CrabeDeFrance / rtshark

Rust interface to tshark application

metadata position and size are zero after add whitelist or blacklist #21

Open tornadochen opened 2 days ago

tornadochen commented 2 days ago

Without whitelist/blacklist the output is as follows:

    Metadata { name: "modbus.func_code", value: "3", raw_value: None, display: ".000 0011 = Function Code: Read Holding Registers (3)", size: 1, position: 61 }
    Metadata { name: "modbus.reference_num", value: "12", raw_value: Some("000c"), display: "Reference Number: 12", size: 2, position: 62 }
    Metadata { name: "modbus.word_cnt", value: "2", raw_value: Some("0002"), display: "Word Count: 2", size: 2, position: 64 }

After adding whitelist/blacklist the size and position are 0:

    Metadata { name: "modbus.func_code", value: "3", raw_value: None, display: "", size: 0, position: 0 }
    Metadata { name: "modbus.reference_num", value: "12", raw_value: None, display: "", size: 0, position: 0 }

CrabeDeFrance commented 2 days ago

Hello, do you have a pcap file I can use to reproduce this issue ? Regards

tornadochen commented 5 hours ago

Hello CrabeDeFrance, I posted a simple test pcap file for your reference.

test.zip

    // Builder configuration used to produce the whitelisted output above.
    // Commented-out lines are alternative filters that were tried.
    let builder = rtshark::RTSharkBuilder::builder()
        .input_path("./test.pcapng")
        // .metadata_blacklist("iec60870_asdu.ioa")
        // .metadata_whitelist("iec60870_asdu.float")
        // .metadata_whitelist("ip.src")
        // .metadata_whitelist("ip.dst")
        // .metadata_whitelist("frame.time")
        .metadata_whitelist("modbus.func_code")
        .metadata_whitelist("modbus.reference_num")
        .metadata_whitelist("modbus.regnum16")
        .metadata_whitelist("modbus.regval_uint16");

tshark info is as follows:

TShark (Wireshark) 4.4.0.

Copyright 1998-2024 Gerald Combs gerald@wireshark.org and contributors. Licensed under the terms of the GNU General Public License (version 2 or later). This is free software; see the file named COPYING in the distribution. There is NO WARRANTY; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.

Compiled (64-bit) using GCC 13.2.0, with GLib 2.80.0, with libpcap, with POSIX capabilities (Linux), with libnl 3, with zlib 1.3, without zlib-ng, with PCRE2, with Lua 5.4.6, with GnuTLS 3.8.3 and PKCS #11 support, with Gcrypt 1.10.3, with Kerberos (MIT), with MaxMind, with nghttp2 1.59.0, with nghttp3 0.8.0, with brotli, with LZ4, with Zstandard, with Snappy, with libxml2 2.9.14, with libsmi 0.4.8, with binary plugins.

Running on Linux 6.8.0-45-generic, with Intel(R) Core(TM) i7-8565U CPU @ 1.80GHz (with SSE4.2), with 31788 MB of physical memory, with GLib 2.80.0, with libpcap 1.10.4 (with TPACKET_V3), with zlib 1.3, with PCRE2 10.42 2022-12-11, with c-ares 1.27.0, with GnuTLS 3.8.3, with Gcrypt 1.10.3, with nghttp2 1.59.0, with nghttp3 0.8.0, with brotli 1.1.0, with LZ4 1.9.4, with Zstandard 1.5.5, with libsmi 0.4.8, with LC_TYPE=en_US.UTF-8, binary plugins supported.

thanks,