
g_src);

}
*OUIJTXBZ JUXJMMCFQPTTJCMFUPSFTUPSFUIFN
MBUFS XIFOUSB
ffi
DJTPDDVSSFEMBUFS

View Slide



char con
fi
g_src_path[256];


{


_mrb = mrb_open();

strcpy(con
fi

// …

FILE *con
fi
g_src = fopen(con
fi
g_src_path, "r");

return mrb_load_
fi
le(_mrb, con
fi
g_src);

}
5IFOUIFDPO
fi
H
fi
MFJTMPBEFE

-PBEUIFDPO
fi
H
fi
MF

View Slide

/PX XIFOUIFDPO
fi
H
fi
MFJTMPBEFE
UIFO841SPUPDPMDPO
fi
HVSFJTFYFDVUFE
841SPUPDPMDPO
fi
HVSF
The handoff function mrb_ws_protocol_start()
WSProtocol.con
fi
gure(“Foo") do

…

headers […]

dissectors do

items [ … ]

end

end

View Slide

static mrb_value mrb_ws_protocol_con
fi
g(mrb_state *mrb, mrb_value self)

{

mrb_value name, block;

mrb_get_args(mrb, "S&", &name, &block);

mrb_value proto = mrb_funcall(mrb, self, "new", 1, name);

mrb_funcall_with_block(mrb, proto, mrb_intern_lit(mrb, "instance_eval"), 0, NULL, block);

mrb_value mrb_con
fi
g = mrb_nil_value();

if (operation_mode == REGISTERATION) mrb_con
fi
g = mrb_funcall(mrb, proto, "register!", 0);

return mrb_con
fi
g;

}

fi
fi
H

841SPUPDPMDPO
fi
HVSFDBMMT
fi
H

View Slide

fi

{





mrb_value mrb_con
fi

fi

return mrb_con
fi
g;

}

fi
5IJTGVODUJPOJOTUBOUJBUFT841SPUPDPMDMBTTBOE
FYFDVUFTBCMPDLPGDPO
fi
[email protected]
&YFDVUF841SPUPDPMOFX
&YFDVUF#[email protected]
fi
H

View Slide

WSProtocol.con
fi
gure("Foo") do

transport :tcp

port 4567

fi
lter “foo”



fi
lter: "foo.type",




… ]

dissectors do



offset: 0 },

… ]

end

end
5IFOJOUIFSFHJTUFSTFDUJPOPGUIFCMPDL
3FHJTUFSTFDUJPO
841SPUPDPMDPO
fi
HVSF JOUIFDPO
fi
H
fi
MF

View Slide

WSProtocol.con
fi
gure("Foo") do

transport :tcp

port 4567

fi
lter “foo”



fi
lter: "foo.type",




… ]

dissectors do



offset: 0 },

… ]

end

end
5IFQSPUPDPMJOGPSNBUJPO
JODMVEJOHUIFMJTUPGIFBEFS
fi
FMET
BSFTUPSFEJO
JOTUBODFWBSJBCMFTPGUIF841SPUPDPMJOTUBODF
841SPUPDPMDPO
fi
HVSF JOUIFDPO
fi
H
fi
MF

!USBOTQPSU
!QPSU
!
fi
MUFS
!IFBEFST
!OBNF

View Slide

fi

{





mrb_value mrb_con
fi

fi

return mrb_con
fi
g;

}

fi
"GUFSUIFCMPDL
fi
OJTIFTFYFDVUJOH
fi
H

fi
H
BHBJO

View Slide

fi

{





mrb_value mrb_con
fi

fi

return mrb_con
fi
g;

}

fi
*O3&(*453"5*0/NPEF
841SPUPDPMSFHJTUFSJTUIFODBMMFE
fi
H
BHBJO
$BMM841SPUPDPMSFHJTUFS

View Slide

static void ws_protocol_register(mrb_state *mrb, mrb_value self)

{

ws_protocol_set_members(mrb, self);

mrb_value mrb_hfs = mrb_iv_get(mrb, self, mrb_intern_lit(mrb, "@headers"));

ws_hfs.size = (int)RARRAY_LEN(mrb_hfs);

hf_register_info *hf = malloc(sizeof(hf_register_info) * ws_hfs.size);

for (int i = 0; i < ws_hfs.size; i++) {

hf[i].p_id = &ws_hfs.headers[i].handle;

// ...

}

// ...

phandle = proto_register_protocol(ws_protocol.name, ws_protocol.name,ws_protocol.
fi
lter);

proto_register_
fi
eld_array(phandle, hf, ws_hfs.size);

proto_register_subtree_array((gint *const *)ett, (int)mrb_
fi
xnum(mrb_dissector_depth));

}
phandle = proto_register_protocol(ws_protocol.name, ws_protocol.name, ws_protocol.
fi
lter);
[email protected]@SFHJTUFS

841SPUPDPMSFHJTUFSDBMMT

View Slide


{







// ...

}

// ...

fi
lter);

proto_register_
fi

fi

}
fi
lter);

5IJTGVODUJPOQMBZTBOJNQPSUBOUSPMFJO
SFHJTUFSJOHQSPUPDPMJOGPSNBUJPOXJUI8JSFTIBSL

View Slide


{







// ...

