Skip to content

Instantly share code, notes, and snippets.

Embed
What would you like to do?
Wireshark post-dissector example (tested with Wireshark 2.0.6 and git master (2.3.x))
-- Wireshark post-dissector written in Lua
--
-- "Turns out #wireshark allows adding any field value as a column.
-- How about a column with a function of a value like strlen(x)+5 or log(x)?😁"
-- https://twitter.com/Wirefloss/status/790677617955344384
--
-- You were asking for what? Ok, here you go! An example of a Lua
-- post-dissector which adds a field to the Wireshark protocol tree which can
-- then be displayed as custom column. Have fun! ~ @Lekensteyn
--
-- Instructions:
-- 1. Install Lua dissector (copy into the plugins directory)
-- 2. Open the "Fake protocol" tree, right-click on the field and select
-- "Apply as Column".
--
-- Other references if you want to play:
-- https://wiki.wireshark.org/Lua/Dissectors#postdissectors
-- https://www.wireshark.org/docs/wsdg_html_chunked/wsluarm.html
-- https://www.wireshark.org/docs/wsdg_html_chunked/wsluarm_modules.html
-- Existing fields to use as input
local ip_src_field = Field.new("ip.src")
local tcp_srcport_field = Field.new("tcp.srcport")
local udp_srcport_field = Field.new("udp.srcport")
-- our fake protocol
local fake_proto = Proto("fake", "Fake protocol")
-- our fake fields
local number_field = ProtoField.float("fake.number", "Number")
local number2_field = ProtoField.float("fake.number2", "Number2")
local string_field = ProtoField.string("fake.string", "String")
-- register fields to the protocol
fake_proto.fields = {
number_field,
number2_field,
string_field,
}
function fake_proto.dissector(tvb, pinfo, tree)
-- Add a new protocol tree for out fields
local subtree = tree:add(fake_proto)
-- Calculate "strlen(x) + 5" where "x" is the first ip.src field value
-- Note: for technical reasons, tostring is needed to convert the internal
-- Address type to a Lua string.
local x = tostring(ip_src_field().value)
local n = #x + 5
-- Add the result to the tree (as number and as string)
subtree:add(number_field, n)
subtree:add(string_field, tostring(n))
-- Example for "log(x)"
-- Hack: support both tcp and udp ports
local port = tcp_srcport_field() or udp_srcport_field()
x = port.value
n = math.log(x)
subtree:add(number2_field, n)
end
-- Ensure that our dissector is invoked after dissection of a packet.
register_postdissector(fake_proto)
@gianmaxfactor

This comment has been minimized.

Copy link

gianmaxfactor commented Mar 13, 2018

Can I get as a variable the ethernet address of the capturing interface (to reference it dynamically in a post-dissector)? Thanks

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
You can’t perform that action at this time.