Get application data in net frame via tshark command line - wireshark

Here I need to parse a custom protocol in many .pcapng files. I want to directly filter and output the raw application data via the tshark command.
At first, I used the "-e data.data" option, but some of the application data could be decoded as another protocol, and then wouldn't be output by -e data.data.
Then I found a way: specify the "disable-protocol" file under the Wireshark profile folder. But I must take the profile file and deploy it before running the parse program on another PC.
And I tried disabling all the protocols except UDP and TCP, but it doesn't work.
I also disabled the known conflicting protocols; it works, but there may be the same mistake with other unknown protocols, and tshark's output still can't be trusted completely.
I work on Windows 7 and Wireshark 2.2, and use Python 2.7 for the parsing work.
In summary, what I want is a portable command line that can flexibly and directly output all data after the UDP information in a net frame.
Could I disable decoding on some ports by just adding options on the command line?
EDIT1:
I found that in Wireshark 1.12 there is a "Do not decode" option in the "Decode As..." dialog; if it is enabled, the display is what I want. But in Wireshark 2.2 they removed the option, and I still need a command line to do this filter.

After 48 hours and 26 views, there is still no response but one upvote.
I already gave up on this way, and decode the frame by myself.
What I want is the UDP srcport and dstport, and the application data.
Actually, every net frame has the same header length, so it's easy to strip the header by a fixed offset and get the specific data.
In my case, I just do some filtering and use the -x option for output, like this:
tshark -r xxx.pcapng -j udp -x
The output may look like this:
(just for example, not a real case)
Every line contains three parts: the first column is the offset reference, the next 16 columns are the bytes in hex, and the rest are the characters the data maps to.
My code:
import subprocess


def load_tshark_data(tshark_file_path):
    tshark_exe = "c:/Program Files/Wireshark/tshark.exe"
    # Print the hex dump (-x) of the UDP frames in the capture file
    output = subprocess.check_output([
        tshark_exe,
        "-r", tshark_file_path,
        "-j", "udp",
        "-x"
    ]).decode("ascii", "replace")   # text on both Python 2 and 3
    hex_buff = ""
    line_buff = ""
    for c in output:
        if c == "\n":
            if len(line_buff) > 54:
                # columns 5..52 hold the 16 hex byte values of this dump line
                hex_buff += line_buff[5:53]
            elif hex_buff:
                # a blank line ends the frame; the fixed offsets assume a 14-byte
                # Ethernet header and a 20-byte IPv4 header (UDP ports at 0x22
                # and 0x24, application data from 0x2a), 3 characters per byte
                src_port = int(hex_buff[0x22*3 : 0x24*3].replace(" ", ""), 16)
                dst_port = int(hex_buff[0x24*3 : 0x26*3].replace(" ", ""), 16)
                app_data = hex_buff[0x2a*3 : ].strip(" ")
                hex_buff = ""
                yield [src_port, dst_port, app_data]
            line_buff = ''
        else:
            line_buff += c
Hope this can help anyone also blocked by such a problem.
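A more robust way to pull the UDP ports and payload out of the tshark -x dump, added here as an example and not part of the original post: instead of fixed character offsets, it parses each dump line by its offset column, rebuilds the frame bytes, and then takes the Ethernet, IPv4 and UDP header lengths from the headers themselves, so VLAN-tagged frames, IP options and non-UDP frames don't silently yield garbage. It is written for Python 3 (the post uses Python 2.7); SAMPLE_DUMP is a constructed dump, not a real capture, and the line layout it assumes is the one described above (offset, 16 hex byte columns, ASCII column).

```python
import re
import struct

# Constructed sample of `tshark -r file.pcapng -x` output (not a real capture):
# one frame = 14-byte Ethernet + 20-byte IPv4 + 8-byte UDP header + 4 payload bytes.
SAMPLE_DUMP = """\
0000  00 11 22 33 44 55 66 77 88 99 aa bb 08 00 45 00   .."3DUfw......E.
0010  00 20 00 01 00 00 40 11 00 00 0a 00 00 01 0a 00   . ....@.........
0020  00 02 1f 90 00 35 00 0c 00 00 de ad be ef         .....5........

"""

# One hex-dump line: 4-digit offset, two spaces, 1..16 "xx" groups separated by a
# single space.  The ASCII column is separated by at least two spaces, so the
# pattern never runs into it.
HEX_LINE = re.compile(r"^([0-9a-fA-F]{4})  ((?:[0-9a-fA-F]{2} ){0,15}[0-9a-fA-F]{2})")


def parse_hex_dump(text):
    """Yield the raw bytes of each frame in a tshark -x dump.

    Frames are separated by blank lines; any line that is not a hex-dump line
    (e.g. the one-line packet summary) is ignored.  The offset column is checked
    against the byte count so a corrupted or out-of-order line is rejected.
    """
    frame = bytearray()
    for line in text.splitlines():
        m = HEX_LINE.match(line)
        if m:
            if int(m.group(1), 16) != len(frame):
                raise ValueError("unexpected offset in line: %r" % line)
            frame += bytes.fromhex(m.group(2).replace(" ", ""))
        elif not line.strip() and frame:
            yield bytes(frame)
            frame = bytearray()
    if frame:
        yield bytes(frame)


def extract_udp(frame):
    """Return (src_port, dst_port, payload) for an Ethernet/IPv4/UDP frame, else None.

    Header lengths are taken from the headers (802.1Q tag, IPv4 IHL, UDP length)
    instead of a fixed 42-byte offset, so frames with VLAN tags or IP options are
    parsed correctly and non-UDP or truncated frames are skipped.
    """
    if len(frame) < 14:
        return None
    ethertype = struct.unpack("!H", frame[12:14])[0]
    offset = 14
    if ethertype == 0x8100:            # 802.1Q VLAN tag: 4 more bytes before IP
        if len(frame) < 18:
            return None
        ethertype = struct.unpack("!H", frame[16:18])[0]
        offset = 18
    if ethertype != 0x0800:            # not IPv4
        return None
    ip = frame[offset:]
    if len(ip) < 20 or ip[0] >> 4 != 4:
        return None
    ihl = (ip[0] & 0x0F) * 4
    total_len = struct.unpack("!H", ip[2:4])[0]
    if ip[9] != 17 or ihl < 20 or total_len < ihl + 8 or len(ip) < total_len:
        return None                    # not UDP, or truncated
    udp = ip[ihl:total_len]
    src_port, dst_port, udp_len, _checksum = struct.unpack("!HHHH", udp[:8])
    if udp_len < 8 or udp_len > len(udp):
        return None
    return src_port, dst_port, bytes(udp[8:udp_len])


if __name__ == "__main__":
    for frame in parse_hex_dump(SAMPLE_DUMP):
        print(extract_udp(frame))
```

Feed it the text from `subprocess.check_output([...]).decode()` in place of SAMPLE_DUMP; frames that are not IPv4/UDP come back as None and can be dropped, instead of producing ports read from the wrong bytes.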

Related

Print QR-Code with curent EPC-number from RFID label to Printronix T4000

We bought a Printronix RFID printer T4304 with these details:
FirmwareP301189 V1.21A
Serial NumberT4K431948007
Our wish is to produce RFID labels with a QR code which includes the EPC number
of the label. The QR code shall look like this:
http://qr.mycompany.com/epc/E280689123456789012345
We were hoping to use it with the software NiceLabel. But NiceLabel
is only able to produce a QR code with only the EPC number, but not
with our http://qr.my..../epc/ in front.
I had the idea to save the print job as a file. So I was able to
manipulate the file and send that file as a print job to the Printronix
printer like this:
lpr -S 192.168.1.2 -P raw myprintjob.prn
I found the document PTX_PRM_PGL_P7_253642C.pdf
which describes how the printer language works. But I cannot
reach my goal.
My myprintjob.prn looks like this:
!PTX_SETUP
ENGINE-IMAGE_SHFT_H;0
ENGINE-IMAGE_SHFT_V;0
ENGINE-WIDTH;04146.
PTX_END
~NORMAL
~PIOFF
~DELETE LOGO;*ALL
~PAPER;INTENSITY 8;MEDIA 1;FEED SHIFT 0;CUT 0;PAUSE 0;TYPE 0;LABELS 2;SPEED IPS 6;SLEW IPS 6
~CREATE;FRM;99
SCALE;DOT;300;300
RFRTAG;96;EPC
96;DF511;H
STOP
ISET;0
FONT;FACE 92250
ALPHA
AF511;24;INV;POINT;329;1033;10;10;
STOP
BARCODE
QRCODE;INV;XD9;T2;E0;I1;95;843;
"http://qr.mycompany.com/epc/","EPCCODE"
STOP
END
~EXECUTE;FRM
~REPEAT;1
~AF511;<DF511>
~NORMAL
The result is a QR code which only includes the first part of the string:
"http://qr.mycompany.com/epc/"
but not the "EPCCODE". I am looking for a hint on how to do this.
Maybe I could find out the EPC code via REST or telnet or so and create a special print job for every single label?
Thanks for your help,
Richard
Printronix T4000, talk with port 9100 to get info from the printer
Author
Richard Lippmann, Stadt Zirndorf, EDV
Document information
name: talk-with-port9100-to-get-infos-from-printronix-rfid-printer.md
revision: 2021-12-02 - init
What I want to achieve
I want to know the RFID code of the label which is under the print head.
With this information I am able to build a print job with a QR code which includes
the RFID EPC.
I was not able to find out how to create a print job with a QR code.
I do not want this information in the QR code: ABC1234...567
But I want this information in the QR code: http://qr.mydomain.com/rfid/epc/ABC1234...567
With that I am able to take a picture of the label and go to a web application
which helps me further with the device the label is on.
Documentation, where to find information
The printer language is described in the document which is easy to google: PTX_PRM_PGL_P7_253642C.pdf
My environment
Printronix T4000 printer with an RFID unit to read the RFID from the current label.
How to get info back from my printer
Usually port 9100 is used to send a print job to the Printronix printer. Send the job,
don't receive data. But you can switch the printer to be verbose, to send
information back to you over the 9100 connection.
Glossary
EPC = this is the unique number which is in every RFID label, just like
a MAC address in a network card
PGL = the printer language. We can send print jobs with it, but also get information
from the printer about configuration etc.
A human connects to the printer via the Linux command line
ssh me#shell.mydomain.com
export MYPRINTER=192.168.100.3
nc -v $MYPRINTER 9100
Put verbose mode on
The printer usually only receives information, but does not talk back.
You have to switch on the back-communication.
~CONFIG
SNOOP;STATUS
END
Put verbose mode off
If you are programming this interface with a programming
language like Python, Perl, ... it's a good idea to switch
verbose mode off after you have done your job.
~CONFIG
SNOOP;OFF
END
IDENTITY
To see information:
put verbose mode on
send the ~IDENTITY command
put verbose mode off
~CONFIG
SNOOP;STATUS
END
~IDENTITY
The result is:
T43040,V1.21A,12,131072KB
STATUS
To see information:
put verbose mode on
send the ~IDENTITY command
put verbose mode off
~CONFIG
SNOOP;STATUS
END
~STATUS
The result is:
BUSY;0
PAPER;0
RIBBON;0
PRINT HEAD;0
COUNT;000
GAP;0
HEAD HOT;0
CUT COUNT;000000000
PRINT DIST;000001529
PRCT COMPLETE;000
TOF SYNCED;1
SENSED DIST;00450
END
Read one RFID EPC code from the current label
These are the things mentioned in this command:
~CREATE - start creating a new "form" (or subroutine to execute later)
VERIFY - the name of the subroutine we are creating. Keep it simple,
fewer than 15 characters, no special signs (see the docu PTX_PRM_PGL_P7_253642C
page 60 under "CREATE" and page 29 under "Form Name" for exact information)
NOMOTION - don't move the label to the next one after executing this job
DF511 = this is a variable name; there seem to be a lot of variables in the printer
which are called by their numbers: DF1, DF2, ... I don't know which one I am
allowed to use; DF511 seems to work
96 = the RFID EPCs on my labels are 96 bits long
H = hex numbers; the code is 96 bits long, but I would like to see it like this:
ABC1234...567
VERIFY - a command to send information to the command line.
~EXECUTE;VERIFY;1 - execute the form 1 time
~CONFIG
SNOOP;STATUS
END
~CREATE;VERIFY;432;NOMOTION
RFRTAG;96;EPC
96;DF511;H
STOP
VERIFY;DF511;H;*STARTEPC=*;*=ENDEPC\n*
END
~EXECUTE;VERIFY;1
~NORMAL
The result is:
STARTEPC=E28068940000501EC931EC87=ENDEPC
Read two RFID EPC codes
Reads 2 barcodes and gives back the EPC codes. With this command the labels get
sent (moved) through the printer.
These are the things mentioned in this command:
~CREATE - start creating a new "form" (or subroutine to execute later)
VERIFY - the name of the subroutine we are creating. Keep it simple,
fewer than 15 characters, no special signs (see the docu PTX_PRM_PGL_P7_253642C
page 60 under "CREATE" and page 29 under "Form Name" for exact information)
NOMOTION - don't move the label to the next one after executing this job
DF511 = this is a variable name; there seem to be a lot of variables in the printer
which are called by their numbers: DF1, DF2, ... I don't know which one I am
allowed to use; DF511 seems to work
96 = the RFID EPCs on my labels are 96 bits long
H = hex numbers; the code is 96 bits long, but I would like to see it like this:
ABC1234...567
VERIFY - a command to send information to the command line.
~EXECUTE;VERIFY;1 - execute the form 1 time
~CONFIG
SNOOP;STATUS
END
~CREATE;VERIFY;432
RFRTAG;96;EPC
96;DF511;H
STOP
VERIFY;DF511;H;*STARTEPC=*;*=ENDEPC\n*
END
~EXECUTE;VERIFY;2
~NORMAL
The result is:
STARTEPC=E28068940000501EC931EC87=ENDEPC
STARTEPC=E28068940000401EC931EC86=ENDEPC
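The exchange described in these notes (switch SNOOP on, send a command, read the reply, switch SNOOP off) as a Python 3 script. This is an added example, not code from the notes above or from Printronix. The PGL text is copied from the commands above; everything else is an assumption of this example: that the printer accepts "\n" line endings, answers one line per reply on the same 9100 connection, and that reading can stop on a half-close or a timeout. fake_printer is a constructed stand-in that returns the replies shown above so the script runs offline; for a real device, call pgl_query with the printer's address and port 9100 instead.

```python
import re
import socket
import threading

# PGL text taken from the commands above.  That the printer accepts "\n" line
# endings and answers one line per reply are assumptions of this example.
SNOOP_ON = "~CONFIG\nSNOOP;STATUS\nEND\n"
SNOOP_OFF = "~CONFIG\nSNOOP;OFF\nEND\n"
READ_EPC_FORM = (
    "~CREATE;VERIFY;432;NOMOTION\n"
    "RFRTAG;96;EPC\n"
    "96;DF511;H\n"
    "STOP\n"
    "VERIFY;DF511;H;*STARTEPC=*;*=ENDEPC\\n*\n"
    "END\n"
    "~EXECUTE;VERIFY;1\n"
    "~NORMAL\n"
)
# A 96-bit EPC is exactly 24 hex digits; anything else is rejected rather than
# copied into a URL or a print job.
EPC_RE = re.compile(r"STARTEPC=([0-9A-F]{24})=ENDEPC")


def pgl_query(host, port, job, timeout=5.0):
    """Send a PGL job on the raw printing port and return the reply lines.

    Verbose mode is switched on before the job and off again afterwards, as the
    notes above recommend.  After sending, the write side is half-closed and
    replies are read until the printer closes the connection or `timeout`
    seconds pass without data.
    """
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall((SNOOP_ON + job + SNOOP_OFF).encode("ascii"))
        sock.shutdown(socket.SHUT_WR)
        reply = b""
        while True:
            try:
                chunk = sock.recv(4096)
            except socket.timeout:
                break
            if not chunk:
                break
            reply += chunk
    return reply.decode("ascii", "replace").splitlines()


def extract_epcs(lines):
    """Return the EPCs from VERIFY output lines that match the expected framing."""
    return [m.group(1) for m in (EPC_RE.search(line) for line in lines) if m]


def fake_printer(conn):
    """Constructed stand-in for the printer so the example runs offline.

    It answers ~IDENTITY and the EPC form with the replies shown above, but
    only while SNOOP is on, and hangs up once the client stops sending.
    """
    snoop, buf = False, b""
    with conn:
        while True:
            chunk = conn.recv(4096)
            if not chunk:
                return
            buf += chunk
            while b"\n" in buf:
                line, buf = buf.split(b"\n", 1)
                line = line.decode("ascii", "replace").strip()
                if line == "SNOOP;STATUS":
                    snoop = True
                elif line == "SNOOP;OFF":
                    snoop = False
                elif snoop and line == "~IDENTITY":
                    conn.sendall(b"T43040,V1.21A,12,131072KB\n")
                elif snoop and line == "~EXECUTE;VERIFY;1":
                    conn.sendall(b"STARTEPC=E28068940000501EC931EC87=ENDEPC\n")


def start_fake_printer():
    """Listen on a random localhost port in a background thread; return (host, port)."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)

    def serve():
        while True:
            conn, _ = srv.accept()
            fake_printer(conn)

    threading.Thread(target=serve, daemon=True).start()
    return srv.getsockname()


if __name__ == "__main__":
    host, port = start_fake_printer()   # replace with the printer's address and 9100
    print(pgl_query(host, port, "~IDENTITY\n"))
    print(extract_epcs(pgl_query(host, port, READ_EPC_FORM)))
```

Two design points: SNOOP is turned off in the same session that turned it on, so the printer is not left chatty for the next client on the shared port, and the EPC is validated as exactly 24 hex digits before it is used to build a QR URL or another print job, so a malformed or unexpected reply is dropped instead of being printed.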

Getting Google Drive to output PS link

If I send the usual
/Border [ 0 0 0] % [0 0 0 ] = none; [0 0 2] = debug
/Color [ .7 0 0 ]
/Action <</Subtype /URI /URI cururlname>>
/ANN % annotation type
pdfmark % call pdf operators
} def
to a PostScript program, Distiller provides the link just fine.
Google Drive generates a link-free image, as does Ghostscript.
How do I get Google Drive to generate a live link or an actual PDF file?
I suspect some non-obvious command line entry is needed.
I'd expect working links both internal to Google Drive and elsewhere on the web on a produced .PDF output.
That doesn't appear to be a complete pdfmark definition. There's no mark and you seem to be missing the Subtype for the annotation (there's a Subtype of URI for the Action but nothing for the annotation), there's also no Rect, which makes it difficult for the consumer to know where to place the annotation....
Eliding the Annotation Subtype causes Ghostscript's pdfwrite device to write it out as a Text annotation (its default). Eliding the Rect, but making the Annotation Subtype /Link, the pdfwrite device emits a Link Annotation, but Acrobat doesn't seem to actually display it anywhere.
If I borrow the example from page 23 of the pdfmark reference version 9 (from 2008, which is the most recent I have) and wrap it up as PostScript:
%!
[ /Rect [50 425 295 445] /Action << /Subtype /URI /URI (http://www.adobe.com) >> /Border [0 0 2] /Color [.7 0 0] /Subtype /Link /ANN pdfmark
showpage
Then use Ghostscript:
gs -sDEVICE=pdfwrite -o out.pdf test.ps
The resulting file contains an Annot, of type Link, with a URI:
5 0 obj
<</Type/Page/MediaBox [0 0 595 842]
/Parent 3 0 R
/Resources<</ProcSet[/PDF]
/ExtGState 9 0 R
>>
/Annots[4 0 R]/Contents 6 0 R
>>
endobj
...
4 0 obj
<</Type/Annot
/Rect [50 425 295 445]
/Border [0 0 2]
/C [0.7 0 0]
/A<</URI(http://www.adobe.com)
/S/URI>>
/Subtype/Link>>endobj
Which Acrobat correctly displays as a Rectangle, and launches my web browser when I click in it.
Since your example isn't complete, I can't test it, but I can't see a problem here myself.
[EDIT]
Edited to add answers to the comments below; there was too much to write in a comment:
1) Your original file, using the same simple Ghostscript command line as in my answer, produces a PDF file with two links, both of which I can click in Acrobat and which launch a browser with the correct URL. So for me, using the current version of Ghostscript, your code works as expected. Perhaps I'm missing something. I've put my output file here
2) I cannot answer questions relating to Google Drive, I don't use it and don't have any idea how it works. If it converts to PDF then I can't see any reason that wouldn't work as is.
3) You can't build a Ghostscript command line into a PostScript procedure, or at least, not use it usefully afterwards; that's not how the command line works. Technically you could use setpagedevice to set the device, and OutputFile, but you cannot set the input file any way other than the command line, though you could use the run operator. None of that will work if Ghostscript is started in SAFER mode and I would be amazed if Google is using Ghostscript and not using SAFER.
You can use the product operator to distinguish between interpreters, but since it returns a string you would have to write your own string compare to check for Distiller vs Ghostscript. Obviously your code would be executed contingent on the content of the string. Distiller returns (Distiller) and Ghostscript returns (GPL Ghostscript).
[Edit #2]
The Ghostscript command line is, unfortunately, a thing of horror :-( No excuses, it's simply that it is an old program, worked on by many developers over the decades, and once something is implemented it's all but impossible to remove; there are howls of protest when that gets attempted.
Which one of the files you link to shouldn't work? #21 doesn't work for me because it uses hard-coded filenames. If I set want_to_trace to false instead of true it produces a file. Possibly that doesn't 'work' but since I'm not sure what to expect it's hard to tell.
To get the file to work with want_to_trace true, I had to modify all the hard-coded paths in the program. Once I did that, I get a PDF file which has a working link (that is, Acrobat opens my web browser to a file on your site, or would if I were to let it).
You don't say what happens when you try to execute the program; in what way does it fail? I would guess, personally, that the problem is that Ghostscript is executing in SAFER mode, in which case you won't be able to open the JPEG file; it will throw an invalidaccess error.

Sending IFS File to Outq Prints Line of "#" Symbols

I am attempting to send a file from IFS to an outq on our AS/400 system. Whenever I do, I get exactly what I send, as well as a line of "#" symbols of varying lengths appended to the end.
Here's the command I'm using:
qsh cmd('cat -c /path/test.txt | Rfile -wbQ -c "ovrprtf file(qprint)
outq(*LIBL/ABCD) devtype(*USERASCII) rplunprt(*no) splfname(test) hold(*no)"
qprint')
The contents of test.txt is just Hello World!
The output I get when I send the command is
Hello World!####################################################################
I have not found any posts online about a similar problem, and have tried changing values and looking for additional switches to get it to work. Nothing I'm doing seems to fix the issue.
Is there a command or switch that I am missing, or is something I have in there already causing this?
EDIT:
I found this documentation which is the first time I've seen this issue mentioned, but it's not very helpful:
“Messages for a Take Action command might consist of a long string of "at" symbols (#) in a pop-up message. (The Reflex automation Take Action command, which is configured in situations, does not have this problem.) A resolution for this problem is under construction. This problem might be resolved by the time of the product release. If you see this problem, contact IBM Software Support.”
The only differences are: 1) this is not a pop-up message, it's printed. 2) I don't believe we use Tivoli Monitoring, although I could be wrong.
Assuming we do use Tivoli Monitoring, what would the solution be? There's no additional documentation past that, and I am not a system administrator, so I can't really make the call to IBM Software Support myself. And assuming we DON'T use it, what else could cause this issue?
I get different results, yet similar. I created a test.txt with Windows Explorer, put in Hello, world!, saved it and tried the script. I got gibberish for the 'Hello, world!' and then the line of # symbols.
My system is 7.3 TR5, CCSID 37 (US English) and my IFS file is CCSID 1252 (Windows English). Results did not change if I used a stream file of CCSID 819 (US ASCII).
I didn't have any luck modifying Rfile switches.
I found that removing devtype(*userascii) produced printed output in plain English without the # symbols. Do you really need *USERASCII? I would think that would be more for a pre-formatted 'print-ready' file like Postscript or the like.
EDIT: some more things to try
I don't understand why *USERASCII is adding those # symbols; it looks like a translation issue.
I tried this and still got the extra ###... You might have to play with the TOCCSID() parameter. Although a failure, it did give me an idea: what if those # symbols are EBCDIC spaces being sent as-is to the *USERASCII print stream? All we'd need is a way to send only the number of bytes in the stream file, without any padding.
CRTPF FILE(QTEMP/PRTSTMF) RCDLEN(132)
CPY OBJ('/path/test.txt') TOOBJ('/qsys.lib/qtemp.lib/prtstmf.file/prtstmf.mbr') replace(*yes)
ovrprtf file(qprint) outq(*LIBL/prt3812) devtype(*USERASCII) rplunprt(*no) splfname(test) hold(*no)
cpyf prtstmf qprint
The data in QTEMP/PRTSTMF is in ASCII; DSPPFM shows that much. It also shows a bunch of spaces: after all, it is a fixed length file. My next step was to write an RPG program to read the stream file and print it, but Scott Klement already did that: http://www.scottklement.com/PrtStmf.zip
This works on my system:
ovrprtf file(qsysprt) outq(*LIBL/abcd) devtype(*USERASCII) rplunprt(*no) splfname(test) hold(*no)
prtstmf stmf('/path/test.txt') outq(abcd)

Wireshark Dissector in Lua error: "Tree item ProtoField/Protocol handle is invalid"

I'm new to Lua altogether, and this is my first attempt at writing a Wireshark dissector.
I want to analyze SSH without a cipher via a Lua script. I wrote a script to detect the packet length and padding length as the first step.
Here is my script:
do
    local p_test = Proto("test", "Test.")
    local f_packet_length = ProtoField.uint32("packet_length")
    local f_padding_length = ProtoField.uint8("padding_length")
    p_test.fields = {
        f_packet_length,
        f_padding_length
    }
    function p_test.dissector(buf, pkt, root)
        local offset = 0
        local buf_len = buf:len()
        local t = root:add(p_test, buf:range(offset))   -- subtree for this protocol
        t:add(f_packet_length, buf:range(offset, 4))    -- SSH packet_length: uint32
        offset = offset + 4
        t:add(f_padding_length, buf:range(offset, 1))   -- SSH padding_length: uint8
        offset = offset + 1
    end
    local tcp_table = DissectorTable.get("tcp.port")
    tcp_table:add(22, p_test)                           -- attach to TCP port 22
end
After I ran the code through Evaluate Lua and applied the "test" filter, I found that there is an error in Packet Details:
Lua Error: [string "do..."]:19: Tree item ProtoField/Protocol handle is invalid (ProtoField/Proto not registered?)
Line 19 corresponds to the t:add(f_packet_length... line.
Could anyone help to explain this error?
Thanks in advance.
Your code above will work fine if it's in a real Lua script for Wireshark, either by being in a .lua file in the personal plugins directory, or by being loaded with the "-X lua_script:<filename>" command-line switch.
But you can't register a new protocol in the Tools->Evaluate window, because it's too late by then to register a new protocol (or new fields). Unfortunately the error Wireshark reports isn't clear about that, because it sort of half works, but really it's not working and cannot work.
The problem is that new protocol registration happens in two phases internally: the first phase is when the Lua scripts are loaded and executed, which adds the protocol and fields to an internal temporary table; then, after all the Lua scripts have loaded, the second phase moves the new protocols and fields from the temporary table into their final run-time tables and registers them, and then Wireshark finishes loading and you see the GUI. That second phase happens once and only once, when Wireshark first starts up. But running the Tools->Evaluate window happens after all that, so it's too late.

Lua - io.read sends me an echo back when I read from serial port - why?

I am writing code in Lua to read from a serial port, but when I read I receive an echo back. The code:
print("Dragino Uart Test started\n")
while 1 do
    serialin = io.open("/dev/ttyS0", "r")
    print(serialin:read()) -- print the data
    serialin:close()
end
When I open minicom to send it some data, I enable local echo, then I type "text" and I see:
tteexxtt
Then I need to press enter to see my message in my Lua script.
I am using OpenWrt on a Dragino.
It seems that it is like a command prompt where you type everything that you see, and you need to press enter to send your command.
Is there any other way to read and write to/from a serial port?
Can somebody help me please? Thank you so much!
The read method with no arguments reads a full line. That's why you need to press enter at the end of the text. Try reading one byte at a time with :read(1) or all of it with :read("*a").
I don't know if this is still an issue for someone, but maybe this helps a few people. Like lhf said, :read(1) is a great way of doing this. I had a few problems with :read("*a") though. In my opinion the easiest way of doing this is to append the answer piece by piece like:
rserial = io.open("/dev/ttyS0", 'r')
lines = ""
EOD = false
repeat
    local line = rserial:read(1)           -- one byte at a time; nil when the port closes
    if line then
        lines = lines .. line
    end
    -- OED is here the stream ending. This can vary.
    -- A single byte can never equal "OED", so test the last three bytes received.
    if string.sub(lines, -3) == "OED" then
        lines = string.sub(lines, 1, -4)   -- drop the marker itself
        EOD = true
    elseif line == nil then                -- no more data: stop instead of erroring
        EOD = true
    end
until EOD == true
rserial:close()
print(lines)
