1 | initial version |
To avoid the need for recompiling Wireshark, you could consider implementing a Lua post-dissector that reformats the frame.time
field however you like. Below is one such Lua post-dissector that you may find useful. To use it, you will need to save it in your Wireshark plugins directory or explicitly specify to use it on the tshark command line.
    local framepost = Proto("framepost", "frame post-dissector")

    local pf = {
        ft = ProtoField.string("framepost.time", "Arrival Time")
    }

    -- Register protocol fields
    framepost.fields = pf

    -- Field extractor for the built-in frame.time field
    local ft = Field.new("frame.time")

    -- Map an abbreviated English month name to its number
    local function mon2num(mon)
        local mons = {
            ["Jan"] = 1, ["Feb"] = 2, ["Mar"] = 3, ["Apr"] = 4,
            ["May"] = 5, ["Jun"] = 6, ["Jul"] = 7, ["Aug"] = 8,
            ["Sep"] = 9, ["Oct"] = 10, ["Nov"] = 11, ["Dec"] = 12
        }
        return mons[mon]
    end

    function framepost.dissector(tvbuf, pinfo, tree)
        local ft_ex = ft()

        if ft_ex ~= nil then
            local framepost_tree = tree:add(framepost, "Frame Postdissector")
            -- Rewrite the "Mon D, YYYY" prefix as "YYYY-MM-DD"; the rest of the string is kept
            local ft = ft_ex.display:gsub('(%a+)%s+(%d+),%s+(%d+)(.)', function(m, d, y, t)
                --return y .. "-" .. mon2num(m) .. "-" .. d .. t
                return y .. "-" .. ("%02d"):format(mon2num(m)) .. "-" .. ("%02d"):format(d) .. t
            end)
            framepost_tree:add(pf.ft, ft)
        end
    end

    register_postdissector(framepost)
Example Usage:
    tshark -r 0001.pcap -X lua_script:framepost.lua -T fields -e framepost.time -e ip.src -e ip.dst
2 | No.2 Revision |
To avoid the need for recompiling Wireshark, you could consider implementing a Lua post-dissector that reformats the frame.time
field however you like. Below is one such Lua post-dissector that you may find useful. To use it, you will need to save it in your Wireshark plugins directory or explicitly specify to use it on the tshark command line.
    local framepost = Proto("framepost", "frame post-dissector")

    local pf = {
        ft = ProtoField.string("framepost.time", "Arrival Time")
    }

    -- Register protocol fields
    framepost.fields = pf

    -- Field extractor for the built-in frame.time field
    local ft = Field.new("frame.time")

    -- Map an abbreviated English month name to its number
    local function mon2num(mon)
        local mons = {
            ["Jan"] = 1, ["Feb"] = 2, ["Mar"] = 3, ["Apr"] = 4,
            ["May"] = 5, ["Jun"] = 6, ["Jul"] = 7, ["Aug"] = 8,
            ["Sep"] = 9, ["Oct"] = 10, ["Nov"] = 11, ["Dec"] = 12
        }
        return mons[mon]
    end

    function framepost.dissector(tvbuf, pinfo, tree)
        local ft_ex = ft()

        if ft_ex ~= nil then
            local framepost_tree = tree:add(framepost, "Frame Postdissector")
            -- Rewrite the "Mon D, YYYY" prefix as "YYYY-MM-DD"; the rest of the string is kept
            local ft = ft_ex.display:gsub('(%a+)%s+(%d+),%s+(%d+)(.)', function(m, d, y, t)
                --return y .. "-" .. mon2num(m) .. "-" .. d .. t
                return y .. "-" .. ("%02d"):format(mon2num(m)) .. "-" .. ("%02d"):format(d) .. t
            end)
            framepost_tree:add(pf.ft, ft)
        end
    end

    register_postdissector(framepost)
Example Usage:
    tshark -r 0001.pcap -X lua_script:framepost.lua -T fields -e framepost.time -e ip.src -e ip.dst
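A variant of the post-dissector above, added here as an example and not part of the original answer: it goes beyond the answer by building the timestamp from `frame.time_epoch` rather than parsing the `frame.time` display string, so the result is ISO 8601 in UTC regardless of the capture host's time zone or month-name formatting, which makes it easier to line packets up against log timestamps. The names `frameiso`, `frameiso.time_utc` and `iso8601_utc` are hypothetical, and the code assumes the field's value is an NSTime exposing `secs` and `nsecs`.

```lua
-- Added example, not the answer's code. Names frameiso / frameiso.time_utc /
-- iso8601_utc are hypothetical.

-- Format epoch seconds plus nanoseconds as YYYY-MM-DDTHH:MM:SS.nnnnnnnnnZ.
local function iso8601_utc(secs, nsecs)
    -- The leading "!" tells os.date to format in UTC, not local time.
    return os.date("!%Y-%m-%dT%H:%M:%S", secs) .. (".%09dZ"):format(nsecs)
end

if Proto then
    -- Running inside Wireshark/tshark: register the post-dissector.
    local frameiso = Proto("frameiso", "Frame ISO 8601 post-dissector")
    local pf_utc = ProtoField.string("frameiso.time_utc", "Arrival Time (UTC)")
    frameiso.fields = { pf_utc }

    -- Numeric arrival time; assumed to yield an NSTime value.
    local f_epoch = Field.new("frame.time_epoch")

    function frameiso.dissector(tvbuf, pinfo, tree)
        local fi = f_epoch()
        if fi == nil then
            return
        end
        local ts = fi.value
        local subtree = tree:add(frameiso, "Frame ISO 8601 Postdissector")
        subtree:add(pf_utc, iso8601_utc(ts.secs, ts.nsecs))
    end

    register_postdissector(frameiso)
else
    -- Running under a plain Lua interpreter: check the formatter against
    -- constructed sample values.
    assert(iso8601_utc(0, 0) == "1970-01-01T00:00:00.000000000Z")
    assert(iso8601_utc(1575558245, 123456) == "2019-12-05T15:04:05.000123456Z")
    print("iso8601_utc self-check passed")
end
```

Saved as `frameiso.lua`, it loads the same way as the script above (`-X lua_script:frameiso.lua`), with `-e frameiso.time_utc` selecting the new column.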