Domů Procházet
Registrovat se Přihlásit se
parv.ashwani
/
WiresharkResetPlugin
1
0
Rozštěpit 0
Soubory Úkoly 0 Pull Requesty 0 Wiki
Strom: 3943525e8c
Větve Značky
WiresharkResetP...
/
nsrstplug.lua

nsrstplug.lua 15 KB
Historie Surový

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264265266267268269270271272273274275276277278279280281282283284285286287288289290291292293294295296297298299300301302303304305306307308309310311312313314315316317318319320321322323324325 
  1. --------------------------------------------------------------------------------
    2. 

  2. -- 1. Define a new protocol
    3. 

  3. --------------------------------------------------------------------------------
    4. 

  4. 

  5. local citrix_reset_proto = Proto("citrix_reset", "Citrix ADC Reset Codes")
    6. 

  6. 

  7. --------------------------------------------------------------------------------
    8. 

  8. -- 2. Define the fields for this protocol
    9. 

  9. --------------------------------------------------------------------------------
    10. 

  10. 

  11. citrix_reset_proto.fields.reset_window = ProtoField.uint16(
    12. 

  12.     "citrix_reset.window_size",
    13. 

  13.     "Citrix Reset Window Size",
    14. 

  14.     base.DEC
    15. 

  15. )
    16. 

  16. 

  17. --------------------------------------------------------------------------------
    18. 

  18. -- 3. Define field extractors from the existing TCP dissector
    19. 

  19. --------------------------------------------------------------------------------
    20. 

  20. 

  21. local f_tcp_srcport       = Field.new("tcp.srcport")
    22. 

  22. local f_tcp_dstport       = Field.new("tcp.dstport")
    23. 

  23. local f_tcp_window_size   = Field.new("tcp.window_size")       -- or "tcp.window_size_value"
    24. 

  24. local f_tcp_flags_reset   = Field.new("tcp.flags.reset")
    25. 

  25. 

  26. --------------------------------------------------------------------------------
    27. 

  27. -- 4. Define the lookup table for Citrix ADC reset codes
    28. 

  28. --------------------------------------------------------------------------------
    29. 

  29. 

  30. local window_size_lookup = {
    31. 

  31.     [8196]  = "SSL bad record.",
    32. 

  32.     [8201]  = "NSDBG_RST_SSTRAY, 8201 – NSDBG_RST_SSTRAY",
    33. 

  33.     [8202]  = "NSDBG_RST_CSTRAY: Triggered when the NetScaler receives data on a connection with an expired SYN cookie.",
    34. 

  34.     [8204]  = "Client retransmitted SYN with the wrong sequence number.",
    35. 

  35.     [8205]  = "ACK number in the final ACK from peer during connection establishment is wrong.",
    36. 

  36.     [8206]  = "Received a bad packet in TCPS_SYN_SENT state (non-RST). Possibly reused 4-tuple from old connection.",
    37. 

  37.     [8207]  = "Received SYN on an established connection within the window. Protects from spoofing attacks.",
    38. 

  38.     [8208]  = "Reset after receiving more than the configured number of duplicate retransmissions.",
    39. 

  39.     [8209]  = "Memory allocation failure (system out of memory).",
    40. 

  40.     [8210]  = "HTTP DoS protection triggered by a bad client request.",
    41. 

  41.     [8211]  = "Cleanup of idle connections.",
    42. 

  42.     [8212]  = "Stray SYN packet with no listening service or invalid SYN cookie.",
    43. 

  43.     [8213]  = "Sure Connect feature, bad client sending post on a closing connection.",
    44. 

  44.     [8214]  = "MSS in SYN exceeded NIC/VLAN MTU.",
    45. 

  45.     [9100]  = "NSDBG_RST_ORP: Orphan HTTP connection timed out waiting for completion.",
    46. 

  46.     [9212]  = "HTTP invalid request.",
    47. 

  47.     [9214]  = "Cache resource store failed.",
    48. 

  48.     [9216]  = "Cache async no memory.",
    49. 

