Domů Procházet
Registrovat se Přihlásit se
parv.ashwani
/
WiresharkResetPlugin
1
0
Rozštěpit 0
Soubory Úkoly 0 Pull Requesty 0 Wiki
Procházet zdrojové kódy

Reset Plugin for Wireshark

parv.ashwani před 7 měsíci
rodič
8038ae2dec
revize
3943525e8c
1 změnil soubory, kde provedl 325 přidání a 0 odebrání
Rozdělené zobrazení Ukázat statistiku rozdílových dat
  1. 325 0
      nsrstplug.lua

+ 325 - 0
nsrstplug.lua
Zobrazit soubor 

@@ -0,0 +1,325 @@
 
+--------------------------------------------------------------------------------

+-- 1. Define a new protocol

+--------------------------------------------------------------------------------

+

+local citrix_reset_proto = Proto("citrix_reset", "Citrix ADC Reset Codes")

+

+--------------------------------------------------------------------------------

+-- 2. Define the fields for this protocol

+--------------------------------------------------------------------------------

+

+citrix_reset_proto.fields.reset_window = ProtoField.uint16(

+    "citrix_reset.window_size",

+    "Citrix Reset Window Size",

+    base.DEC

+)

+

+--------------------------------------------------------------------------------

+-- 3. Define field extractors from the existing TCP dissector

+--------------------------------------------------------------------------------

+

+local f_tcp_srcport       = Field.new("tcp.srcport")

+local f_tcp_dstport       = Field.new("tcp.dstport")

+local f_tcp_window_size   = Field.new("tcp.window_size")       -- or "tcp.window_size_value"

+local f_tcp_flags_reset   = Field.new("tcp.flags.reset")

+

+--------------------------------------------------------------------------------

+-- 4. Define the lookup table for Citrix ADC reset codes

+--------------------------------------------------------------------------------

+

+local window_size_lookup = {

+    [8196]  = "SSL bad record.",

+    [8201]  = "NSDBG_RST_SSTRAY, 8201 – NSDBG_RST_SSTRAY",

+    [8202]  = "NSDBG_RST_CSTRAY: Triggered when the NetScaler receives data on a connection with an expired SYN cookie.",

+    [8204]  = "Client retransmitted SYN with the wrong sequence number.",

+    [8205]  = "ACK number in the final ACK from peer during connection establishment is wrong.",

+    [8206]  = "Received a bad packet in TCPS_SYN_SENT state (non-RST). Possibly reused 4-tuple from old connection.",

+    [8207]  = "Received SYN on an established connection within the window. Protects from spoofing attacks.",

+    [8208]  = "Reset after receiving more than the configured number of duplicate retransmissions.",

+    [8209]  = "Memory allocation failure (system out of memory).",

+    [8210]  = "HTTP DoS protection triggered by a bad client request.",

+    [8211]  = "Cleanup of idle connections.",

+    [8212]  = "Stray SYN packet with no listening service or invalid SYN cookie.",

+    [8213]  = "Sure Connect feature, bad client sending post on a closing connection.",

+    [8214]  = "MSS in SYN exceeded NIC/VLAN MTU.",

+    [9100]  = "NSDBG_RST_ORP: Orphan HTTP connection timed out waiting for completion.",

+    [9212]  = "HTTP invalid request.",

+    [9214]  = "Cache resource store failed.",

+    [9216]  = "Cache async no memory.",

+    [9217]  = "HTTP state machine error from receiving content longer than specified Content-Length.",

+    [9218]  = "Terminated due to extra orphan data.",

+    [9219]  = "NSB allocation failure.",

+    [9220]  = "Could not allocate new NSB (various reasons).",

+    [9221]  = "vurl includes an invalid domain shard.",

+    [9222]  = "Response was RFC-noncompliant (e.g., both Content-Length and Transfer-Encoding invalid).",

+    [9300]  = "NSDBG_RST_ZSSSR: Zombie timer/idle timeout or service-down event.",

+    [9301]  = "NSDBG_RST_ZSSSR: Zombie timer/idle timeout or service-down event.",

+    [9302]  = "NSDBG_RST_ZSSSR: Zombie timer/idle timeout or service-down event.",

+    [9303]  = "NSDBG_RST_ZSSSR: Zombie timer/idle timeout or service-down event.",

+    [9304]  = "NSDBG_RST_LINK_GIVEUPS: Freed session after zero window probe limit exceeded.",

