Ask Your Question
0

Tshark LUA Script

asked 2021-02-14 01:03:28 +0000

moraist gravatar image

updated 2021-02-16 20:32:52 +0000

cmaynard gravatar image

I am trying to run a Lua script (filtcols.lua) from tshark in the same way as I do from the Wireshark GUI (filtcols.info contains "string"), but I am getting a syntax error. How can I do that in the tshark?

edit retag flag offensive close merge delete

Comments

filtcols is a work around for fields that are available in tshark but not in wireshark.

Any reason for not using the _ws.col fields in tshark?

$ tshark -r captureFile.pcap -T fields -e _ws.col.Protocol -e _ws.col.Info

Chuckc gravatar imageChuckc ( 2021-02-14 03:50:06 +0000 )edit
add a comment

1 Answer

Sort by ยป oldest newest most voted
0

answered 2021-02-16 22:00:37 +0000

cmaynard gravatar image

As Chuck mentions, the filtcols.lua script shouldn't be needed with tshark; however, if you really want to use it, then the following modified version of the filtcols.lua script does seem to work with tshark too. I'll let Chuck decide if it's worth updating on the Wireshark wiki or not, since it's his creation and I only tweaked it.

-- filtcols.lua
-- similar to _ws.col.protocol in tshark

local filtcols_info =
{
    version = "1.0.1",
    author = "Chuck Craft",
    description = "Support filtering on Protocol and Info columns",
}

set_plugin_info(filtcols_info)

-- we create a "protocol" for our tree
local filtcols_p = Proto("filtcols","Filterable Protocol/Info columns")

-- we create our fields
local col_protocol_field = ProtoField.string("filtcols.protocol", "Protocol column")
local col_info_field = ProtoField.string("filtcols.info", "Info column")

-- we add our fields to the protocol
filtcols_p.fields = { col_protocol_field, col_info_field }

-- variables to persist across all packets
local pkt_data = {} -- indexed per packet

pkt_data.protocol = {}
pkt_data.info = {}

-- let's do it!
function filtcols_p.dissector(tvb, pinfo, tree)

    -- Protocol Column
    local cols_protocol = tostring(pinfo.cols.protocol)
    if cols_protocol ~= "(protocol)" then
        --print (" Frame: " .. pinfo.number .. "; Protocol: " .. cols_protocol)
        if pkt_data.protocol[pinfo.number] == nil then
            pkt_data.protocol[pinfo.number] = cols_protocol
        end
    end
    tree:add(col_protocol_field, pkt_data.protocol[pinfo.number])

    -- Info Column
    local cols_info = tostring(pinfo.cols.info)
    if cols_info ~= "(info)" then
        --print (" Frame: " .. pinfo.number .. "; Info: " .. cols_info .. "\n")
        if pkt_data.info[pinfo.number] == nil then
            pkt_data.info[pinfo.number] = cols_info
        end
    end
    tree:add(col_info_field, pkt_data.info[pinfo.number])
end

-- then we register filtcols_p as a postdissector
register_postdissector(filtcols_p)
edit flag offensive delete link more
add a comment

Your Answer

Please start posting anonymously - your entry will be published after you log in or create a new account.

Add Answer

Question Tools

1 follower

subscribe to rss feed

Stats

Asked: 2021-02-14 01:03:28 +0000

Seen: 840 times

Last updated: Feb 16 '21

Related questions

Deduplication in tshark -T ek [closed]

filtering out protocol, sequence number, and ack using tshark

Using tshark filters to extract only interesting traffic from 12GB trace

Any way to use cmd tshark for a gns3 wire?

authority RRs tshark

can I install only tshark?

How do I change the interface on Tshark?

Tshark TCP stream assembly

Tshark output file problem, saving to csv or txt

How to convert Pcapng file to pcap file by Tshark