Lua Support in Wireshark
Introduction
Wireshark has an embedded Lua interpreter. Lua is a powerful light-weight
programming language designed for extending applications. Lua is designed
and implemented by a team at PUC-Rio, the Pontifical Catholic University
of Rio de Janeiro in Brazil. Lua was born and raised at Tecgraf, the
Computer Graphics Technology Group of PUC-Rio, and is now housed at Lua.org.
Both Tecgraf and Lua.org are laboratories of the Department of Computer Science.
In Wireshark Lua can be used to write dissectors and taps.
Wireshark's Lua interpreter starts by loading init.lua that
is located in the global configuration directory of Wireshark.
Lua is disabled by default by setting the variable disable_lua
to true in init.lua. To enable lua the line that sets that variable
must be removed or commented out.
After loading init.lua from the data directory if lua is enabled
Wireshark will try to load a file named init.lua in the user's
directory.
The command line option -X lua_script:<file.lua> can be used to
load lua scripts as well.
The Lua code will be executed once after all the protocols have being initialized and before reading
any file.
Example of Dissector written in Lua
do
local p_multi = Proto("multi","MultiProto");
local vs_protos = {
[2] = "mtp2",
[3] = "mtp3",
[4] = "alcap",
[5] = "h248",
[6] = "ranap",
[7] = "rnsap",
[8] = "nbap"
}
local f_proto = ProtoField.uint8("multi.protocol","Protocol",base.DEC,vs_protos)
local f_dir = ProtoField.uint8("multi.direction","Direction",base.DEC,{ [1] = "incoming", [0] = "outgoing"})
local f_text = ProtoField.string("multi.text","Text")
p_multi.fields = { f_proto, f_dir, f_text }
local data_dis = Dissector.get("data")
local protos = {
[2] = Dissector.get("mtp2"),
[3] = Dissector.get("mtp3"),
[4] = Dissector.get("alcap"),
[5] = Dissector.get("h248"),
[6] = Dissector.get("ranap"),
[7] = Dissector.get("rnsap"),
[8] = Dissector.get("nbap"),
[9] = Dissector.get("rrc"),
[10] = DissectorTable.get("sctp.ppi"):get_dissector(3), -- m3ua
[11] = DissectorTable.get("ip.proto"):get_dissector(132), -- sctp
}
function p_multi.dissector(buf,pkt,root)
local t = root:add(p_multi,buf(0,2))
t:add(f_proto,buf(0,1))
t:add(f_dir,buf(1,1))
local proto_id = buf(0,1):uint()
local dissector = protos[proto_id]
if dissector ~= nil then
dissector:call(buf(2):tvb(),pkt,root)
elseif proto_id < 2 then
t:add(f_text,buf(2))
-- pkt.cols.info:set(buf(2,buf:len() - 3):string())
else
data_dis:call(buf(2):tvb(),pkt,root)
end
end
local wtap_encap_table = DissectorTable.get("wtap_encap")
local udp_encap_table = DissectorTable.get("udp.port")
wtap_encap_table:add(wtap.USER15,p_multi)
wtap_encap_table:add(wtap.USER12,p_multi)
udp_encap_table:add(7555,p_multi)
end
Example of Listener written in Lua
-- This program will register a menu that will open a window with a count of occurrences
-- of every address in the capture
do
local function menuable_tap()
-- Declare the window we will use
local tw = TextWindow.new("Address Counter")
-- This will contain a hash of counters of appereances of a certain address
local ips = {}
-- this is our tap
local tap = Listener.new();
function remove()
-- this way we remove the listener than otherwise will remain running indifinitelly
tap:remove();
end
-- we tell the window to call the remove() function when closed
tw:set_atclose(remove)
-- this function will be called once for each packet
function tap.packet(pinfo,tvb)
local src = ips[tostring(pinfo.src)] or 0
local dst = ips[tostring(pinfo.dst)] or 0
ips[tostring(pinfo.src)] = src + 1
ips[tostring(pinfo.dst)] = dst + 1
end
-- this function will be called once every few seconds to update our window
function tap.draw(t)
tw:clear()
for ip,num in pairs(ips) do
tw:append(ip .. "\t" .. num .. "\n");
end
end
-- this function will be called whenever a reset is needed
-- e.g. when reloading the capture file
function tap.reset()
tw:clear()
ips = {}
end
end
-- using this function we register our fuction
-- to be called when the user selects the Tools->Test->Packets menu
register_menu("Test/Packets", menuable_tap, MENU_TOOLS)
end
Wireshark's Lua API Reference Manual
This Part of the User Guide describes the Wireshark specific functions in the embedded Lua.
&WsLuaDumper;
&WsLuaField;
&WsLuaGui;
&WsLuaListener;
&WsLuaPinfo;
&WsLuaProto;
&WsLuaTree;
&WsLuaTvb;
&WsLuaUtility;