}

// ...

fi
lter);

proto_register_
fi

fi

}
fi
lter);

*[email protected]@SFHJTUFS

JTDBMMFEBU
fi
STU

View Slide

static void ws_protocol_set_members(mrb_state *mrb, mrb_value self)

{

mrb_value mrb_name = mrb_iv_get(mrb, self, mrb_intern_lit(mrb, "@name"));

mrb_value mrb_transport = mrb_iv_get(mrb, self, mrb_intern_lit(mrb, "@transport"));

mrb_value mrb_port = mrb_iv_get(mrb, self, mrb_intern_lit(mrb, "@port"));

mrb_value mrb_
fi
lter = mrb_iv_get(mrb, self, mrb_intern_lit(mrb, "@
fi
lter"));

strcpy(ws_protocol.name, mrb_string_cstr(mrb, mrb_name));

strcpy(ws_protocol.
fi
lter, mrb_string_cstr(mrb, mrb_
fi
lter));

strcpy(ws_protocol.transport, mrb_string_cstr(mrb, mrb_funcall(mrb, mrb_transport, "to_s", 0)));

ws_protocol.port = (unsigned int)mrb_
fi
xnum(mrb_port);

}


SFTUPSFT
UIFQSPUPDPMJOGPSNBUJPO PUIFSUIBOIFBEFS
fi
FMET
TUPSFEJOUIF841SPUPDPMJOTUBODF
!USBOTQPSU
!QPSU
!
fi
MUFS
!OBNF

View Slide


{




mrb_value mrb_
fi
fi
lter"));


strcpy(ws_protocol.
fi
fi
lter));


fi
xnum(mrb_port);

}


5IFODPQJFTUIFNJOUPHMPCBMWBSJBCMFT

View Slide


{




mrb_value mrb_
fi
fi
lter"));


strcpy(ws_protocol.
fi
fi
lter));


fi
xnum(mrb_port);

}


*OUIJTXBZ 8JSFTIBSLDBOSFTUPSFUIFNGSPN
UIFHMPCBMWBSJBCMFTBOEIBOEMFUIFN

View Slide


{







// ...

}

// ...

fi
lter);

proto_register_
fi

fi

}
fi
lter);
BHBJO
"[email protected]@[email protected]


View Slide


{







// ...

}

// ...

fi
lter);

proto_register_
fi

fi

}
fi
lter);
BHBJO
SFTUPSFBOBSSBZPG
IFBEFS
fi
FMETTUPSFEJOUIF841SPUPDPMJOTUBODF
0CUBJOBOBSSBZPGIFBEFS
fi
FMET

View Slide


{







// ...

}

// ...

fi
lter);

proto_register_
fi

fi

}
fi
lter);
BHBJO
BOEBMMPDBUFTIFBQNFNPSZGPSUIFBSSBZPG
IFBEFS
fi
FMETXJUINBMMPD

6TFNBMMPD

View Slide


{







// ...

}

// ...

fi
lter);

proto_register_
fi

fi

}
fi
lter);
BHBJO
5IFJUFNTPGUIFIFBEFS
fi
FMETBSSBZBSFTUPSFE
JOUIFIFBQNFNPSZ
-PPQUPTUPSFUIFIFBEFS
fi
FMET

View Slide


{







// ...

}

// ...

fi
lter);

proto_register_
fi

fi

}
fi
lter);
BHBJO
*OUIJTXBZ 8JSFTIBSLDBOSFTUPSFUIFNGSPN
UIFIFBQNFNPSZBOEIBOEMFUIFN

View Slide


{







// ...

}

// ...

fi
lter);

proto_register_
fi

fi

}
fi
lter);
BHBJO
/FYU [email protected]@QSPUPDPM
UPSFHJTUFS
UIFQSPUPDPMJOGPSNBUJPOPUIFSUIBOUIFIFBEFS
fi
FMET
3FHJTUFSQSPUPDPMJOGPSNBUJPOPUIFSUIBOIFBEFS
fi
FMET
\\ Here is the climax of this function!! //

View Slide


{







// ...

}

// ...

fi
lter);

proto_register_
fi

fi

}
fi
lter);
BHBJO
'JOBMMZ [email protected]@
fi
[email protected]
UPSFHJTUFS
UIFIFBEFS
fi
FMET
3FHJTUFSIFBEFS
fi
FMET

View Slide


{







// ...

}

// ...

fi
lter);

proto_register_
fi

fi

}
fi
lter);
BHBJO
5IJTDPNQMFUFTXIBUJTEPOFCZFYFDVUJOH
UIFDPO
fi
H
fi
MF

View Slide

#include "con
fi
g.h"

#include

#include "../plugins/epan/mruby/ws_protocol.c"

# …


{

mrb_ws_protocol_start(“../plugins/epan/protofoo/con
fi
g.foo.rb”);

}
5IFIBOEP
ff
GVODUJPO
5IJTJTBMMUIBUJTEPOF
5IFIBOEP
ff
GVODUJPOUIFOEPFTOPUIJOHBOE
FYJUTXJUIPVUGVSUIFSBDUJPO
5IFTFBSFUIFEJTTFDUPSTXIBUUPEP
XIFO8JSFTIBSLTUBSUT
QMVHJOTFQBOGPPQBDLFUQSPUPGPPD

View Slide

'JOBMMZ BEEUPUIFFYUFOTJPODPEF
XIBUUIFEJTTFDUPSEPXIFOUSB
ff i
DJTPDDVSSFE
8IFOBUSB
ff
i
DPDDVSSFE UIFEJTTFDUPSBMXBZTDBMMT
BDBMMCBDLGVODUJPO
-FUTBEEUIFSFTUPGXIBUXFXJMMEPJOUIJTGVODUJPO
3FNBJOJOHJTTVFT
The callback function

View Slide

static int ws_protocol_dissector(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree _U_, void *data _U_)