  49.     [9217]  = "HTTP state machine error from receiving content longer than specified Content-Length.",
    50. 

  50.     [9218]  = "Terminated due to extra orphan data.",
    51. 

  51.     [9219]  = "NSB allocation failure.",
    52. 

  52.     [9220]  = "Could not allocate new NSB (various reasons).",
    53. 

  53.     [9221]  = "vurl includes an invalid domain shard.",
    54. 

  54.     [9222]  = "Response was RFC-noncompliant (e.g., both Content-Length and Transfer-Encoding invalid).",
    55. 

  55.     [9300]  = "NSDBG_RST_ZSSSR: Zombie timer/idle timeout or service-down event.",
    56. 

  56.     [9301]  = "NSDBG_RST_ZSSSR: Zombie timer/idle timeout or service-down event.",
    57. 

  57.     [9302]  = "NSDBG_RST_ZSSSR: Zombie timer/idle timeout or service-down event.",
    58. 

  58.     [9303]  = "NSDBG_RST_ZSSSR: Zombie timer/idle timeout or service-down event.",
    59. 

  59.     [9304]  = "NSDBG_RST_LINK_GIVEUPS: Freed session after zero window probe limit exceeded.",
    60. 

  60.     [9305]  = "Server ACK to SYN had an invalid ACK number.",
    61. 

  61.     [9306]  = "TCP buffering undone due to duplicate TCPB enablement.",
    62. 

  62.     [9307]  = "Small window protection triggered reset.",
    63. 

  63.     [9308]  = "Small window protection triggered reset.",
    64. 

  64.     [9309]  = "Small window protection triggered reset.",
    65. 

  65.     [9310]  = "TCP keepalive probing failed.",
    66. 

  66.     [9311]  = "DHT retry failed.",
    67. 

  67.     [9400]  = "Reset server connections in reusepool that are not reusable.",
    68. 

  68.     [9401]  = "Reset older connections to free capacity for new ones or when removing an entity with active connections.",
    69. 

  69.     [9450]  = "SQL HS failed.",
    70. 

  70.     [9451]  = "SQL response failed.",
    71. 

  71.     [9452]  = "SQL request list failed.",
    72. 

  72.     [9453]  = "SQL UNK not linked.",
    73. 

  73.     [9454]  = "SQL NSB hold failed.",
    74. 

  74.     [9455]  = "SQL Server First Packet.",
    75. 

  75.     [9456]  = "SQL login response arrived before request.",
    76. 

  76.     [9457]  = "SQL server login failed.",
    77. 

  77.     [9458]  = "SQL no memory.",
    78. 

  78.     [9459]  = "SQL bad server.",
    79. 

  79.     [9460]  = "SQL link failed.",
    80. 

  80.     [9600]  = "Reset if # of pkts with Sequence/ACK mismatch > nscfg_max_orphan_pkts.",
    81. 

  81.     [9601]  = "Reset if # of data pkts with Sequence/ACK mismatch > nscfg_max_orphan_pkts.",
    82. 

  82.     [9602]  = "SSL VPN CS probe limit exceeded.",
    83. 

  83.     [9700]  = "NSDBG_RST_PASS: RST forwarded from client or server.",
    84. 

  84.     [9701]  = "NSDBG_RST_ACK_PASS: RST + ACK forwarded from client or server.",
    85. 

  85.     [9702]  = "Data received after FIN.",
    86. 

  86.     [9704]  = "NSB dropped (hold limit or transaction error).",
    87. 

  87.     [9800]  = "NSDBG_RST_PROBE: Monitoring service reset due to timeout.",
    88. 

  88.     [9810]  = "Responses match the configured NAI status code.",
    89. 

  89.     [9811]  = "NSDBG_RST_ERRHANDLER: Used with SSL after sending a Fatal Alert.",
    90. 

  90.     [9812]  = "Connection flushing: existing IP removed from configuration.",
    91. 

  91.     [9813]  = "Closing the SSF connection.",
    92. 

  92.     [9814]  = "NSDBG_RST_PETRIGGER: Reset triggered by policy engine match.",
    93. 

