
Tshark LUA Script

I am trying to run a Lua script (filtcols.lua) from tshark in the same way as I do from the Wireshark GUI (filtcols.info contains "string"), but I am getting a syntax error. How can I do that in tshark?

moraist
asked 2021-02-14 01:03:28 +0000

cmaynard
updated 2021-02-16 20:32:52 +0000

Comments

filtcols is a workaround for fields that are available in tshark but not in Wireshark.

Any reason for not using the _ws.col fields in tshark?

$ tshark -r captureFile.pcap -T fields -e _ws.col.Protocol -e _ws.col.Info

Chuckc (2021-02-14 03:50:06 +0000)

1 Answer


As Chuck mentions, the filtcols.lua script shouldn't be needed with tshark; however, if you really want to use it, then the following modified version of the filtcols.lua script does seem to work with tshark too. I'll let Chuck decide if it's worth updating on the Wireshark wiki or not, since it's his creation and I only tweaked it.

-- filtcols.lua
-- similar to _ws.col.protocol in tshark

local filtcols_info =
{
    version = "1.0.1",
    author = "Chuck Craft",
    description = "Support filtering on Protocol and Info columns",
}

set_plugin_info(filtcols_info)

-- we create a "protocol" for our tree
local filtcols_p = Proto("filtcols","Filterable Protocol/Info columns")

-- we create our fields
local col_protocol_field = ProtoField.string("filtcols.protocol", "Protocol column")
local col_info_field = ProtoField.string("filtcols.info", "Info column")

-- we add our fields to the protocol
filtcols_p.fields = { col_protocol_field, col_info_field }

-- variables to persist across all packets
local pkt_data = {} -- indexed per packet

pkt_data.protocol = {}
pkt_data.info = {}

-- let's do it!
function filtcols_p.dissector(tvb, pinfo, tree)

    -- Protocol Column
    local cols_protocol = tostring(pinfo.cols.protocol)
    if cols_protocol ~= "(protocol)" then
        --print (" Frame: " .. pinfo.number .. "; Protocol: " .. cols_protocol)
        if pkt_data.protocol[pinfo.number] == nil then
            pkt_data.protocol[pinfo.number] = cols_protocol
        end
    end
    tree:add(col_protocol_field, pkt_data.protocol[pinfo.number])

    -- Info Column
    local cols_info = tostring(pinfo.cols.info)
    if cols_info ~= "(info)" then
        --print (" Frame: " .. pinfo.number .. "; Info: " .. cols_info .. "\n")
        if pkt_data.info[pinfo.number] == nil then
            pkt_data.info[pinfo.number] = cols_info
        end
    end
    tree:add(col_info_field, pkt_data.info[pinfo.number])
end

-- then we register filtcols_p as a postdissector
register_postdissector(filtcols_p)
cmaynard
answered 2021-02-16 22:00:37 +0000
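An added example (written by the editor; it is not cmaynard's or Chuck's code) showing how the modified script above is actually loaded from tshark and filtered on, with Chuck's _ws.col alternative from the comments alongside. The paths ./filtcols.lua and ./capture.pcap are assumptions, and the needle "string" is the one from the question.

```shell
#!/bin/sh
# Added example (editor's, not cmaynard's or Chuck's code): invoking the
# modified filtcols.lua from tshark so the question's filter works there, with
# Chuck's _ws.col.* alternative alongside. Assumed, hypothetical paths: the
# script saved as ./filtcols.lua and a capture at ./capture.pcap. The
# filtcols_* functions need a tshark built with Lua support.
set -eu

SCRIPT="${SCRIPT:-./filtcols.lua}"
CAPTURE="${CAPTURE:-./capture.pcap}"

# The display filter from the question, quoted for tshark's -Y option.
# Backslashes and double quotes in the needle are escaped so the value cannot
# break out of the filter string (display-filter strings take C-style escapes).
filtcols_filter() {
    _needle=$(printf '%s' "$1" | sed 's/\\/\\\\/g; s/"/\\"/g')
    printf 'filtcols.info contains "%s"' "$_needle"
}

# Load the Lua script for this run only (-X lua_script:FILE) and filter on the
# fields it registers. If the script failed to parse or load, tshark does not
# know filtcols.protocol/filtcols.info for -e and exits with "Some fields
# aren't valid", so this doubles as the load check that a Lua syntax error
# would otherwise hide behind an empty result.
filtcols_grep() {
    tshark -r "$CAPTURE" -X "lua_script:$SCRIPT" \
        -Y "$(filtcols_filter "$1")" \
        -T fields -e frame.number -e filtcols.protocol -e filtcols.info
}

# Chuck's no-Lua route: the built-in column fields can be printed with -e in
# tshark (on the tshark of this thread's vintage they are not usable in a -Y
# filter), so print them for every frame and match the Info column on the
# output side instead.
wscol_grep() {
    tshark -r "$CAPTURE" -T fields \
        -e frame.number -e _ws.col.Protocol -e _ws.col.Info |
        awk -F'\t' -v needle="$1" 'index($3, needle) { print }'
}

# Run both variants when invoked directly on a machine with tshark and the
# capture present; otherwise only the functions are defined, so the file can
# also be sourced.
if command -v tshark >/dev/null 2>&1 && [ -r "$CAPTURE" ]; then
    filtcols_grep "${1:-string}"
    wscol_grep "${1:-string}"
fi
```

Save it as filtcols.sh and run `sh filtcols.sh string` next to the script and capture. `-X lua_script:` loads the script for that invocation only, which is handy while debugging the syntax error from the question because the Lua error is printed at startup for that run; `tshark -v` should list "with Lua" in its build information, otherwise the `-X lua_script:` option has nothing to load it with.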