{

if (operation_mode != DISSECTION) operation_mode = DISSECTION;

FILE *con
fi
g_src = fopen(con
fi
g_src_path, "r");

mrb_value mrb_con
fi
g = mrb_load_
fi
le(_mrb, con
fi
g_src);

// …

mrb_value mrb_dfs = mrb_iv_get(_mrb, mrb_con
fi
g, mrb_intern_lit(mrb, "@dissectors"));

mrb_value mrb_items = mrb_iv_get(_mrb, mrb_dfs, mrb_intern_lit(mrb, “@items”));

// …

proto_tree *main_tree = proto_item_add_subtree(ti, ett);

ws_protocol_add_items(_mrb, mrb_items, main_tree, tvb);

// …

mrb_value mrb_subtrees = mrb_iv_get(_mrb, mrb_dfs, mrb_intern_lit(mrb, "@subtrees"));

ws_protocol_add_subtree_items(_mrb, mrb_subtrees, main_tree, tvb);

// …

}

fi
5IFDBMMCBDLGVODUJPO
5IFDBMMCBDLGVODUJPO

View Slide


{


FILE *con
fi
g_src = fopen(con
fi
g_src_path, "r");

mrb_value mrb_con
fi
g = mrb_load_
fi
le(_mrb, con
fi
g_src);

// …

fi


// …



// …



// …

}

fi
5IFDBMMCBDLGVODUJPO
'JSTU UIFPQFSBUJPONPEFJTDIBOHFE
UP%*44&$5*0/IFSF
$IBOHFUP%*44&$5*0/NPEF

View Slide


{


FILE *con
fi
g_src = fopen(con
fi
g_src_path, "r");

mrb_value mrb_con
fi
g = mrb_load_
fi
le(_mrb, con
fi
g_src);

// …

fi


// …



// …



// …

}

fi
#ZUIFXBZ UIF841SPUPDPMJOTUBODFUIBUXBT
KVTUDSFBUFEXIFO8JSFTIBSLTUBSUTJTOPUQFSTJTUFOU
TPJUEJTBQQFBSTBUUIFFOEPGUIFIBOEP
ff
GVODUJPO
5IFDBMMCBDLGVODUJPO

View Slide


{


FILE *con
fi
g_src = fopen(con
fi
g_src_path, "r");

mrb_value mrb_con
fi
g = mrb_load_
fi
le(_mrb, con
fi
g_src);

// …

fi


// …



// …



// …

}

fi
-FU`TDSFBUFUIF841SPUPDPMJOTUBODFBHBJO
5IFDBMMCBDLGVODUJPO

View Slide


{


FILE *con
fi
g_src = fopen(con
fi
g_src_path, "r");

mrb_value mrb_con
fi
g = mrb_load_
fi
le(_mrb, con
fi
g_src);

// …

fi


// …



// …



// …

}

fi
[email protected]
UIFDPO
fi
H
fi
MFTUPSFEJOBHMPCBMWBSJBCMF
XIFO8JSFTIBSLTUBSUT MPBEUIFDPO
fi
H
fi
MFBHBJO
5IFDBMMCBDLGVODUJPO
[email protected]
fi
MFQBUI
-PBEUIFDPO
fi
H
fi
MFBHBJO

View Slide

fi

{





mrb_value mrb_con
fi

fi

return mrb_con
fi
g;

}

fi
fi
H
BHBJO
BOEJOTUBOUJBUFT841SPUPDPMDMBTTBOEFYFDVUFT
UIFCMPDLPG841SPUPDPMDPO
fi
HVSFBHBJO
fi
H
BHBJO
&YFDVUF841SPUPDPMOFX
&YFDVUF#[email protected]

View Slide

WSProtocol.con
fi
gure("Foo") do

transport :tcp

port 4567

fi
lter “foo”



fi
lter: "foo.type",




… ]

dissectors do



offset: 0 },

… ]

end

end
%JTTFDUPSTFDUJPO
841SPUPDPMDPO
fi
HVSF JOUIFDPO
fi
H
fi
MF

5IFOJOUIFEJTTFDUPSTFDUJPOPGUIFCMPDL

View Slide

WSProtocol.con
fi
gure("Foo") do

transport :tcp

port 4567

fi
lter “foo”



fi
lter: "foo.type",




… ]

dissectors do



offset: 0 },

… ]

end

end
841SPUPDPMDPO
fi
HVSF JOUIFDPO
fi
H
fi
MF

!EJTTFDUPST
5IFNBQQJOHTPGFBDIEBUBQPTJUJPOJOUIFQBDLFUUP
BIFBEFS
fi
FMEBSFTUPSFEJOJOTUBODFWBSJBCMFTPG
UIF841SPUPDPMJOTUBODF

View Slide


{


FILE *con
fi
g_src = fopen(con
fi
g_src_path, "r");

mrb_value mrb_con
fi
g = mrb_load_
fi
le(_mrb, con
fi
g_src);

// …

fi


// …



// …



// …

}

fi
5IFO SFUVSOUPUIFDBMMCBDLGVODUJPO
5IFDBMMCBDLGVODUJPOBHBJO

View Slide


{


FILE *con
fi
g_src = fopen(con
fi
g_src_path, "r");

mrb_value mrb_con
fi
g = mrb_load_
fi
le(_mrb, con
fi
g_src);