  93.     [9816]  = "Bad SSL record.",
    94. 

  94.     [9817]  = "SSL connection changed while updating bound certificate.",
    95. 

  95.     [9818]  = "Bad SSL header value.",
    96. 

  96.     [9819]  = "Failed to allocate memory for SPCB.",
    97. 

  97.     [9820]  = "SSL card operation failed.",
    98. 

  98.     [9821]  = "SSL feature disabled; resetting the connection.",
    99. 

  99.     [9822]  = "SSL cipher changed; old-cipher connection flush.",
    100. 

  100.     [9823]  = "Malformed NSC_AAAC cookie or memory failure in certificate processing.",
    101. 

  101.     [9824]  = "Reset on AAA orphan connections.",
    102. 

  102.     [9825]  = "DBG_WRONG_GSLBRECDLEN: MEP error reset code, typically from version mismatch.",
    103. 

  103.     [9826]  = "Insufficient memory for NET buffers.",
    104. 

  104.     [9827]  = "Reset on SSL config change.",
    105. 

  105.     [9829]  = "Reset on GSLB other site down/out of reach.",
    106. 

  106.     [9830]  = "Reset for sessions matching ACL DENY rule.",
    107. 

  107.     [9831]  = "Connection had no application data but needed it.",
    108. 

  108.     [9832]  = "Application error.",
    109. 

  109.     [9833]  = "Fatal SSL error.",
    110. 

  110.     [9834]  = "Reset while flushing all SPCB (fips or hsm init).",
    111. 

  111.     [9835]  = "DTLS record too large.",
    112. 

  112.     [9836]  = "DTLS record zero length.",
    113. 

  113.     [9837]  = "SSLv2 record too large.",
    114. 

  114.     [9838]  = "NSBE_DBG_RST_SSL_BAD_RECORD: SSL record lookup error.",
    115. 

  115.     [9839]  = "SSL max NSB hold limit reached.",
    116. 

  116.     [9841]  = "SSL/DTLS split packet failure.",
    117. 

  117.     [9842]  = "SSL NSB allocation failure.",
    118. 

  118.     [9843]  = "Monitor wide IP probe.",
    119. 

  119.     [9844]  = "SSL reneg max NSB limit or allocation failure.",
    120. 

  120.     [9845]  = "Reset on Appsec policy.",
    121. 

  121.     [9846]  = "Delta compression aborted or failed.",
    122. 

  122.     [9847]  = "Delta compression aborted or failed.",
    123. 

  123.     [9848]  = "Reset on new SSL connection accepted during config change.",
    124. 

  124.     [9849]  = "GSLB conflict from misconfiguration.",
    125. 

  125.     [9850]  = "DNS TCP connection untrackable (compact NSB failure, etc.).",
    126. 

  126.     [9851]  = "DNS TCP failure (invalid payload length, etc.).",
    127. 

  127.     [9852]  = "RTSP (ALG) session handling error.",
    128. 

  128.     [9853]  = "MSSQL Auth response error.",
    129. 

  129.     [9854]  = "Indirect GSLB sites tried to establish connection.",
    130. 

  130.     [9855]  = "For HTTP/SSL vservers, SO threshold reached.",
    131. 

  131.     [9856]  = "AppFW ASYNC failure.",
    132. 

  132.     [9857]  = "Reset while flushing HTTP waiting PCB.",
    133. 

  133.     [9858]  = "Reset on re-chunk abort.",
    134. 

  134.     [9859]  = "New client connection deferrable by server on the label.",
    135. 

  135.     [9860]  = "pcb->link cleaned, connection reset.",
    136. 

  136.     [9861]  = "Push vserver connection reset if push disabled on client vserver.",
    137. 

  137.     [9862]  = "Reset to client for duplicate server connection.",
    138. 

  138.     [9863]  = "Reset old connection if new connection established but old one not freed.",
    139. 

  139.     [9864]  = "CVPN HINFO restore failed.",
    140. 

  140.     [9865]  = "CVPN MCMX error.",
    141. 

