This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

IP info with ‘xml’ filter?


Hi, I'm trying to extract SOAP payloads with timestamps and source/dest IP addresses and ports with the following code:

local tap = Listener.new(nil, "xml", true)
local xml_field = Field.new("xml")

function tap.packet(pinfo,tvb,tapinfo)
  -- the "xml" field's value prints as a hex string; decode each pair of hex
  -- digits back into a byte, mapping CR and LF to NUL
  local xml_string = string.gsub(tostring(xml_field().value), "(..)",
    function(c)
      c = tonumber(c,16)
      if c==13 or c==10 then c=0 end
      return string.char(c)
    end)
  print( table.concat( {
    os.date("%Y-%m-%d %H:%M:%S", pinfo.abs_ts) .. string.sub(select(2,math.modf(pinfo.abs_ts)), 2,8),
    tostring(ip_dst),           -- ip_dst is never assigned in this script, so this prints "nil"
    -- pinfo.cols.src_port,
    tostring(pinfo.cols.dst),   -- Column objects must be converted to strings before table.concat
    tostring(pinfo.cols.dst_port),
    xml_string
  }, "|" ) )
end

function tap.reset()
  -- file:close()
end

I’ve succeeded in converting the XML data and timestamps, but tapinfo comes as nil. How can I have the IP addresses+ports?

asked 08 Oct ‘14, 14:47


arielCo


One Answer:


The Listener tapinfo is only populated for some specific Listener tap types, such as ip, tcp, udp, or http types... but not for a frame tap type, which is what you're creating since you passed nil for the first argument of Listener.new().

Is there some specific reason you want to tap the frame instead of the IP packet, or even TCP segment? Because doing "Listener.new("ip", "xml", true)" would get you the tapinfo for IP-layer including addresses, but not port numbers. Doing "Listener.new("tcp", "xml", true)" would get you the tapinfo for TCP-layer, which would include IP addresses as well as TCP port numbers.

Alternatively, you don't need to get the IP addresses+ports from the tapinfo - you can instead just get them from explicit field extractors, like this:

local tap = Listener.new(nil, "xml", true)
local f_ip_src   = Field.new("ip.src")
local f_ip_dst   = Field.new("ip.dst")
local f_src_port = Field.new("tcp.srcport")
local f_dst_port = Field.new("tcp.dstport")

function tap.packet(pinfo,tvb)
  local ip_src   = f_ip_src().value
  local ip_dst   = f_ip_dst().value
  local src_port = f_src_port().value
  local dst_port = f_dst_port().value
  -- ... print or log ip_src, ip_dst, src_port and dst_port together with the XML here
end

Note that the above is just example code - in a real script one would do verification checks to make sure each field extractor returns something before calling its value attribute, etc.

answered 09 Oct ‘14, 07:35


Hadriel
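The following is an added example, not code from the question or the answer above: it completes the field-extractor approach the answer sketches, with the nil checks the answer says a real script needs, and adds IPv6 address extractors (ipv6.src, ipv6.dst) as a fallback. The script file name in the comment and the "?" placeholder for missing fields are my own choices.

```lua
-- Added example script: print timestamp, addresses, TCP ports and the XML body
-- of every packet matching the "xml" filter, one '|'-separated record per packet.
-- Run with (file name is an assumption): tshark -q -X lua_script:soap_tap.lua -r capture.pcapng
local tap = Listener.new(nil, "xml", true)   -- frame tap, filtered to packets containing XML

-- Field extractors must be created at script load time, outside any callback.
local f_xml      = Field.new("xml")
local f_ip_src   = Field.new("ip.src")
local f_ip_dst   = Field.new("ip.dst")
local f_ip6_src  = Field.new("ipv6.src")
local f_ip6_dst  = Field.new("ipv6.dst")
local f_src_port = Field.new("tcp.srcport")
local f_dst_port = Field.new("tcp.dstport")

-- Calling a Field returns the first FieldInfo, or nil when the field is absent
-- from the current packet, so never touch .value without checking for nil.
local function val(field, default)
  local fi = field()
  if fi == nil then return default end
  return tostring(fi.value)
end

-- Prefer the IPv4 address, fall back to IPv6, and mark anything missing with "?".
local function addr(f4, f6)
  local fi = f4() or f6()
  return fi and tostring(fi.value) or "?"
end

function tap.packet(pinfo, tvb)
  local fi = f_xml()
  if fi == nil then return end   -- cannot happen with the "xml" filter, but stay defensive
  -- Raw bytes of the XML body as a Lua string; CR/LF become spaces so each
  -- record stays on a single line (my choice; the question mapped them to NUL).
  local xml_string = fi.range:raw():gsub("[\r\n]", " ")
  -- os.date needs an integer; keep the microseconds separately as ".123456"
  local ts   = os.date("%Y-%m-%d %H:%M:%S", math.floor(pinfo.abs_ts))
  local frac = string.format("%.6f", pinfo.abs_ts % 1):sub(2)
  print(table.concat({
    ts .. frac,
    addr(f_ip_src, f_ip6_src), val(f_src_port, "?"),
    addr(f_ip_dst, f_ip6_dst), val(f_dst_port, "?"),
    xml_string,
  }, "|"))
end

function tap.reset()
  -- nothing to release here; a script writing to a file would close it in this callback
end
```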

Thank you - both approaches work but I’m still somewhat confused. Where can I find a concept-level description of dissectors and listeners? The Wiki starts with code examples and jumps to the API reference, but nothing about what they actually do and their relationship; it’s all copying and trial/error.

(09 Oct ‘14, 10:17) arielCo

Hmmm… it depends on what more you want to know. The main Wireshark Lua wiki page has links to wiki pages about Dissectors and Listener taps, and also links to the sample script page which has links to a few tutorial scripts. There’s a dissector tutorial script, for example, with details about how/why things are done.

So if those places don’t answer your questions, I think the best thing would be for you to ask your questions here on the Q&A site (as separate new topics, not inside this topic), and I or others will try answering them; then we can update the wiki’s with the answers if it makes sense to.

(09 Oct ‘14, 11:39) Hadriel