// …

fi


// …



// …



// …

}

fi
5IFJUFNTKVTUTUPSFEJOUIFEJTTFDUPSTFDUJPO
BSFSFTUPSFEGSPNUIF841SPUPDPMJOTUBODF
0CUBJOUIFTUPSFENBQQJOHT

View Slide


{


FILE *con
fi
g_src = fopen(con
fi
g_src_path, "r");

mrb_value mrb_con
fi
g = mrb_load_
fi
le(_mrb, con
fi
g_src);

// …

fi


// …



// …



// …

}

fi
8JUIUIFTFNBQQJOHT FYFDVUFTBGVODUJPOUIBUEJTQMBZT
UIFBOBMZTJTSFTVMUTJOUIF1BDLFU%FUBJMQBOF
%JTQMBZUIFBOBMZTJTSFTVMUT

View Slide


{


FILE *con
fi
g_src = fopen(con
fi
g_src_path, "r");

mrb_value mrb_con
fi
g = mrb_load_
fi
le(_mrb, con
fi
g_src);

// …

fi


// …



// …



// …

}

fi
5IFBCPWFJTBOJOUSPEVDUJPOUP
UIFFYUFOEFE8JSFTIBSLJNQMFNFOUBUJPO

View Slide

5SZUPBOBMZ[FE3VCZQBDLFUT

View Slide

E3VCZ%JTUSJCVUFE3VCZ
JTPOFPGTUBOEBSE3VCZMJCSBSJFT
*UBMMPXTB3VCZQSPDFTTUPDBMMNFUIPETPOBPCKFDU
JOBOZPUIFS3VCZQSPDFTTPOBOZPUIFSIPTU
"CPVUE3VCZ

View Slide

'PSFYBNQMF
"CPVUE3VCZ
A B

View Slide

0O" UIF'PPDMBTTBOEHSFFUJOHJOTUBODFNFUIPEBSF
EF
fi
OFE"OEPOFPCKFDUPGUIF'PPDMBTTJTJOTUBOUJBUFE
"CPVUE3VCZ
class Foo

def greeting(name)

“Hello #{name}”

end

end
foo = Foo.new

A B

View Slide

1BTTJOHUIJTPCKFDUBOEB63*BTBSHVNFOUTUP
%[email protected]'PPPCKFDUUPUIJT63*
"CPVUE3VCZ
class Foo

def greeting(name)

“Hello #{name}”

end

end
foo = Foo.new

DRb.start_service(“druby://…”, foo)
A B

View Slide

0O# DBMMJOH%[email protected]@VSJXJUIUIF63*SFUVSOTB
%3C0CKFDUPCKFDUUIBUDBODBMMNFUIPETPOUIF'PPPCKFDU
CPVOEUPUIF63*
"CPVUE3VCZ
class Foo

def greeting(name)

“Hello #{name}”

end

end
foo = Foo.new

DRb.start_service(“druby://…”, foo) foo = DRbObject.new_with_uri(“druby://…”)

A B

View Slide

8IFOHSFFUJOHJTDBMMFEPO# UIJTNFUIPEDBMMJT
GPSXBSEFEWJB63*UPUIF'PPPCKFDUPO"
"CPVUE3VCZ
class Foo

def greeting(name)

“Hello #{name}”

end

end
foo = DRbObject.new_with_uri(“druby://…”)

puts foo.greeting(“Wireshark”)
foo = Foo.new

A B

View Slide

5IFO UIFSFUVSOWBMVFPGHSFFUJOHFYFDVUFEPO"JT
SFUVSOFEUP#WJB63*
"CPVUE3VCZ
class Foo

def greeting(name)

“Hello #{name}”

end

end

puts foo.greeting(“Wireshark”)

> Hello Wireshark
foo = Foo.new

A B

View Slide

'PSNPSFJOGPSNBUJPO [email protected]`TUBML
E3VCZJOUIFMBTUDFOUVSZBU3VCZ,BJHJ
[email protected]
IUUQTXXXZPVUVCFDPNXBUDI W;X5:Y;(
"CPVUE3VCZ

View Slide

/PUFUIBU8JSFTIBSLIBTBCVJMUJO$EJTTFDUPSUIBU
BOBMZ[FE3VCZQBDLFUTCZEFGBVMU
4PJGZPVXBOUUPBOBMZ[FE3VCZQBDLFUTSJHIUOPX
ZPVDBOPGDPVSTFVTFUIJTPOFʜ
"OBMZ[JOHBE3VCZQBDLFUXJUI8JSFTIBSL

View Slide

)PXFWFS
*IBWFOPXWFOUVSFEUPEFWFMPQBEJTTFDUPSJO3VCZ
UIBUBOBMZ[FTE3VCZQBDLFUT

View Slide

5PEFWFMPQBEJTTFDUPS
ZPVOFFEUPLOPXUIFTUSVDUVSFPGUIFQBDLFU
ZPVXBOUUPBOBMZ[F
-FUTMPPLBUUIFTUSVDUVSFPGBE3VCZQBDLFU

View Slide

*OUIJTDBTF UIFSFRVFTUQBDLFUJTBDBMMUPHSFFUJOH
POUIF'PPPCKFDUGSPN#
5IFTUSVDUVSFPGE3VCZSFRVFTUQBDLFU
class Foo

def greeting(name)

“Hello #{name}”

end

end

puts foo.greeting(“dRuby”)
foo = Foo.new

A B

View Slide

module DRb

# …

class DRbMessage

# …

def send_request(stream, ref, msg_id, arg, b)

ary = []

ary.push(dump(ref.__drbref))

ary.push(dump(msg_id.id2name))

ary.push(dump(arg.length))

arg.each do |e|

ary.push(dump(e))

end

ary.push(dump(b))

stream.write(ary.join(''))

rescue

raise(DRbConnError, $!.message, $!.backtrace)

end

# …

end

# …

end
3FRVFTUQBDLFUTBSFTFOUJO
%[email protected]
IUUQTHJUIVCDPNSVCZSVCZCMPCNBTUFSMJCESCESCSC--

