-- event_extras.lua
-- Add extra event fields.
-- By Gerald Combs <gerald@wireshark.org>
-- Modified from https://wiki.wireshark.org/Lua/Examples/PostDissector
-- To use this script, place it in your personal Lua plugin directory.
-- You can find that by going to "About → Folders".
-- Links:
-- The Lua programming language
-- https://www.lua.org/
-- The Wireshark Developer's Guide Lua reference
-- https://www.wireshark.org/docs/wsdg_html_chunked/wsluarm.html
-- Wireshark Q&A
-- https://ask.wireshark.org/
-- The Wireshark development mailing list
-- wireshark-dev@wireshark.org
--
-- Setup.
-- The following code is run once during program startup
--
-- Extract evt. This will be added by the Falco bridge syscall
-- dissector before event_extras_p.dissector is called below.
-- Extractors for the Falco bridge "evt.*" fields this script reads.
-- They are created here, at load time, so they exist before any packet is
-- dissected; the postdissector below only reads the values they return and
-- performs no file or shell I/O of its own.
local evt_f, evt_dir_f, evt_buflen_f =
  Field.new("evt"), Field.new("evt.dir"), Field.new("evt.buflen")
local evt_is_io_read_f, evt_is_io_write_f =
  Field.new("evt.is_io_read"), Field.new("evt.is_io_write")

-- The event_extras protocol. Its subtree is appended to the packet details
-- view (shown in square brackets, as generated items are).
local event_extras_p = Proto("event_extras", "Event Extras")

-- Fields that appear under the event_extras subtree.
local ee_dir_fld = ProtoField.string("event_extras.dir", "Direction")
local ee_rw_fld = ProtoField.string("event_extras.rw", "R/W")
event_extras_p.fields = { ee_dir_fld, ee_rw_fld }

-- Run event_extras_p.dissector after each packet's normal dissection.
register_postdissector(event_extras_p)
--
-- Post-dissection.
-- The following code is run after each packet has been dissected.
--
-- This is where we add items to the tree.
-- Postdissector body, called once per packet after the other dissectors ran.
-- Reads the already-extracted "evt.*" field values and adds a hidden,
-- generated event_extras subtree holding a direction glyph and, for events
-- that carry a buffer length, a read/write glyph. Adds nothing when the
-- packet has no "evt" or "evt.dir" field. Only field values supplied by the
-- dissection engine are read; no file or shell I/O is performed.
-- @param tvb   packet buffer (unused; values come from the field extractors)
-- @param pinfo packet info (unused)
-- @param tree  root of the packet details tree to add the subtree to
function event_extras_p.dissector(tvb, pinfo, tree)
  -- Not a Falco bridge event: leave the tree untouched.
  if evt_f() == nil then
    return
  end
  local dir_fld = evt_dir_f()
  if dir_fld == nil then
    return
  end

  local extras = tree:add(event_extras_p)
  extras:set_generated()
  extras:set_hidden()

  -- ">" gets a down arrow; any other direction value gets an up arrow.
  -- Other candidate glyphs: ⬇︎ ↘︎ ➘ ⬊ / ⬆︎ ↗︎ ➚ ⬈ ↖︎ ⬉
  local dir_glyph
  if dir_fld.value == ">" then
    dir_glyph = "↓"
  else
    dir_glyph = "↑"
  end
  extras:add(ee_dir_fld, dir_glyph)

  -- Only events with a buffer length get an R/W marker; read wins over write.
  -- Other candidate glyphs: ▴ / ▾
  if evt_buflen_f() then
    local is_read = evt_is_io_read_f()
    local is_write = evt_is_io_write_f()
    if is_read and is_read.value == true then
      extras:add(ee_rw_fld, "▲")
    elseif is_write and is_write.value == true then
      extras:add(ee_rw_fld, "▼")
    end
  end
end