+    [9305]  = "Server ACK to SYN had an invalid ACK number.",

+    [9306]  = "TCP buffering undone due to duplicate TCPB enablement.",

+    [9307]  = "Small window protection triggered reset.",

+    [9308]  = "Small window protection triggered reset.",

+    [9309]  = "Small window protection triggered reset.",

+    [9310]  = "TCP keepalive probing failed.",

+    [9311]  = "DHT retry failed.",

+    [9400]  = "Reset server connections in reusepool that are not reusable.",

+    [9401]  = "Reset older connections to free capacity for new ones or when removing an entity with active connections.",

+    [9450]  = "SQL HS failed.",

+    [9451]  = "SQL response failed.",

+    [9452]  = "SQL request list failed.",

+    [9453]  = "SQL UNK not linked.",

+    [9454]  = "SQL NSB hold failed.",

+    [9455]  = "SQL Server First Packet.",

+    [9456]  = "SQL login response arrived before request.",

+    [9457]  = "SQL server login failed.",

+    [9458]  = "SQL no memory.",

+    [9459]  = "SQL bad server.",

+    [9460]  = "SQL link failed.",

+    [9600]  = "Reset if # of pkts with Sequence/ACK mismatch > nscfg_max_orphan_pkts.",

+    [9601]  = "Reset if # of data pkts with Sequence/ACK mismatch > nscfg_max_orphan_pkts.",

+    [9602]  = "SSL VPN CS probe limit exceeded.",

+    [9700]  = "NSDBG_RST_PASS: RST forwarded from client or server.",

+    [9701]  = "NSDBG_RST_ACK_PASS: RST + ACK forwarded from client or server.",

+    [9702]  = "Data received after FIN.",

+    [9704]  = "NSB dropped (hold limit or transaction error).",

+    [9800]  = "NSDBG_RST_PROBE: Monitoring service reset due to timeout.",

+    [9810]  = "Responses match the configured NAI status code.",

+    [9811]  = "NSDBG_RST_ERRHANDLER: Used with SSL after sending a Fatal Alert.",

+    [9812]  = "Connection flushing: existing IP removed from configuration.",

+    [9813]  = "Closing the SSF connection.",

+    [9814]  = "NSDBG_RST_PETRIGGER: Reset triggered by policy engine match.",

+    [9816]  = "Bad SSL record.",

+    [9817]  = "SSL connection changed while updating bound certificate.",

+    [9818]  = "Bad SSL header value.",

+    [9819]  = "Failed to allocate memory for SPCB.",

+    [9820]  = "SSL card operation failed.",

+    [9821]  = "SSL feature disabled; resetting the connection.",

+    [9822]  = "SSL cipher changed; old-cipher connection flush.",

+    [9823]  = "Malformed NSC_AAAC cookie or memory failure in certificate processing.",

+    [9824]  = "Reset on AAA orphan connections.",

+    [9825]  = "DBG_WRONG_GSLBRECDLEN: MEP error reset code, typically from version mismatch.",

+    [9826]  = "Insufficient memory for NET buffers.",

+    [9827]  = "Reset on SSL config change.",

+    [9829]  = "Reset on GSLB other site down/out of reach.",

+    [9830]  = "Reset for sessions matching ACL DENY rule.",

+    [9831]  = "Connection had no application data but needed it.",

+    [9832]  = "Application error.",

+    [9833]  = "Fatal SSL error.",

+    [9834]  = "Reset while flushing all SPCB (fips or hsm init).",

+    [9835]  = "DTLS record too large.",

+    [9836]  = "DTLS record zero length.",

+    [9837]  = "SSLv2 record too large.",

+    [9838]  = "NSBE_DBG_RST_SSL_BAD_RECORD: SSL record lookup error.",

+    [9839]  = "SSL max NSB hold limit reached.",

+    [9841]  = "SSL/DTLS split packet failure.",

+    [9842]  = "SSL NSB allocation failure.",

+    [9843]  = "Monitor wide IP probe.",

+    [9844]  = "SSL reneg max NSB limit or allocation failure.",

+    [9845]  = "Reset on Appsec policy.",

+    [9846]  = "Delta compression aborted or failed.",

+    [9847]  = "Delta compression aborted or failed.",

+    [9848]  = "Reset on new SSL connection accepted during config change.",

+    [9849]  = "GSLB conflict from misconfiguration.",

+    [9850]  = "DNS TCP connection untrackable (compact NSB failure, etc.).",

+    [9851]  = "DNS TCP failure (invalid payload length, etc.).",

+    [9852]  = "RTSP (ALG) session handling error.",

+    [9853]  = "MSSQL Auth response error.",

+    [9854]  = "Indirect GSLB sites tried to establish connection.",

+    [9855]  = "For HTTP/SSL vservers, SO threshold reached.",

+    [9856]  = "AppFW ASYNC failure.",

+    [9857]  = "Reset while flushing HTTP waiting PCB.",

+    [9858]  = "Reset on re-chunk abort.",

+    [9859]  = "New client connection deferrable by server on the label.",

+    [9860]  = "pcb->link cleaned, connection reset.",

+    [9861]  = "Push vserver connection reset if push disabled on client vserver.",