View Slide

module DRb

# …

class DRbMessage

# …


ary = []




arg.each do |e|

ary.push(dump(e))

end

ary.push(dump(b))


rescue


end

# …

end

# …

end
&BDIEBUBUPCFJOUIFQBDLFUBSFEVNQFEJO
.BSTIBMEVNQBOEUIFOXSJUUFOUPUIFTUSFBN
BTBTFSJFTPGTUSJOHT
8SJUUFOUPUIFTUSFBN
%VNQFEJO.BSTIBMEVNQ

View Slide

module DRb

# …

class DRbMessage

# …


ary = []




arg.each do |e|

ary.push(dump(e))

end

ary.push(dump(b))


rescue


end

# …

end

# …

end
"DUVBMWBMVFTPGUIFEVNQFEEBUB

"SFRVFTUQBDLFUDPOUBJOTLJOETPGEBUB

View Slide

module DRb

# …

class DRbMessage

# …


ary = []




arg.each do |e|

ary.push(dump(e))

end

ary.push(dump(b))


rescue

# …

end

# …

end

# …

end
3FG 3FGFSFODFUPJEFOUJGZUIFPCKFDU

View Slide

module DRb

# …

class DRbMessage

# …


ary = []




arg.each do |e|

ary.push(dump(e))

end

ary.push(dump(b))


rescue

# …

end

# …

end

# …

end
.FTTBHF .FUIPEOBNF

View Slide

module DRb

# …

class DRbMessage

# …


ary = []




arg.each do |e|

ary.push(dump(e))

end

ary.push(dump(b))


rescue

# …

end

# …

end

# …

end
"SHVNFOUTMFOHUI /VNCFSPGNFUIPEBSHVNFOUT

View Slide

module DRb

# …

class DRbMessage

# …


ary = []




arg.each do |e|

ary.push(dump(e))

end

ary.push(dump(b))


rescue

# …

end

# …

end

# …

end
"SHVNFOUT "SHVNFOUT"SHVNFOUTMFOHUI

View Slide

module DRb

# …

class DRbMessage

# …


ary = []




arg.each do |e|

ary.push(dump(e))

end

ary.push(dump(b))


rescue

# …

end

# …

end

# …

end
#MPDL "OBMZ[JOHWBMVFBTBUZQFGPSTJNQMJDJUZ

View Slide

*OUIJTDBTF UIFSFTQPOTFQBDLFUJTUIFSFUVSOWBMVFPG
HSFFUJOHGPSUIF'PPPCKFDUGSPN"UP#
class Foo

def greeting(name)

“Hello #{name}”

end

end

puts foo.greeting(“dRuby”)

> Hello Wireshark
foo = Foo.new

5IFTUSVDUVSFPGE3VCZSFTQPOTFQBDLFU
A B

View Slide

module DRb

# …

class DRbMessage

# …

def send_reply(stream, succ, result)

stream.write(dump(succ) + dump(result, !succ))

rescue


end

# …

end

# …

end

3FTQPOTFQBDLFUTBSFTFOUJO
%[email protected]

View Slide

module DRb

# …

class DRbMessage

# …



rescue

# …

end

# …

end

# …

end

"SFTQPOTFQBDLFUDPOUBJOTLJOETPGEBUB

View Slide

module DRb

# …

class DRbMessage

# …



rescue

# …

end

# …

end

# …

end

4VDDFTT 8IFUIFSUIFNFUIPEDBMMXBTTVDDFTTGVMPSOPU

View Slide

module DRb

# …

class DRbMessage

# …



rescue

# …

end

# …

end

# …

end

3FTVMU 3FUVSOWBMVF

View Slide

#BTFEPOUIFTUSVDUVSF
MFUTDPOTJEFSIPXUPBOBMZ[FUIFE3VCZQBDLFUT

View Slide

%BUBPVUQVUJO.BSTIBMGPSNBU
&BDIQJFDFPGEBUBFYDIBOHFECZE3VCZJTEVNQFE
JO.BSTIBMEVNQ
5IFEVNQFEEBUBJODMVEFT JOPSEFSGSPNUIFCFHJOOJOH
UIFTJ[FPGUIFEBUB UIFUZQFPGEBUB BOEUIFBDUVBMWBMVF
4J[FPGEBUB 5ZQFPGEBUB
FH*OUFHFS 4USJOH #PPMʜ
[email protected]
7BMVFPGEBUB

View Slide

"OBMZ[JOHEBUBJO.BSTIBMGPSNBU
*OUIJTUJNF *USZUPEFWFMPQBEJTTFDUPSUIBUDBOBOBMZ[FBOE
EJTQMBZFBDIEBUBDPOUBJOFEJOUIFTFEVNQFETUSJOHT
4J[FPGEBUB 7BMVFPGEBUB
5ZQFPGEBUB

View Slide

"OBMZ[JOHEBUBJO.BSTIBMGPSNBU
'PSUIJTQVSQPTF *XPVMEMJLFUPQSPWJEFEIFBEFS
fi
FMET
ɾ4J[FPGEBUB
ɾ5ZQFPGEBUB
ɾ*OUFHFSWBMVFPGEBUB
ɾ4USJOHWBMVFPGEBUB
4J[FPGEBUB 7BMVFPGEBUB
5ZQFPGEBUB

