Ask Your Question
0

Adding a custom dissector to wireshark

asked 2020-02-11 20:25:53 +0000

bobsaccamano gravatar image

I have a dissector written in Lua for a custom protocol that I would like to decode in wireshark. I placed the Lua script in /usr/lib/x86_64-linux-gnu/wireshark/plugins/3.2/ and restarted wireshark. How can I load and apply the dissector on a sample pcap trace?

I am using wireshark v3.2.1 on Ubuntu 18.04.

Thanks in advance.

edit retag flag offensive close merge delete
add a comment

1 Answer

Sort by ยป oldest newest most voted
0

answered 2020-02-11 20:41:05 +0000

grahamb gravatar image

See the Developers Guide, Section 10 - Introduction to Lua.

edit flag offensive delete link more

Comments

Thanks @grahamb, had a look there! I loaded the Lua script explicitly by passing -X lua_script:<script_name> to wireshark while starting it.

I guess my issue is that when I load a pcap file and select a packet and hit "Decode as", I do not see my custom dissector. I checked also in Analyze --> Enabled Protocols for my custom protocol to no avail.

Any thoughts on what might be the issue? Do I need to rebuild wireshark in order to load the dissector?

Note that I built wireshark from source (it is the latest stable release).

P.S.: I double-checked the plugins directory in Help --> About --> Folders and ensured that the Lua script exists in both the Personal and Global plugins directory.

bobsaccamano gravatar imagebobsaccamano ( 2020-02-11 21:20:41 +0000 )edit

As it's a custom build, have you included Lua support? Post the contents of the Help -> About Wireshark, Wireshark tab.

grahamb gravatar imagegrahamb ( 2020-02-12 07:09:00 +0000 )edit

Turns out Lua was not enabled as wireshark 3.2.1 requires Lua version >= 5.1. So I installed Lua 5.2 from source and rebuilt wireshark with the correct paths (LUA_LIBRARY, LUA_INCLUDE_DIR etc.). it now finds the Lua installation, however complains that the header lua.h is missing.

So I checked the location of the Lua install and turns out my build has not copied the libs and headers in the configured path. I will now install Lua as Debian package and recheck.

Below the contents of Wireshark About:

3.2.1 (Git commit bf38a67724d0)

Compiled (64-bit) with Qt 5.9.5, with libpcap, without POSIX capabilities,
without libnl, with GLib 2.56.4, with zlib 1.2.11, without SMI, without c-ares,
without Lua, without GnuTLS, with Gcrypt 1.8.1, without Kerberos, without
MaxMind DB resolver, without nghttp2, without brotli, with LZ4, without
Zstandard, without Snappy ...
(more)
bobsaccamano gravatar imagebobsaccamano ( 2020-02-12 14:17:23 +0000 )edit

Not sure about lua, but quite often on Ubuntu you need the -dev package to get the libs and headers.

grahamb gravatar imagegrahamb ( 2020-02-12 14:35:18 +0000 )edit

Did install the -dev package but wireshark build fails with the same error. Rebuilt wireshark with the correct Lua install paths and it now works. Thanks again for your help. Much appreciated!

bobsaccamano gravatar imagebobsaccamano ( 2020-02-12 15:15:32 +0000 )edit
add a comment

Your Answer

Please start posting anonymously - your entry will be published after you log in or create a new account.

Add Answer

Question Tools

1 follower

subscribe to rss feed

Stats

Asked: 2020-02-11 20:25:53 +0000

Seen: 9,618 times

Last updated: Feb 11 '20

Related questions

writing a modular dissector plugin [closed]

how to invert two bytes in lua script dissector ?

Adjusting Bit order and Endianess in LUA between Dissectors

Reuse (part of) a Wireshark Dissector

how to decode part of a message as IPv4 with a custom dissector?

Use UDS dissector inside DoIP dissector

How to setup a totally new dissector for the data without UDP/TCP header

How to register LUA dissectors without GUI

Proprietary CAN dissector - dissector is never called

How to use two lua dissectors together ?