  141.     [9866]  = "URL policy transform error.",
    142. 

  142.     [9868]  = "MSSQL login errors.",
    143. 

  143.     [9870]  = "SQL login parse error.",
    144. 

  144.     [9871]  = "MSSQL memory allocation failure.",
    145. 

  145.     [9872]  = "Websocket upgrade request dropped due to disabled Websocket in HTTP profile.",
    146. 

  146.     [9873]  = "Agsvc MCMX failure.",
    147. 

  147.     [9874]  = "NSB hold limit reached.",
    148. 

  148.     [9875]  = "RADIUS request parse error.",
    149. 

  149.     [9876]  = "RADIUS response parse error.",
    150. 

  150.     [9877]  = "RADIUS request dropped.",
    151. 

  151.     [9878]  = "RADIUS response dropped.",
    152. 

  152.     [9879]  = "Invalid RADIUS request.",
    153. 

  153.     [9880]  = "Invalid RADIUS response.",
    154. 

  154.     [9881]  = "RADIUS no memory.",
    155. 

  155.     [9882]  = "RADIUS link failed.",
    156. 

  156.     [9883]  = "RADIUS unlinked.",
    157. 

  157.     [9884]  = "RADIUS unexpected error.",
    158. 

  158.     [9885]  = "RADIUS unhandled response.",
    159. 

  159.     [9886]  = "RADIUS unhandled request.",
    160. 

  160.     [9887]  = "RADIUS missing UNK.",
    161. 

  161.     [9888]  = "RADIUS wrong UNK.",
    162. 

  162.     [9889]  = "RADIUS UNK refcnt.",
    163. 

  163.     [9890]  = "RADIUS UNK purge.",
    164. 

  164.     [9891]  = "RADIUS tunnel reject.",
    165. 

  165.     [9892]  = "RADIUS unknown error.",
    166. 

  166.     [9893]  = "Monitor probe reset.",
    167. 

  167.     [9894]  = "Monitor mark down.",
    168. 

  168.     [9895]  = "Monitor probe flush.",
    169. 

  169.     [9896]  = "Monitor payload too small.",
    170. 

  170.     [9897]  = "SNMP wrong packet.",
    171. 

  171.     [9898]  = "SNMP wrong version.",
    172. 

  172.     [9899]  = "SNMP wrong community.",
    173. 

  173.     [9900]  = "SNMP wrong community.",
    174. 

  174.     [9901]  = "SNMP wrong PDU.",
    175. 

  175.     [9902]  = "SNMP wrong type.",
    176. 

  176.     [9903]  = "SNMP wrong request ID.",
    177. 

  177.     [9904]  = "SNMP wrong error status.",
    178. 

  178.     [9905]  = "SNMP wrong error index.",
    179. 

  179.     [9906]  = "SNMP no such object.",
    180. 

  180.     [9907]  = "SNMP no such instance.",
    181. 

  181.     [9908]  = "SNMP too big.",
    182. 

  182.     [9909]  = "SNMP read only.",
    183. 

  183.     [9910]  = "SNMP gen error.",
    184. 

  184.     [9911]  = "SNMP wrong encoding.",
    185. 

  185.     [9912]  = "SNMP wrong length.",
    186. 

  186.     [9913]  = "SNMP wrong value.",
    187. 

  187.     [9914]  = "SNMP no memory.",
    188. 

  188.     [9915]  = "SNMP no response.",
    189. 

  189.     [9916]  = "SNMP not writable.",
    190. 

  190.     [9917]  = "SNMP auth error.",
    191. 

  191.     [9918]  = "SNMP wrong digest.",
    192. 

  192.     [9919]  = "SNMP bad value.",
    193. 

  193.     [9920]  = "SNMP not in MIB.",
    194. 

  194.     [9921]  = "SNMP too many indices.",
    195. 

  195.     [9922]  = "SNMP not enough indices.",
    196. 

  196.     [9923]  = "SNMP wrong index type.",
    197. 

  197.     [9924]  = "SNMP wrong index length.",
    198. 