View Slide

WSProtocol.con
fi
gure("dRuby") do

# …

headers [{ name: :hf_druby_size,

label: "Size",


… },

{ name: :hf_druby_type,

label: "Type",


dict: data_types,

… },

{ name: :hf_druby_integer,

label: "Value",


… },

{ name: :hf_druby_string,

label: "Value",

type: WSProtocol::FT_STRING,

… }]

# …

end
)FBEFS
fi
FMETPGUIFE3VCZEJTTFDUPS
4J[FPGEBUB
5IJTJTUIFMJTUPGIFBEFS
fi
FMETGPSE3VCZQBDLFUT
5ZQFPGEBUB
*OUFHFSWBMVFPGEBUB
4USJOHWBMVFPGEBUB

View Slide

#ZUIFXBZ

View Slide

5ZQFPGEBUBJO.BSTIBMGPSNBUJTUPPEJ
ff
i
DVMU
5IFEVNQFEEBUBDPOUBJOTBWBMVFNFBOTUIFUZQFPGEBUB
#VUKVTUMPPLJOHBUUIJTWBMVF
JUJTOPUDMFBSXIBUUZQFPGEBUBUIJTNFBOTʜ
5ZQFPGEBUB

View Slide

ff
i
DVMU
l4USJOH
5USVF
**OTUBODFWBSJBCMF
8IBUUIJTWBMVFNFBOTzJTEF
fi
OFEJOUIF.BSTIBMGPSNBU

View Slide

ff
i
DVMU

#VUBTJUJTOPX UIFWBMVFTJO
UIJTVOSFBEBCMFGPSNBUJTEJTQMBZFEJOUIFl1BDLFU%FUBJMTzQBOF

View Slide

WSProtocol.con
fi
gure("dRuby") do

# …

data_types = {

"0" => "nil",

"T" => "true",

"F" => "false",

"i" => "Integer",

":" => "Symbol",

"\"" => "String",

"I" => "Instance variable",

"[" => "Array",

# …

}

headers [ …


label: "Type",


dict: data_types,

… },

… ]

# …

end
"EJDUJPOBSZGPSEJTQMBZJOHUZQFTPGEBUB
"EJDUJPOBSZ
4P *QSFQBSFEBEJDUJPOBSZUPHFUUIFBDUVBMUZQFPG
EBUBSFGFSSJOHUPUIF.BSTIBMGPSNBUJOUIFDPO
fi
H
fi
MF

View Slide

WSProtocol.con
fi
gure("dRuby") do

# …

data_types = {

"0" => "nil",

"T" => "true",

"F" => "false",

"i" => "Integer",

":" => "Symbol",

"\"" => "String",


"[" => "Array",

# …

}

headers [ …


label: "Type",


dict: data_types,

… },

… ]

# …

end
5IFIFBEFS
fi
FMEUIBUBOBMZ[FUIFUZQFPGEBUB
.BLFUIFIFBEFS
fi
FMEUIBUBOBMZ[FUIFUZQF
PGEBUBUPIBWFUIJTEJDUJPOBSZ
5IFEJDUJPOBSZ
"EJDUJPOBSZ

View Slide

WSProtocol.con
fi
gure("dRuby") do

# …

data_types = {

"0" => "nil",

"T" => "true",

"F" => "false",

"i" => "Integer",

":" => "Symbol",

"\"" => "String",


"[" => "Array",

# …

}

headers [ …


label: "Type",


dict: data_types,

… },

… ]

# …

end
8IFOEBUBJTEJTQMBZFEJOUIF1BDLFU%FUBJMTzQBOF
UIFUZQFPGEBUBDBOCFEJTQMBZFEJOBSFBEBCMFGPSNBU

View Slide

WSProtocol.con
fi
gure("dRuby") do

# …

data_types = {

"0" => "nil",

"T" => "true",

"F" => "false",

"i" => "Integer",

":" => "Symbol",

"\"" => "String",


"[" => "Array",

# …

}

headers [ …


label: "Type",


dict: data_types,

… },

… ]

# …

end 5IJTDPNQMFUFTUIFSFHJTUFSTFDUJPO

View Slide

/FYU MFU`TDPOTJEFSBCPVUUIFEJTTFDUPSTFDUJPO

View Slide

WSProtocol.con
fi
gure("dRuby") do

# …

packet_type = druby_types[value_at(6)&.hex&.chr]

if %w[true false].include?(packet_type)

# …

else

# …

end

end

-FU`TEF
fi
OFUIFEJTTFDUPSTFDUJPO
*TlUSVFzPSlGBMTFz
'JSTU TFFUIFWBMVFJOUIFCZUFGSPN
UIFCFHJOOJOHPGUIFQBDLFU
*GUIFWBMVFNFBOTlUSVFzPSlGBMTFz

View Slide

WSProtocol.con
fi
gure("dRuby") do

# …



# …

else

# …

end

end

-FU`TEF
fi
OFUIFEJTTFDUPSTFDUJPO
3FTQPOTFQBDLFU
3FRVFTUQBDLFU
ʜUIFQBDLFUJTBSFTQPOTFQBDLFU
#FDBVTFJUTIPVMECFBSFTVMUPGBNFUIPEDBMM

