I have written a program to analyze TCP streams. I want to validate my results with Wireshark. My program gives the packet numbers in the related stream, but Wireshark displays packet numbers based on whole packets in the Pcap file. Is there anyway to show the displayed packet number in Wireshark? (Something like "Delta time displayed".)
Can you test the Lua script below by saving it to a .lua file in your Personal Lua Plugins folder.
Seems to be working with Webernetz Ultimate Pcap but would like a real world test.
It creates a new field called easypost.counter that starts at 0. (code can be changed to start at 1 if needed)
How Lua fits into Wireshark
(More Lua information in the WSDG)
-- EASYPOST.lua
-- Replace occurrences of "easypost/EASYPOST" with protocol/dissector name.
-- Grab and format fields as needed
-- Step 1 - document as you go. See header above and set_plugin_info().
local easypost_info =
{
version = "1.0.0",
author = "Good Coder",
description = "Important EASYPOST stuff",
repository = "Floppy in top drawer"
}
set_plugin_info(easypost_info)
-- Step 1a - local storage from stream frame counters
local frame_counters = {}
local frame_index = {}
-- Step 2 - create a protocol to attach new fields to
local easypost_p = Proto.new("easypost","Important EASYPOST Protocol")
-- Step 3 - add some field(s) to Step 2 protocol
local pf = { payload = ProtoField.string("easypost.payload", "EASYPOST data") ,
counter = ProtoField.uint32("easypost.counter", "Frame counter") }
easypost_p.fields = pf
-- Step 4 - create a Field extractor to copy packet field data.
easypost_payload_f = Field.new("tcp.stream")
-- Step 5 - create the postdissector function that will run on each frame/packet
function easypost_p.dissector(tvb,pinfo,tree)
local subtree = nil
-- copy existing field(s) into table for processing
finfo = { easypost_payload_f() }
if not subtree then
subtree = tree:add(easypost_p)
end
if (#finfo > 0) and not frame_index[pinfo.number] then
for k, v in pairs(finfo) do
-- process data and add results to the tree
if not frame_counters[v.display] then
frame_counters[v.display] = 0
else
frame_counters[v.display] = frame_counters[v.display] + 1
end
frame_index[pinfo.number] = frame_counters[v.display]
end
end
if frame_index[pinfo.number] then
subtree:add(pf.counter, frame_index[pinfo.number])
end
end
-- Step 6 - register the new protocol as a postdissector
register_postdissector(easypost_p)
Thanks for your time. I added the code in plugin folder and added the field as a column. It works when starts from 0. But it does not work when I changed 0 to 1.
https://pasteboard.co/hQpHxlSZnDGE.png
Can we focus on just what displayed in Lua regardless of what kind of packet it is? this code is what @SYN-bit said.
The Wiki page (https://wiki.wireshark.org/lua) and the WSDG (https://www.wireshark.org/docs/wsdg_h...) have examples.
There are several Lua presentations from past SharkFest (https://sharkfest.wireshark.org/retro...).
I can help specifically with questions on sf22us:05: Duct tape and baling wire: Extending Wireshark with Lua” by Chuck Craft and sf23us: 07: “I wish Wireshark” - add the missing pieces with Lua by Chuck Craft.
I'm not sure there is a way to query the qui (from Lua) to see what is currently in the displayed packets list.
Wireshark can do it since “Export Specified Packets” allows it..
Busy today. Will look at tomorrow.
You might want to file this as an enhancement request on the Wireshark issues list.
It would be implemented as a "Displayed frame number" or "Displayed packet number" column type, with "Number" being renamed "Captured frame number" or "Displayed frame number" or something such as that. It could probably be implemented fairly straightforwardly, albeit with a possible increase in per-frame/per-packet memory.
Thanks for adding issue 19250, to me it seems that having a packet number relative to the TCP stream (or UDP stream) seems more versatile than having a packet number after filtering.
Which one would work best in your use case? See also my comment in issue 19250.
What about just opening the pcap file using a Read Filter (File -> Open -> File name: foo.pcap, Read filter: tcp.stream eq 0)?
The equivalent of this in tshark is:
tshark -r foo.pcap -2R "tcp.stream == 0"
Asked: 2023-07-30 12:56:47 +0000
Seen: 1,384 times
Last updated: Aug 02 '23
You want something like this in a Gui column?
The-Ultimate-PCAP$ tshark -r *v20221220* -Y "tcp.stream == 0" | cat -n 1 79 113831518.641076 10.200.200.202 10.200.200.201 BGP KEEPALIVE Message 2 80 113831518.641076 10.200.200.202 10.200.200.201 TCP [TCP Retransmission] 179 → 23975 [PSH, ACK] Seq=1 Ack=1 Win=16073 Len=19 3 82 113831518.704076 10.200.200.201 10.200.200.202 BGP KEEPALIVE Message 4 84 113831518.704076 10.200.200.201 10.200.200.202 TCP [TCP Retransmission] 23975 → 179 [PSH, ACK] Seq=1 Ack=20 Win=16054 Len=19 5 89 113831518.938076 10.200.200.202 10.200.200.201 TCP 179 → 23975 [ACK] Seq=20 Ack=20 Win=16054 Len=0@Chuckc Yeah. Exactly. How can I do that?
I think this could be done with a Lua script (post-dissector) but won't have time today to work on it.
Have an array of counters indexed by
tcp.streamnumber, increment for each packet matching the stream then add a field to the packet with the stream packet index.@Chuckc How can I write a Lua script for Wireshark? Can you give me a hint?