wireshark tcp stream split in lua script
-- This script is used to analyze TCP streams from the input
-- libpcap file.
-- This script currently only works well with tshark.
-- Usage:
-- tshark -X lua_script:TcpStreamAnalyze.lua -r inputfile -R display_filter
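do
  -- Display filter applied to the frame tap. Kept as a global, as in the
  -- original script, so it stays visible to anything else loaded in the same
  -- tshark session; edit it here to select other endpoints or ports.
  filter = "ip.addr == 192.168.201.53 && ip.addr == 192.168.201.46 && tcp.port == 80"

  -- streams_table[tcp.stream + 1] -> per-stream record (see tap.packet below).
  -- tcp.stream numbers every TCP conversation in the capture, not only the
  -- ones that match `filter`, so this array may have holes: neither `#` nor
  -- the removed table.getn() may be used on it. A separate counter is kept.
  local streams_table = {}
  local stream_count = 0

  -- Field extractors must be created at load time, before any frame is tapped.
  local tcp_stream_f = Field.new("tcp.stream")
  local tcp_srcport_f = Field.new("tcp.srcport")
  local tcp_dstport_f = Field.new("tcp.dstport")

  --- Convert a FieldInfo or NSTime value to a Lua number.
  -- Raises an error when the value is absent from the current frame (nil
  -- stringifies to "nil", which tonumber() rejects).
  -- @param v FieldInfo / NSTime / anything with a numeric string form
  -- @treturn number
  local function to_number(v)
    return assert(tonumber(tostring(v)))
  end

  --- Register the frame tap and its reset/packet/draw callbacks.
  local function init_listener()
    local tap = Listener.new("frame", filter)

    function tap.reset()
      -- nothing
    end

    --- Called once per frame matching `filter`. Records the earliest and
    -- latest relative timestamps, the port pair of the first packet seen,
    -- and the packet count for the frame's TCP stream.
    -- @param pinfo Pinfo of the current frame
    -- @param tvb Tvb of the current frame (unused)
    -- @param ip tap data (unused)
    function tap.packet(pinfo, tvb, ip)
      local tcp_stream = to_number(tcp_stream_f())
      local index = tcp_stream + 1 -- tcp.stream starts at 0, Lua arrays at 1
      local start_time = to_number(pinfo.rel_ts)
      local tcp_srcport = to_number(tcp_srcport_f())
      local tcp_dstport = to_number(tcp_dstport_f())

      local stream = streams_table[index]
      if stream == nil then
        -- first packet of this stream: its src/dst become port1/port2
        streams_table[index] = {
          tcp_stream = tcp_stream,
          start_time = start_time,
          stop_time = start_time,
          port1 = tcp_srcport,
          port2 = tcp_dstport,
          time = 0,
          packetcnt = 1
        }
        stream_count = stream_count + 1
        print(index)
      else
        -- frames may be processed out of timestamp order, so widen both bounds
        if start_time > stream.stop_time then
          stream.stop_time = start_time
        end
        if start_time < stream.start_time then
          stream.start_time = start_time
        end
        stream.time = stream.stop_time - stream.start_time
        stream.packetcnt = stream.packetcnt + 1
      end
    end

    --- Called when the capture has been fully read. Writes one tab-separated
    -- row per stream to tcpstreams.txt in the current directory, ordered by
    -- index, and prints the number of streams seen.
    function tap.draw()
      print("Total tcp stream: ", stream_count)
      local file = assert(io.open("tcpstreams.txt", "w"))
      file:write("#index\t",
                 "start_time\tstop_time\t",
                 "time\t",
                 "packetcnt\t",
                 "port1\tport2\tstream\n")

      -- pairs() order is unspecified and the index set may have holes, so
      -- sort the keys to produce a deterministic, index-ordered report
      -- (ipairs would stop at the first hole).
      local keys = {}
      for key in pairs(streams_table) do
        keys[#keys + 1] = key
      end
      table.sort(keys)

      for _, key in ipairs(keys) do
        local val = streams_table[key]
        file:write(key, "\t",
                   val.start_time, "\t", val.stop_time, "\t",
                   val.time, "\t",
                   val.packetcnt, "\t",
                   val.port1, "\t", val.port2, "\t",
                   val.tcp_stream, "\n")
      end
      file:close()
    end
  end

  init_listener()
end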