0UIFSXJTF JUJTBSFRVFTUQBDLFU

View Slide

WSProtocol.con
fi
gure("dRuby") do

# …



dissectors("dRuby Response") do

sub("Success") do

# …

end

sub(“Result") do

# …

end

end

else

# …

end

end
/PX
MFU`TEF
fi
OFUIFNBQQJOHPGFBDIEBUBQPTJUJPO
JOUIFSFTQPOTFQBDLFUUPFBDIIFBEFS
fi
FME
%F
fi
OFUIFNBQQJOH
%JTTFDUPSTFDUJPOGPSSFTQPOTFQBDLFUTBOBMZTJT 4VDDFTT

View Slide

WSProtocol.con
fi
gure("dRuby") do

# …



dissectors("dRuby Response") do

sub("Success") do

# …

end

sub(“Result") do

# …

end

end

else

# …

end

end &BDIEBUBJOUIFSFTQPOTFQBDLFUJTEJTQMBZFE
JOUIFJSPXOTVCUSFFT
4VDDFTT 8IFUIFSUIFNFUIPEDBMMXBTTVDDFTTGVMPSOPU

3FTVMU 3FUVSOWBMVF


View Slide

sub(“Success") do

items [{ header: :hf_druby_size,


offset: 0 },

{ header: :hf_druby_type,


offset: 6 }]

end

5IJTJTBTVCUSFFGPSBOBMZ[JOH4VDDFTTEBUB
8IFUIFSUIFNFUIPEDBMMXBTTVDDFTTGVMPSOPU


View Slide

sub(“Success") do



offset: 0 },



offset: 6 }]

end

.BQQJOHGPSBOBMZ[JOHUIFTJ[FPGUIFEBUB
)FBEFS
fi
FMEGPSUIFTJ[FPGEBUB
1PTJUJPOPGUIFTJ[FPGEBUB

View Slide

sub(“Success") do



offset: 0 },



offset: 6 }]

end

)FBEFS
fi
FMEGPSUIFUZQFPGEBUB
1PTJUJPOPGUIFUZQFPGEBUB

.BQQJOHGPSBOBMZ[JOHUIFUZQFPGUIFEBUB

View Slide

sub(“Result") do

result_tree_items = [{ header: :hf_druby_size,


offset: 7 }]

result_value_size = value_at(7, :gint32, WSDissector::ENC_BIG_ENDIAN)

result_value_type = druby_types[value_at(13).hex.chr]

if result_value_type == “Integer"

result_tree_items.push({ header: :hf_druby_type,


offset: 13 })

result_tree_items.push({ header: :hf_druby_integer,

value: convert_form_to_int(value_at(14)&.to_i),

size: result_value_size.hex - 3,

offset: 14})

else



offset: 14 })

result_tree_items.push({ header: :hf_druby_string,

endian: WSDissector::ENC_NA,


offset: 16 })

end

items result_tree_items

end

end
%JTTFDUPSTFDUJPOGPSSFTQPOTFQBDLFUTBOBMZTJT 3FTVMU

5IJTJTBTVCUSFFGPSBOBMZ[JOH3FTVMUEBUB
5IFSFUVSOWBMVFPGUIFNFUIPE

View Slide

sub(“Result") do



offset: 7 }]






offset: 13 })




offset: 14})

else



offset: 14 })




offset: 16 })

end


end

end
)FBEFS
fi
FMEGPSUIFTJ[FPGEBUB
1PTJUJPOPGUIFTJ[FPGEBUB

.BQQJOHGPSBOBMZ[JOHUIFTJ[FPGUIFEBUB

View Slide

sub(“Result") do



offset: 7 }]






offset: 13 })




offset: 14})

else



offset: 14 })




offset: 16 })

end


end

end
8IBUUZQFPGEBUB
*OUFHFS 0SPUIFS

5IFEBUBJOUIFUICZUFGSPNUIFCFHJOOJOHPG
UIFQBDLFUNFBOTUIFUZQFPGUIBUEBUB

View Slide

sub(“Result") do



offset: 7 }]






offset: 13 })




offset: 14})

else



offset: 14 })




offset: 16 })

end


end

end
*GUIFEBUBUZQFJT*OUFHFS

View Slide

sub(“Result") do



offset: 7 }]






offset: 13 })




offset: 14})

else



offset: 14 })




offset: 16 })

end


end

end
)FBEFS
fi
FMEGPSUIFUZQFPGEBUB


View Slide

sub(“Result") do



offset: 7 }]






offset: 13 })




offset: 14})

else



offset: 14 })




offset: 16 })

end


end

end
.BQQJOHGPSBOBMZ[JOHUIFJOUFHFSWBMVFPGUIFEBUB
)FBEFS
fi
FMEGPSUIFWBMVFPGEBUB
1PTJUJPOPGUIFWBMVFPGEBUB

View Slide

sub(“Result") do



offset: 7 }]






offset: 13 })




offset: 14})

else



offset: 14 })




offset: 16 })

end


end

end
4J[FPGUIFJOUFHFSWBMVF

4JODFJOUFHFSWBMVFMFOHUIJTWBSJBCMF
JUNVTUTQFDJGZXIFSFUIFFOEPGUIFEBUBJT UPP

View Slide

sub(“Result") do



offset: 7 }]






offset: 13 })




offset: 14})

else



offset: 14 })




offset: 16 })

end


end

end
def convert_form_to_int(n)

n = n ^ 128 - 128

if n == 0 then 0

elsif n >= 4 then n - 5

elsif n < -6 then n + 5

# …

end

end
4JODFUIFWBMVFTBSFJO.BSTIBMGPSNBU JUOFFETUPCF
DPOWFSUFEUPJOUFHFSSFQSFTFOUBUJPOCFGPSFEJTQMBZ

View Slide

sub(“Result") do



offset: 7 }]