  198.     [9925]  = "SNMP wrong index value.",
    199. 

  199.     [9926]  = "SNMP no such name.",
    200. 

  200.     [9927]  = "SNMP wrong varbind list.",
    201. 

  201.     [9928]  = "SNMP end of MIB.",
    202. 

  202.     [9929]  = "SNMP too big for packet.",
    203. 

  203.     [9930]  = "SNMP no such view.",
    204. 

  204.     [9931]  = "SNMP no such context.",
    205. 

  205.     [9932]  = "SNMP no such user.",
    206. 

  206.     [9933]  = "SNMP not in view.",
    207. 

  207.     [9934]  = "SNMP unsupported security level.",
    208. 

  208.     [9935]  = "SNMP unsupported auth protocol.",
    209. 

  209.     [9936]  = "SNMP unsupported priv protocol.",
    210. 

  210.     [9937]  = "SNMP unknown user name.",
    211. 

  211.     [9938]  = "SNMP unknown engine ID.",
    212. 

  212.     [9939]  = "SNMP wrong security model.",
    213. 

  213.     [9940]  = "SNMP bad security level.",
    214. 

  214.     [9941]  = "SNMP bad engine ID.",
    215. 

  215.     [9942]  = "SNMP bad user name.",
    216. 

  216.     [9943]  = "SNMP bad auth protocol.",
    217. 

  217.     [9944]  = "SNMP bad priv protocol.",
    218. 

  218.     [9945]  = "SNMP bad security name.",
    219. 

  219.     [9946]  = "SNMP bad security model.",
    220. 

  220.     [9947]  = "SNMP bad message.",
    221. 

  221.     [9948]  = "SNMP bad PDU.",
    222. 

  222.     [9949]  = "SNMP bad SPI.",
    223. 

  223.     [9950]  = "SNMP bad context.",
    224. 

  224.     [9951]  = "SNMP bad security state ref.",
    225. 

  225.     [9952]  = "SNMP bad security name.",
    226. 

  226.     [9953]  = "SNMP bad community.",
    227. 

  227.     [9954]  = "SNMP bad community uses.",
    228. 

  228.     [9955]  = "SNMP bad community name.",
    229. 

  229.     [9956]  = "SNMP bad community indexing.",
    230. 

  230.     [9957]  = "SNMP bad party.",
    231. 

  231.     [9958]  = "SNMP bad party uses.",
    232. 

  232.     [9959]  = "SNMP bad party name.",
    233. 

  233.     [9960]  = "SNMP bad party indexing.",
    234. 

  234.     [9961]  = "SNMP bad party TDomain.",
    235. 

  235.     [9962]  = "SNMP bad party TAddress.",
    236. 

  236.     [9963]  = "SNMP bad party identity.",
    237. 

  237.     [9964]  = "SNMP bad party TTimeout.",
    238. 

  238.     [9965]  = "SNMP bad party TMaxMessageSize.",
    239. 

  239.     [9966]  = "SNMP bad party priv proto.",
    240. 

  240.     [9967]  = "SNMP bad party auth clock.",
    241. 

  241.     [9968]  = "SNMP bad party auth lifetime.",
    242. 

  242.     [9969]  = "SNMP bad party auth private.",
    243. 

  243.     [9970]  = "SNMP bad party auth public.",
    244. 

  244.     [9971]  = "SNMP bad party auth clock skew.",
    245. 

  245.     [9972]  = "SNMP bad party auth truncated.",
    246. 

  246.     [9973]  = "SNMP bad party auth wrong digest.",
    247. 

  247.     [9974]  = "SNMP bad party auth wrong.",
    248. 

  248.     [9975]  = "SNMP bad context.",
    249. 

  249.     [9976]  = "SNMP bad context uses.",
    250. 

  250.     [9977]  = "SNMP bad context name.",
    251. 

  251.     [9978]  = "SNMP bad context indexing.",
    252. 

  252.     [9979]  = "SNMP bad ACL.",
    253. 

  253.     [9980]  = "SNMP bad ACL uses.",
    254. 

  254.     [9981]  = "SNMP bad ACL name.",
    255. 

  255.     [9982]  = "SNMP bad ACL indexing.",
    256. 

  256.     [9983]  = "SNMP bad ACL party.",
    257. 

  257.     [9984]  = "SNMP bad ACL context.",
    258. 

  258.     [9985]  = "SNMP bad ACL privs.",
    259. 

  259.     [9986]  = "SNMP bad view.",
    260. 

  260.     [9987]  = "SNMP bad view uses.",
    261. 

  261.     [9988]  = "SNMP bad view name.",
    262. 

  262.     [9989]  = "SNMP bad view indexing.",
    263. 

  263.     [9990]  = "SNMP bad view subtree.",
    264. 

  264.     [9991]  = "SNMP bad view mask.",
    265. 

  265.     [9992]  = "SNMP bad view type.",
    266. 

  266.     [9993]  = "SNMP bad view storage.",
    267. 

  267.     [9994]  = "SNMP bad view status.",
    268. 

  268.     [9995]  = "SNMP bad MIB.",
    269. 

  269.     [9996]  = "SNMP bad MIB name.",
    270. 

  270.     [9997]  = "SNMP bad MIB syntax.",
    271. 

  271.     [9998]  = "SNMP bad MIB write syntax.",
    272. 

  272.     [9999]  = "SNMP bad MIB access.",
    273. 

  273.     [10000] = "SNMP bad MIB status.",
    274. 

  274.     [10001] = "SNMP bad MIB indexes.",
    275. 

  275.     [10002] = "SNMP bad MIB deps.",
    276. 

  276.     [10003] = "SNMP bad MIB inits."
    277. 

  277. }
    278. 

  278. 

  279. --------------------------------------------------------------------------------
    280. 

  280. -- 5. Dissection function
    281. 

  281. --------------------------------------------------------------------------------
    282. 

  282. 

  283. function citrix_reset_proto.dissector(buffer, pinfo, tree)
    284. 

  284.     -- Fetch extracted fields
    285. 

  285.     local tcp_srcport = f_tcp_srcport()
    286. 

  286.     local tcp_dstport = f_tcp_dstport()
    287. 

  287.     local tcp_rstflag = f_tcp_flags_reset()
    288. 

  288.     local tcp_win     = f_tcp_window_size()
    289. 

  289. 

  290.     -- If any required fields are nil, no further processing
    291. 

  291.     if not (tcp_srcport and tcp_dstport and tcp_rstflag and tcp_win) then
    292. 

  292.         return
    293. 

  293.     end
    294. 

  294. 

  295.     -- Convert to numeric
    296. 

  296.     local rst_val = tonumber(tostring(tcp_rstflag))
    297. 

  297.     local win_val = tonumber(tostring(tcp_win))
    298. 

  298. 

  299.     -- Check if the RST flag is set
    300. 

  300.     if rst_val == 1 and win_val then
    301. 

  301.         local description = window_size_lookup[win_val]
    302. 

  302.         if description then
    303. 

  303.             -- Create a subtree for Citrix ADC info
    304. 

  304.             local subtree = tree:add(
    305. 

  305.                 citrix_reset_proto,
    306. 

  306.                 buffer(),
    307. 

  307.                 "Citrix ADC Reset Info"
    308. 

  308.             )
    309. 

  309.             -- Add window size field
    310. 

  310.             local item = subtree:add(
    311. 

  311.                 citrix_reset_proto.fields.reset_window,
    312. 

  312.                 buffer(),
    313. 

  313.                 win_val
    314. 

  314.             )
    315. 

  315.             -- Append textual description
    316. 

  316.             item:append_text(" (" .. description .. ")")
    317. 

  317.         end
    318. 

  318.     end
    319. 

  319. end
    320. 

  320. 

  321. --------------------------------------------------------------------------------
    322. 

  322. -- 6. Register the post-dissector
    323. 

  323. --------------------------------------------------------------------------------
    324. 

  324. 

  325. register_postdissector(citrix_reset_proto)
    326.