Hi, I'm basically just trying to get any lua script to execute. I found init.lua in my distribution at epan/wslua/init.lua. Is it in this file that I need to change "disable_lua" to false and "run_user_scripts_when_superuser" to true? Or do I need to copy this file somewhere else? (I see it says that wireshark will look for this script in the "global configuration directory", but I'm not really sure what that directory is. (I'm on a RedHat Linux platform.)

At this point, where do my scripts need to live in order for wireshark to find them?

I am actually not a root user on my machine, but I have Linux "Capabilities" that enable me to do packet sniffing. I wonder if I will be able to run lua scripts through wireshark if I'm not root.

asked 17 Aug '11, 13:06

JVo's gravatar image

JVo
16558
accept rate: 0%


Running Lua

Lua is enabled by default in Wireshark 1.4.0 and later. Assuming 1.4.0+, you shouldn't have to edit any files to use Lua.

Yes, you can run Lua as a non-root user. In fact, Wireshark purposely ignores Lua user scripts if you're root unless you set run_user_scripts_when_superuser to true ( from %PROGRAMFILES%\Wireshark\init.lua (Windows) or ${WIRESHARK_HOME}/share/wireshark/init.lua (Linux) ). The intention is to prevent accidentally executing potentially "dangerous" code.

Path to Lua scripts

Wireshark tries to load Lua files from all plugins directories (specified in the Wireshark manual). The file extensions must be ".lua" (case sensitive). Directories under plugins are searched recursively for Lua scripts. In the following tree, for example, files a through e are loaded at startup:

  • $HOME/.wireshark/plugins/a.lua
  • $HOME/.wireshark/plugins/foo/b.lua
  • $HOME/.wireshark/plugins/foo/bar/c.lua
  • $HOME/.wireshark/plugins/foo/bar/d.lua
  • $HOME/.wireshark/plugins/foo/bar/foo2/e.lua
  • $HOME/.wireshark/plugins/foo/bar/foo2/f.Lua (ignored due to ext mismatch)
  • $HOME/.wireshark/plugins/foo/bar/foo2/g.LUA (ignored due to ext mismatch)

Alternatively, you can specify the Lua file (with any extension) to load from the command line:

$ echo print \'hello world\' > /tmp/test.txt
$ tshark -v -Xlua_script:/tmp/test.txt

UPDATE: The next release of Wireshark (1.8.0) will not require the Lua file extension to be lower-case; it'll be case insensitive (regardless of the file system's case sensitivity). So, in the example above, f.Lua and g.LUA would be loaded at startup. This change took effect 25 Aug 2011 in SVN r38737 / Git c6eb911.

link

answered 17 Aug '11, 17:14

helloworld's gravatar image

helloworld
2.8k21940
accept rate: 27%

edited 06 Sep '11, 21:33

Well, it looks like I'm running wireshark 1.0.8, which precedes 1.4 (not sure why but this is what the sys admin loaded onto the machine). Thus, I guess I do need to change "disable_lua" to false, right?

(18 Aug '11, 08:49) JVo

For some reason when the root user and I each call the lines you have above, it executes differently. For me, it seems to disregard the fact that I am trying to run a lua script. It just prints out the version information and that's it. (When I had the root user do something similar yesterday it actually printed out an error stating that the script was an invalid "capture filter": but I notice that you have a space between "-X" and "lua_script", which we didn't...perhaps that was the problem. ?)

(18 Aug '11, 10:57) JVo

The "invalid capture filter" error is not a result of running the Lua script. That's simply a syntax error.

The space between -X and lua_script does not matter. Where is your Lua file located?

(18 Aug '11, 18:12) helloworld

Sorry, I realized today that when the root user was issuing the command they were using a lower case "x", not an upper case "X"....thus the strange error about the "invalid capture filter". When she uses an upper case X, the behavior is the same as it is for me. Basically, the version information gets printed and the lua script gets ignored.

(19 Aug '11, 10:19) JVo

I copied exactly what you put above; thus, the lua script is at /tmp/test.txt.

One issue could be that wireshark exists in multiple places. The wireshark binary had already been installed, after which I asked that the source code be brought over. That was put into /usr/local/src: I made a copy of this, put it elsewhere on the drive and built it. Do you think this could be a problem/

I've tried running tshark from both the original binary location and from the new location that I compiled. In both cases, it ignores my lua script.

