Wireshark Lua plugin not working after update
I made a plugin for Wireshark and now with the new version 4.4.2 it is not working anymore. It seems like something with Lua has changed, but I can't find the problem.
With the old version 4.2, everything worked and it showed the hex stream correctly. However, in version 4.4.2, the plugin no longer parses the data as expected. Specifically, the JSON data parsing seems to fail, and the custom fields are not being populated.
I noticed that Wireshark 4.4.2 has updated its Lua API, which might be causing the issue. Unfortunately, I couldn't find detailed documentation on these changes.
Here is the part of the code where the issue seems to occur. Does anyone have an idea what might be causing this issue with the new version?
Thanks in advance!
```lua
local json = require "json"
local ws = Proto("ws", "WS")
local identifier = "03"

-- Note: ws_action, ws_domain, ws_message, ws_session_id, ws_request_id and
-- ws_status are ProtoFields defined in a part of the plugin not shown here.

-- Function to recursively parse and display JSON data
local function parse_json(json_data, tree)
    for key, value in pairs(json_data) do
        if type(value) == "table" then
            local subtree = tree:add(ws, string.format("%s: ", key))
            parse_json(value, subtree)
        else
            tree:add(ws, string.format("%s: %s", key, tostring(value)))
        end
    end
end

function ws.dissector(buffer, pinfo, tree)
    -- The 12-byte identification header must be present before it is read
    if buffer:len() < 12 then
        return
    end
    local id = buffer(0, 12):bytes():tohex()
    if id:sub(-2) == identifier then
        pinfo.cols.protocol = "ws"
        local subtree = tree:add(ws, buffer(), "ws Data")
        subtree:add(buffer(0, 12), "Identification: " .. id)
        subtree:add("----------------------------------------")
        local data = buffer(12, buffer:len() - 12)
        local data_string = tostring(data:string())
        -- Clean up the data string by removing unwanted characters
        data_string = data_string:gsub("\r\n", ""):gsub("\n", ""):gsub("\t", ""):gsub("[\128-\255]", ""):gsub("UUUU$", "")
        print("Debug: Extracted Data String = " .. data_string)
        -- Parse JSON data using the json.decode function from json.lua
        local status, json_data = pcall(json.decode, data_string)
        if not status or type(json_data) ~= "table" then
            subtree:add_expert_info(PI_MALFORMED, PI_ERROR, "Malformed JSON Data")
            return
        end
        -- Add custom fields to the dissection tree
        if json_data["action"] then
            subtree:add(ws_action, json_data["action"])
        end
        if json_data["domain"] then
            subtree:add(ws_domain, json_data["domain"])
        end
        if json_data["message"] then
            subtree:add(ws_message, json_data["message"])
            pinfo.cols.info:set(tostring(json_data["message"]))
        end
        if json_data["session_id"] then
            subtree:add(ws_session_id, json_data["session_id"])
        end
        if json_data["request_id"] then
            subtree:add(ws_request_id, json_data["request_id"])
        end
        if json_data["status"] then
            subtree:add(ws_status, json_data["status"])
        end
        if json_data["payload"] then
            local payload_subtree = subtree:add(ws, "Payload")
            parse_json(json_data["payload"], payload_subtree)
        end
    end
end
```
Have you looked at the Wireshark JSON dissector (Routines for JSON dissection)?
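
The route the comment points to, handing the payload to Wireshark's built-in JSON dissector instead of decoding it with json.lua, could look like the sketch below. It is an added example, not code from the post or the comment; the names `wsj`, `f_id` and `EXAMPLE_PORT`, and the UDP port registration, are assumptions.

```lua
-- Added example. wsj, f_id and EXAMPLE_PORT are hypothetical names;
-- the 12-byte header and the 0x03 marker byte are taken from the post.
local wsj = Proto("wsj", "WS JSON (example)")
local f_id = ProtoField.bytes("wsj.id", "Identification")
wsj.fields = { f_id }

local HEADER_LEN = 12      -- length of the identification header
local IDENTIFIER = 0x03    -- last header byte that marks a ws packet
local EXAMPLE_PORT = 9999  -- constructed placeholder, replace with the real port

-- Look up the built-in JSON dissector once, when the script loads.
local json_dissector = Dissector.get("json")

function wsj.dissector(buffer, pinfo, tree)
    -- Require the full header plus at least one payload byte, so that
    -- no range below can reach past the end of the captured data.
    if buffer:len() <= HEADER_LEN then
        return 0
    end
    -- Same test as id:sub(-2) == "03" in the post, done on the raw byte.
    if buffer(HEADER_LEN - 1, 1):uint() ~= IDENTIFIER then
        return 0
    end

    local subtree = tree:add(wsj, buffer(), "ws Data")
    subtree:add(f_id, buffer(0, HEADER_LEN))

    -- Give the remaining bytes to the JSON dissector as their own Tvb.
    -- It builds the object/array/member tree and flags malformed input.
    local payload = buffer(HEADER_LEN):tvb()
    json_dissector:call(payload, pinfo, subtree)

    -- Set the column last so the sub-dissector cannot overwrite it.
    pinfo.cols.protocol = "ws"
    return buffer:len()
end

-- Assumption: the protocol runs over UDP on EXAMPLE_PORT.
DissectorTable.get("udp.port"):add(EXAMPLE_PORT, wsj)
```

Unlike the post's `gsub` chain, this passes the payload bytes through unmodified, so any trailing padding (such as the `UUUU` the post strips) has to be excluded from the range before the call.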