Skip to content

Instantly share code, notes, and snippets.

@jtai
Last active May 24, 2021 15:52
Show Gist options
  • Save jtai/8e53bde0dd24648b0d5a to your computer and use it in GitHub Desktop.
Save jtai/8e53bde0dd24648b0d5a to your computer and use it in GitHub Desktop.
Wireshark dissector to decode statsd protocol
-- Usage: tshark -X lua_script:statsd_dissector.lua -r capture.pcap
-- Usage: tshark -X lua_script:statsd_dissector.lua -T fields -e statsd.metric_name -e statsd.value -e statsd.metric_type -r capture.pcap
local statsd = Proto("statsd","Statsd Protocol")
local pf_metric_name = ProtoField.new("Metric Name", "statsd.metric_name", ftypes.STRING)
local pf_value = ProtoField.new("Value", "statsd.value", ftypes.STRING)
local pf_metric_type = ProtoField.new("Metric Type", "statsd.metric_type", ftypes.STRING)
statsd.fields = { pf_metric_name, pf_value, pf_metric_type }
function statsd.dissector(tvbuf,pktinfo,root)
local pktlen = tvbuf:reported_length_remaining()
local tvbr = tvbuf:range(0,pktlen)
-- <metric name>:<value>|<metric type>[|@<sample rate>]
local payload = tvbr:string()
local a, b, metric_name, value, metric_type = string.find(payload, "^([^:]+):([^|]+)|([^|]+)")
if a then
pktinfo.cols.protocol:set("Statsd")
pktinfo.cols.info:set(payload)
local pos = 0
local tree = root:add(statsd, tvbr)
tree:add(pf_metric_name, tvbuf:range(pos, metric_name:len()), metric_name)
pos = pos + metric_name:len() + 1
tree:add(pf_value, tvbuf:range(pos, value:len()), value)
pos = pos + value:len() + 1
tree:add(pf_metric_type, tvbuf:range(pos, metric_type:len()), metric_type)
pos = pos + metric_type:len()
end
end
DissectorTable.get("udp.port"):add(8125, statsd)
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment