How can I get current display filter in Lua script with Tshark
Hi,
I'm writing a script in Lua I want to use with Tshark. With this script I want to process a pcap file I feed to Tshark with the '-r' option. In the script I use a tap (listener) to process the packets.
The problem I have is that I want the script to process only the packets that comply with the filter I set with the '-Y' option (or the '-f' option, but that doesn't work in combination with '-r'). In Wireshark I can use the 'get_filter()' function to get the current display filter and give that as an argument to the 'Listener.new()' function. But 'get_filter()' doesn't work in Tshark.
Of course I can set the filter hardcoded in the script, but that isn't what I want.
So, is there a way to process only packets that comply with the filter? Some ideas I had, but I don't know if they are possible:
1) Read the display filter value in Lua directly (as 'get_filter()' does in Wireshark)?
2) Read the complete command given at the command line (including '-y ....') and parse this command line in Lua to get the filter value?
3) For every packet coming in through 'Listener.packet()' check if it complies with the display filter by checking some value from 'Pinfo'?
4) Can I use the 'get_preference(preference)' function?
5) Some other options?
11.2.3.9. get_filter() is part of the Gui functions. We could add an "Errors" section like new_dialog() - "GUI not available".
Could you pass it in as a command line argument to the lua script?
tshark man page:
Wiki example using command line arguments: Extract field values
get_filter() added in 7725: Add get_filter method to Wireshark's Lua interface
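The command-line-argument approach suggested above, as an added example that is not part of the original thread: the filter is handed to the script with `-X lua_script1:` and passed on to `Listener.new()`. The file name `filter_tap.lua`, the capture name and the sample filter are assumptions.

```lua
-- filter_tap.lua (hypothetical file name; added example, not from the thread)
-- Usage (capture.pcap and the filter string are placeholders):
--   tshark -r capture.pcap -q -X lua_script:filter_tap.lua \
--          -X lua_script1:"tcp.port == 443"
-- tshark passes each "-X lua_script1:<arg>" value to the first loaded
-- script as a vararg, so the filter never has to be hardcoded.

local args = { ... }
local filter = args[1]

-- No argument (or an empty one) means: tap every frame, unfiltered.
if filter == "" then
    filter = nil
end

-- Listener.new() raises an error when the display filter does not compile,
-- so wrap it and report the offending string instead of a bare stack trace.
local ok, tap = pcall(Listener.new, "frame", filter)
if not ok then
    error(string.format("display filter %q rejected: %s",
                        tostring(filter), tostring(tap)))
end

local packets, bytes = 0, 0

-- Called only for packets that match the filter given to Listener.new().
function tap.packet(pinfo, tvb)
    packets = packets + 1
    bytes = bytes + pinfo.len
end

-- Called when tshark has finished reading the file given with -r.
function tap.draw()
    print(string.format("filter: %s", filter or "(none)"))
    print(string.format("matched packets: %d, bytes: %d", packets, bytes))
end

-- Called when the tap is reset, e.g. before a capture is re-read.
function tap.reset()
    packets, bytes = 0, 0
end
```

The listener's filter is independent of `-Y`; pass the same string to both if tshark's own packet output should be restricted to the same packets.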