(19 Aug '11, 10:24) JVo

The lua interpreter comes with wireshark, right? So, I don't have to install it separately? Was that the case for wireshark version 1.0.8 as well? I notice in the C source code, there's an #ifdef HAVE_LUA_5_1. (not sure whether or not that's set for me...or what determines whether it's set)

Thanks for all your help, BTW! Julie

(19 Aug '11, 10:42) JVo

So, it looks like when I ran "./configure" it automatically configured it as "Use lua library: no". This is the problem, right? I found online somebody who had to install lua separately and then run "./configure with_lua=[path]": http://www.wireshark.org/lists/wireshark-users/200707/msg00049.html This is a post from 2007, so perhaps since then, wireshark may now come with lua? or no?

(19 Aug '11, 12:19) JVo

No, having multiple binaries of Wireshark/Tshark is not a problem. I often use multiple versions for testing/dev purposes.

(19 Aug '11, 12:59) helloworld

It turns out that Wireshark versions prior to 1.2.0 do not include Lua unless explicitly requested during build configuration (via the configure script):

$ ${WIRESHARK-SRC}/configure --with-lua

The --with-lua parameter tells configure to check for Lua 5.1 and include it in the Wireshark build if it exists (by defining HAVE_LUA_5_1). Otherwise, configure complains that it can't find Lua.

(19 Aug '11, 12:59) helloworld

configure normally prints a summary at the end to indicate whether Lua will be built in (something like "Lua: yes"). You can also check your current binaries to see if Lua is there:

$ tshark -v | grep Lua

which should result in a string that contains: "with Lua 5.1" or "without Lua 5.1"

(19 Aug '11, 12:59) helloworld

Do you have any particular reason to not install the latest version of Wireshark?

(19 Aug '11, 13:14) helloworld

Nope, I'll request that my sys admin install the latest version of wireshark in that case. Thanks! I'm so glad to have received your help. The one thing that scares me about this stuff is that it seems like there aren't many people to ask questions to. Is there anywhere else I should go with questions aside from this forum?

(19 Aug '11, 14:21) JVo

You can try the Wireshark mailing lists, stackoverflow.com, or serverfault.com.

Getting a response from any of these places (including this Q&A site) is somewhat hit-or-miss. Some people aren't paying attention, don't know the answer, or choose not to answer for whatever reason (e.g., too busy with higher-priority things). I'm actually one of those people!

(19 Aug '11, 14:40) helloworld

Well, I'm lucky if I caught you on a slow week or something. Thanks again.

(19 Aug '11, 15:09) JVo

On windows, as of the current wireshark : 1.10.6 (64-Bit) My wireshark is in Program Files\Wireshark\

Lua scripts are NOT loaded from just the plugins directory, you must also include the version directory.

For example : This will not work : "C:\Program Files\Wireshark\plugins\d.lua"
But this will : "C:\Program Files\Wireshark\plugins\1.10.6\d.lua"

I wasted like an hour trying to understand why my lua script is not working and no errors too. (Doh!)

(08 Mar, 06:40) eitama

I don't think you're supposed to put your Lua script in that one.

If you go to the "Help" menu, and select "About Wireshark", a dialog window pops up. One of the tabs is named "Folders". Select that tab. You will then see a list of directories Wireshark uses for various things. The one with the version number you cited should be the "Global Plugins" directory. You should not put your Lua scripts in it - that's intended for things that come with Wireshark, I believe (which is why it uses a version number presumably).

Instead, you should put them in the directory labeled "Personal Plugins", I think. What is that directory for you? (I don't have a Windows system)

(08 Mar, 16:27) Hadriel
showing 5 of 16 show 11 more comments
Your answer
toggle preview

Follow this question

By Email:

Once you sign in you will be able to subscribe for any updates here

By RSS:

Answers

Answers and Comments

Markdown Basics

  • *italic* or _italic_
  • **bold** or __bold__
  • link:[text](http://url.com/ "Title")
  • image?![alt text](/path/img.jpg "Title")
  • numbered list: 1. Foo 2. Bar
  • to add a line break simply add two spaces to where you would like the new line to be.
  • basic HTML tags are also supported

Tags:

×195

Asked: 17 Aug '11, 13:06

Seen: 6,628 times

Last updated: 08 Mar, 16:27

powered by OSQA