+    [9862]  = "Reset to client for duplicate server connection.",

+    [9863]  = "Reset old connection if new connection established but old one not freed.",

+    [9864]  = "CVPN HINFO restore failed.",

+    [9865]  = "CVPN MCMX error.",

+    [9866]  = "URL policy transform error.",

+    [9868]  = "MSSQL login errors.",

+    [9870]  = "SQL login parse error.",

+    [9871]  = "MSSQL memory allocation failure.",

+    [9872]  = "Websocket upgrade request dropped due to disabled Websocket in HTTP profile.",

+    [9873]  = "Agsvc MCMX failure.",

+    [9874]  = "NSB hold limit reached.",

+    [9875]  = "RADIUS request parse error.",

+    [9876]  = "RADIUS response parse error.",

+    [9877]  = "RADIUS request dropped.",

+    [9878]  = "RADIUS response dropped.",

+    [9879]  = "Invalid RADIUS request.",

+    [9880]  = "Invalid RADIUS response.",

+    [9881]  = "RADIUS no memory.",

+    [9882]  = "RADIUS link failed.",

+    [9883]  = "RADIUS unlinked.",

+    [9884]  = "RADIUS unexpected error.",

+    [9885]  = "RADIUS unhandled response.",

+    [9886]  = "RADIUS unhandled request.",

+    [9887]  = "RADIUS missing UNK.",

+    [9888]  = "RADIUS wrong UNK.",

+    [9889]  = "RADIUS UNK refcnt.",

+    [9890]  = "RADIUS UNK purge.",

+    [9891]  = "RADIUS tunnel reject.",

+    [9892]  = "RADIUS unknown error.",

+    [9893]  = "Monitor probe reset.",

+    [9894]  = "Monitor mark down.",

+    [9895]  = "Monitor probe flush.",

+    [9896]  = "Monitor payload too small.",

+    [9897]  = "SNMP wrong packet.",

+    [9898]  = "SNMP wrong version.",

+    [9899]  = "SNMP wrong community.",

+    [9900]  = "SNMP wrong community.",

+    [9901]  = "SNMP wrong PDU.",

+    [9902]  = "SNMP wrong type.",

+    [9903]  = "SNMP wrong request ID.",

+    [9904]  = "SNMP wrong error status.",

+    [9905]  = "SNMP wrong error index.",

+    [9906]  = "SNMP no such object.",

+    [9907]  = "SNMP no such instance.",

+    [9908]  = "SNMP too big.",

+    [9909]  = "SNMP read only.",

+    [9910]  = "SNMP gen error.",

+    [9911]  = "SNMP wrong encoding.",

+    [9912]  = "SNMP wrong length.",

+    [9913]  = "SNMP wrong value.",

+    [9914]  = "SNMP no memory.",

+    [9915]  = "SNMP no response.",

+    [9916]  = "SNMP not writable.",

+    [9917]  = "SNMP auth error.",

+    [9918]  = "SNMP wrong digest.",

+    [9919]  = "SNMP bad value.",

+    [9920]  = "SNMP not in MIB.",

+    [9921]  = "SNMP too many indices.",

+    [9922]  = "SNMP not enough indices.",

+    [9923]  = "SNMP wrong index type.",

+    [9924]  = "SNMP wrong index length.",

+    [9925]  = "SNMP wrong index value.",

+    [9926]  = "SNMP no such name.",

+    [9927]  = "SNMP wrong varbind list.",

+    [9928]  = "SNMP end of MIB.",

+    [9929]  = "SNMP too big for packet.",

+    [9930]  = "SNMP no such view.",

+    [9931]  = "SNMP no such context.",

+    [9932]  = "SNMP no such user.",

+    [9933]  = "SNMP not in view.",

+    [9934]  = "SNMP unsupported security level.",

+    [9935]  = "SNMP unsupported auth protocol.",

+    [9936]  = "SNMP unsupported priv protocol.",

+    [9937]  = "SNMP unknown user name.",

+    [9938]  = "SNMP unknown engine ID.",

+    [9939]  = "SNMP wrong security model.",

+    [9940]  = "SNMP bad security level.",

+    [9941]  = "SNMP bad engine ID.",

+    [9942]  = "SNMP bad user name.",

+    [9943]  = "SNMP bad auth protocol.",

+    [9944]  = "SNMP bad priv protocol.",

+    [9945]  = "SNMP bad security name.",

+    [9946]  = "SNMP bad security model.",

+    [9947]  = "SNMP bad message.",

+    [9948]  = "SNMP bad PDU.",

+    [9949]  = "SNMP bad SPI.",

+    [9950]  = "SNMP bad context.",

+    [9951]  = "SNMP bad security state ref.",

+    [9952]  = "SNMP bad security name.",

+    [9953]  = "SNMP bad community.",

+    [9954]  = "SNMP bad community uses.",

+    [9955]  = "SNMP bad community name.",

+    [9956]  = "SNMP bad community indexing.",

+    [9957]  = "SNMP bad party.",

+    [9958]  = "SNMP bad party uses.",

+    [9959]  = "SNMP bad party name.",

+    [9960]  = "SNMP bad party indexing.",

+    [9961]  = "SNMP bad party TDomain.",

+    [9962]  = "SNMP bad party TAddress.",

+    [9963]  = "SNMP bad party identity.",

+    [9964]  = "SNMP bad party TTimeout.",

+    [9965]  = "SNMP bad party TMaxMessageSize.",

+    [9966]  = "SNMP bad party priv proto.",

+    [9967]  = "SNMP bad party auth clock.",

+    [9968]  = "SNMP bad party auth lifetime.",

+    [9969]  = "SNMP bad party auth private.",

+    [9970]  = "SNMP bad party auth public.",

+    [9971]  = "SNMP bad party auth clock skew.",

+    [9972]  = "SNMP bad party auth truncated.",

+    [9973]  = "SNMP bad party auth wrong digest.",

+    [9974]  = "SNMP bad party auth wrong.",

+    [9975]  = "SNMP bad context.",

+    [9976]  = "SNMP bad context uses.",

+    [9977]  = "SNMP bad context name.",

+    [9978]  = "SNMP bad context indexing.",

+    [9979]  = "SNMP bad ACL.",

+    [9980]  = "SNMP bad ACL uses.",

+    [9981]  = "SNMP bad ACL name.",

+    [9982]  = "SNMP bad ACL indexing.",

+    [9983]  = "SNMP bad ACL party.",

+    [9984]  = "SNMP bad ACL context.",

+    [9985]  = "SNMP bad ACL privs.",

+    [9986]  = "SNMP bad view.",

+    [9987]  = "SNMP bad view uses.",

+    [9988]  = "SNMP bad view name.",

+    [9989]  = "SNMP bad view indexing.",

+    [9990]  = "SNMP bad view subtree.",

+    [9991]  = "SNMP bad view mask.",

+    [9992]  = "SNMP bad view type.",

+    [9993]  = "SNMP bad view storage.",

+    [9994]  = "SNMP bad view status.",

+    [9995]  = "SNMP bad MIB.",

+    [9996]  = "SNMP bad MIB name.",

+    [9997]  = "SNMP bad MIB syntax.",

+    [9998]  = "SNMP bad MIB write syntax.",

+    [9999]  = "SNMP bad MIB access.",

+    [10000] = "SNMP bad MIB status.",

+    [10001] = "SNMP bad MIB indexes.",

+    [10002] = "SNMP bad MIB deps.",

+    [10003] = "SNMP bad MIB inits."

+}

+

+--------------------------------------------------------------------------------

+-- 5. Dissection function

+--------------------------------------------------------------------------------

+

+function citrix_reset_proto.dissector(buffer, pinfo, tree)

+    -- Fetch extracted fields

+    local tcp_srcport = f_tcp_srcport()

+    local tcp_dstport = f_tcp_dstport()

+    local tcp_rstflag = f_tcp_flags_reset()

+    local tcp_win     = f_tcp_window_size()

+

+    -- If any required fields are nil, no further processing

+    if not (tcp_srcport and tcp_dstport and tcp_rstflag and tcp_win) then

+        return

+    end

+

+    -- Convert to numeric

+    local rst_val = tonumber(tostring(tcp_rstflag))

+    local win_val = tonumber(tostring(tcp_win))

+

+    -- Check if the RST flag is set

+    if rst_val == 1 and win_val then

+        local description = window_size_lookup[win_val]

+        if description then

+            -- Create a subtree for Citrix ADC info

+            local subtree = tree:add(

+                citrix_reset_proto,

+                buffer(),

+                "Citrix ADC Reset Info"

+            )

+            -- Add window size field

+            local item = subtree:add(

+                citrix_reset_proto.fields.reset_window,

+                buffer(),

+                win_val

+            )

+            -- Append textual description

+            item:append_text(" (" .. description .. ")")

+        end

+    end

+end

+

+--------------------------------------------------------------------------------

+-- 6. Register the post-dissector

+--------------------------------------------------------------------------------

+

+register_postdissector(citrix_reset_proto)