
Is there any difference in the way tshark and wireshark execute lua?

I want to print some logs I need through Lua; the code is as follows.

The result obtained when tshark executes is correct.

When I open redis.pcap with wireshark I get a result that is repeated many times.

I would like to understand the reason for this difference and how I should modify my code for Wireshark to work correctly.

Thank you very much.

Windows tshark: tshark -X lua_Script:hello.lu -r redis.pcap

lu.log:

2 0.000299000
3 0.000019000
5 0.000442000

wireshark lu.log:

2 0.000299000
3 0.000019000
5 0.000442000
2 0.000299000
3 0.000019000
5 0.000442000
2 0.000299000
3 0.000019000
5 0.000442000
2 0.000299000
3 0.000019000
5 0.000442000

hello.lua:

    -- Protocol object for the post-dissector (name and description only)
    T_gre_proto = Proto("test_pro", "Test ")
    -- Field extractors must be created at load time, before any dissection runs
    tcp_ack   = Field.new("tcp.analysis.ack_rtt")
    frame_num = Field.new("frame.number")
    -- Log file opened once when the script is loaded
    file = io.open("C:\\Program Files\\Wireshark\\lu.log", 'w')

    -- Called for every frame, on every dissection pass
    function T_gre_proto.dissector(buffer, pinfo, tree)
        if tcp_ack() then
            frame_v = frame_num().value
            ttcp_v  = tcp_ack().value

            file:write(string.format("%s %s\n", frame_v, ttcp_v))

            file:flush()
        end
    end

    register_postdissector(T_gre_proto)
leelli
asked 2022-07-06 02:01:52 +0000, updated 2022-07-06 17:20:49 +0000


1 Answer


Is there any difference ...

Yes

Wireshark dissects packets in what it calls 'two-pass' dissection.

If you add -2 to the tshark command line and a print(pinfo.visited) to the T_gre_proto.dissector, you will see that tshark can be a multi-pass dissector too.

In addition to the WSDG description above about two-pass, see:
What's the difference between a dissector, post-dissector and tap?

There is an example in "A post-dissector example" using pinfo.visited to only process on the first pass through:

    log("Visited: " .. tostring(pinfo.visited))

    if not pinfo.visited then
Chuckc
answered 2022-07-06 03:48:41 +0000

Comments

Thank you very much for your reply, but I still don't understand how to solve it. Can I modify hello.lua to solve it?

leelli (2022-07-06 17:21:19 +0000)

This will run the postdissector just once when the packet is dissected the first time.

function T_gre_proto.dissector(buffer,pinfo,tree)
    if tcp_ack() and not pinfo.visited then
Chuckc (2022-07-06 17:43:04 +0000)

Problem solved, thank you very much for your guidance.

leelli (2022-07-07 01:56:23 +0000)

Hi Chuckc, I found that no matter where I write file:close(), it will report an error or write less data. Where should I close the file?

    T_gre_proto = Proto("test_pro", "Test ")
    tcp_ack   = Field.new("tcp.analysis.ack_rtt")
    frame_num = Field.new("frame.number")
    -- Opened once at load time; never closed inside the dissector
    file = io.open("C:\\Program Files\\Wireshark\\lu.log", 'w')

    function T_gre_proto.dissector(buffer, pinfo, tree)
        -- Only log on the first pass over each frame
        if tcp_ack() and not pinfo.visited then
            frame_v = frame_num().value
            ttcp_v  = tcp_ack().value

            file:write(string.format("%s %s\n", frame_v, ttcp_v))

            file:flush()
        end
    end

    register_postdissector(T_gre_proto)

leelli (2022-07-07 12:53:34 +0000)

How is the Lua script being called: Wireshark GUI, Wireshark CLI, or TShark CLI?

Chuckc (2022-07-07 14:24:42 +0000)
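As an added example (not the asker's hello.lua and not Chuckc's code), the following Lua post-dissector puts together the two points raised in this thread: the pinfo.visited gate from the answer, so each frame is logged once no matter how many dissection passes Wireshark or tshark makes, and the file-handle handling the last comment asks about. The log path, the Proto name "visitedlog", the script file name and the DEBUG_VISITS flag are my own choices, not anything from the thread.

```lua
-- Added example, not code from the thread. Logs each frame's
-- tcp.analysis.ack_rtt exactly once, on the first dissection pass.

-- Assumption: a relative path in the current working directory. Writing under
-- C:\Program Files usually needs elevated rights, so io.open can fail there.
local LOG_PATH = "lu.log"
-- Assumption: set to true to see how often each pass runs (stdout in tshark,
-- the Lua console in the Wireshark GUI).
local DEBUG_VISITS = false

-- Field extractors must be created at load time, before dissection starts.
local ack_rtt_f   = Field.new("tcp.analysis.ack_rtt")
local frame_num_f = Field.new("frame.number")

local visited_log = Proto("visitedlog", "Log ack_rtt once per frame")

-- io.open returns nil plus an error message on failure. Failing loudly here
-- is better than erroring on every packet once dissection begins.
local log_file, open_err = io.open(LOG_PATH, "w")
if not log_file then
    error("cannot open " .. LOG_PATH .. ": " .. tostring(open_err))
end

function visited_log.dissector(buffer, pinfo, tree)
    if DEBUG_VISITS then
        print(string.format("frame %s visited=%s",
            tostring(frame_num_f().value), tostring(pinfo.visited)))
    end

    -- pinfo.visited is false the first time a frame is dissected and true on
    -- every later pass (tshark -2, GUI redissection on filter changes, etc.).
    if pinfo.visited then
        return
    end

    -- The extractor returns nil when the frame carries no ack_rtt field.
    local ack_rtt = ack_rtt_f()
    if not ack_rtt then
        return
    end

    local frame = frame_num_f()
    log_file:write(string.format("%s %s\n",
        tostring(frame.value), tostring(ack_rtt.value)))

    -- Flush per write so the data reaches disk. The handle is deliberately
    -- left open: the dissector runs again for the next frame, and writing to
    -- a closed Lua file raises "attempt to use a closed file".
    log_file:flush()
end

register_postdissector(visited_log)
```

Run it the same way as the original script, e.g. `tshark -X lua_script:visited_log.lua -r redis.pcap`; adding `-2` forces a second pass and, with DEBUG_VISITS enabled, shows visited=true on that pass while the log still gets one line per frame. A dissector function is not told when the capture ends, which is why the example flushes after every write and never calls close() from inside the dissector: closing there breaks the next frame's write, and not flushing loses buffered lines, the two symptoms the last comment describes.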
