Is there any difference in the way tshark and wireshark execute lua?

asked 2022-07-06 02:01:52 +0000

leelli
3 ●2 ●4

updated 2022-07-06 17:20:49 +0000

I want to print some needed logs through lua, the code is as follows.

The result obtained when tshark executes is correct.

When I open redis.pcap with wireshark I get a result that is repeated many times.

I would like to understand the reason for this difference and how should I modify my code for wireshark to work correctly

thank you very much

windows tshark : tshark -X lua_Script:hello.lu -r redis.pcap

lu.log：

2 0.000299000
3 0.000019000
5 0.000442000

wireshark lu.log：

2 0.000299000
3 0.000019000
5 0.000442000
2 0.000299000
3 0.000019000
5 0.000442000
2 0.000299000
3 0.000019000
5 0.000442000
2 0.000299000
3 0.000019000
5 0.000442000

hello.lua:

 T_gre_proto = Proto("test_pro","Test ")    
      tcp_ack = Field.new("tcp.analysis.ack_rtt")
      frame_num = Field.new("frame.number")
      file = io.open("C:\\Program Files\\Wireshark\\lu.log", 'w')

 function T_gre_proto.dissector(buffer,pinfo,tree)
     if tcp_ack() then
      frame_v = frame_num().value
      ttcp_v = tcp_ack().value

       file:write(string.format("%s %s\n",frame_v,ttcp_v) )

       file:flush()  

      end

  end

  register_postdissector(T_gre_proto)

answered 2022-07-06 03:48:41 +0000

Chuckc
2858 ●5 ●567 ●19

Is there any difference ...

Yes

Wireshark dissects packets in what it calls 'two-pass' dissection.

If you add -2 to the tshark command line and a print(pinfo.visited) to the T_gre_proto.dissector you will see that tshark can be a multi pass dissector also.

In addition to the WSDG description above about two-pass, see:
What's the difference between a dissector, post-dissector and tap?

There is an example in A post-dissector example using pinfo.visited to only process on the first pass through.

    log("Visited: " .. tostring(pinfo.visited))

    if not pinfo.visited then

edit flag offensive delete link

Comments

thank you very much for your reply But I still don't understand how to solve it, can I modify the hello.lua to solve it?

leelli ( 2022-07-06 17:21:19 +0000 )edit

This will run the postdissector just once when the packet is dissected the first time.

function T_gre_proto.dissector(buffer,pinfo,tree)
    if tcp_ack() and not pinfo.visited then

Chuckc ( 2022-07-06 17:43:04 +0000 )edit

Problem solved, thank you very much for your guidance

leelli ( 2022-07-07 01:56:23 +0000 )edit

hi Chuckc I found that no matter where I write file:close(), it will report an error or write less data. Where should I close the file?

T_gre_proto = Proto("test_pro","Test ")    
      tcp_ack = Field.new("tcp.analysis.ack_rtt")
      frame_num = Field.new("frame.number")
      file = io.open("C:\\Program Files\\Wireshark\\lu.log", 'w')

 function T_gre_proto.dissector(buffer,pinfo,tree)
     if tcp_ack()  and not pinfo.visited then  
      frame_v = frame_num().value
      ttcp_v = tcp_ack().value

       file:write(string.format("%s %s\n",frame_v,ttcp_v) )

       file:flush()  
          end
      end

  end

  register_postdissector(T_gre_proto)

leelli ( 2022-07-07 12:53:34 +0000 )edit

How is the Lua script being called - Wireshark Gui, Wireshark CLI, TShark CLI?

Chuckc ( 2022-07-07 14:24:42 +0000 )edit

see more comments

Your Answer

Please start posting anonymously - your entry will be published after you log in or create a new account.

Is there any difference in the way tshark and wireshark execute lua?

1 Answer

Comments

Your Answer

Question Tools

Stats

Related questions

Is there any difference in the way tshark and wireshark execute lua? edit

1 Answer

Comments

Your Answer

Question Tools

Stats

Related questions

Is there any difference in the way tshark and wireshark execute lua?