offset: 13 })




offset: 14})

else



offset: 14 })




offset: 16 })

end


end

end
*GUIFEBUBUZQFJTOPUJOUFHFS

View Slide

sub(“Result") do



offset: 7 }]






offset: 13 })




offset: 14})

else



offset: 14 })




offset: 16 })

end


end

end
)FBEFS
fi
FMEGPSUIFUZQFPGEBUB


View Slide

sub(“Result") do



offset: 7 }]






offset: 13 })




offset: 14})

else



offset: 14 })




offset: 16 })

end


end

end
.BQQJOHGPSBOBMZ[JOHUIFTUSJOHWBMVFPGUIFEBUB
)FBEFS
fi
FMEGPSUIFWBMVFPGEBUB
1PTJUJPOPGUIFWBMVFPGEBUB

View Slide

sub(“Result") do



offset: 7 }]






offset: 13 })




offset: 14})

else



offset: 14 })




offset: 16 })

end


end

end
4JODFTUSJOHWBMVFMFOHUIJTBMTPWBSJBCMF
JUNVTUTQFDJGZXIFSFUIFFOEPGUIFEBUBJT
4J[FPGUIFTUSJOHWBMVF

View Slide

sub(“Result") do



offset: 7 }]






offset: 13 })




offset: 14})

else



offset: 14 })




offset: 16 })

end


end

end
5IJTDPNQMFUFTUIFEJTTFDUPSTFDUJPO
GPSSFTQPOTFQBDLFUT

View Slide

WSProtocol.con
fi
gure("dRuby") do

# …



# …

else

dissectors("dRuby Request") do

sub(“Ref") do

# …

end

sub(“Message") do

# …

end

sub(“Args size") do

# …

end

sub(“Args") do

# …

end

sub(“Block”) do

# …

end

end

end

3FRVFTUQBDLFU
3FG
.FTTBHF
"SHVNFOUTTJ[F
"SHVNFOUT
#MPDL
3FRVFTUQBDLFUTBMTPSFRVJSF
BNBQQJOHEF
fi
OJUJPOJOUIFEJTTFDUPSTFDUJPO
%JTTFDUPSTFDUJPOGPSSFRVFTUQBDLFUTBOBMZTJT
3FTQPOTFQBDLFU

View Slide

/PX MFUTBOBMZ[FBE3VCZQBDLFU
XJUIUIJTE3VCZEJTTFDUPS

View Slide

require “drb”

class Foo

def greeting(name)

"Hello #{name}"

end

def sum(x, y)

x + y

end

def with_block

yield

end

end

foo = Foo.new


sleep

require “drb”

DRb.start_service

foo =

DRbObject.new_with_uri(“druby://…”, foo)

p foo.greeting(“dRuby”)

p foo.sum(1, 2)

p foo.with_block { “with block” }
)FSFBSFUIFE3VCZTDSJQUTUPSVO
# A (sending response packets) # B (sending request packets)

View Slide

%FNP

View Slide

4P *IPQFZPVFOKPZ
EJTTFDUPSTEFWFMPQNFOUJO3VCZ
XJUIFYUFOEFE8JSFTIBSL
ɹa1MFBTFTFF3&"%.&UPHFUTUBSUFE

View Slide

5IBOLZPVGPSZPVSBUUFOUJPO
*OTQJSFEGSPN
[email protected]
!VE[VSB
4QFDJBMUIBOLTUP
!PLVSBNBTBGVNJ
5IF8JSFTIBSLDPNNVOJUZ

View Slide

'PSXIFOUIFEFNPEPFTOUXPSL

View Slide

&YFDVUFUIFE3VCZTDSJQUT

View Slide

$BQUVSFUIFE3VCZQBDLFUT

View Slide

$BQUVSFUIFE3VCZQBDLFUT
/PB3FRVFTUQBDLFU $BMM'PPHSFFUJOHGSPN"UP#

/PB3FTQPOTFQBDLFU 3FUVSOWBMVFPG'PPHSFFUJOHGSPN#UP"

/PB3FRVFTUQBDLFU $BMM'PPTVNGSPN"UP#

/PB3FTQPOTFQBDLFU 3FUVSOWBMVFPG'PPTVNGSPN#UP"

/PB3FRVFTUQBDLFU $BMM'[email protected]"UP#

/PB3FTQPOTFQBDLFU 3FUVSOWBMVFPG'[email protected]#UP"

View Slide

E3VCZQBDLFUTPG'PPHSFFUJOH
/PB3FRVFTUQBDLFU
$BMM'PPHSFFUJOHGSPN"UP#

/PB3FTQPOTFQBDLFU
3FUVSOWBMVFPG'PPHSFFUJOHGSPN#UP"

View Slide

E3VCZQBDLFUTPG'PPTVN
/PB3FRVFTUQBDLFU
$BMM'PPTVNGSPN"UP#

/PB3FTQPOTFQBDLFU
3FUVSOWBMVFPG'PPTVNGSPN#UP"

View Slide

E3VCZQBDLFUTPG'[email protected]
/PB3FRVFTUQBDLFU
$BMM'[email protected]"UP#

/PB3FTQPOTFQBDLFU
3FUVSOWBMVFPG'[email protected]#UP"

View Slide

Packet analysis with mruby on Wireshark - dRuby as example

Packet analysis with mruby on Wireshark - dRuby as example

Misaki Shioi(塩井美咲/しおい)

More Decks by Misaki Shioi(塩井美咲/しおい)

Other Decks in Programming

Featured

Transcript