How to improve workflow for creating a Lua-based Wireshark dissector
I've finally created a Dissector for my UDP protocol in Lua for Wireshark, but the workflow is just horrendous. It consists of editing my custom Lua file in my editor, then double-clicking my example capture file to launch Wireshark to see the changes. If there was an error, Wireshark informs me via dialogs or a red line in the Tree analysis sub-pane. I then re-edit my custom Lua file and then close that Wireshark instance, then double-click my example capture file again. It's like compiling a C file and only seeing one compiler error at a time.

Is there a better (faster) way of looking at my changes, without having to restart Wireshark all the time?

At the time, I was using Wireshark 1.2.9 for Windows with Lua enabled.

Testimony answered 31/8, 2010 at 23:8 Comment(7)
Are there any useful Lua dissector tutorials and class documentation? -- Muirhead
@Muirhead Classes and functions are documented at wireshark.org/docs/wsdg_html_chunked/wsluarm_modules.html -- Ormond
@Ormond Yes, there is a list of classes and functions. But it was asked for a workflow instead of that list. -- Muirhead
@Muirhead There is a very simple example in the previous chapter, the wiki and also a SharkFest presentation on Lua dissectors by Hadriel (Tuesday session 11). -- Ormond
@Ormond You missed it again, sorry. There is no request for an (even simple) example. It's a request for workflow improvement. -- Muirhead
@Muirhead The original question was answered below, I posted the links for future readers. Reload Lua plugins should be the way to go if its bugs are fixed. -- Ormond
@Ormond So if you want to address future readers why do you write @harper? -- Muirhead
The best way to automate this is by using the command line. Yep, use tshark instead of loading the GUI thingy.

If your Lua script is called "proto.lua" and it defines a protocol called "MyProto" that uses port 8888, you can test your dissector using:

tshark -X lua_script:proto.lua -O MyProto -V -f "port 8888"
  • The -V option makes tshark print all the info of all protocols.
  • The -O option filters the -V option to make it show all the info only on the listed (CSV) protocols.
  • The -f option filters out all packets that don't conform to the rule. In this case any packet that is not from the right port.
Ness answered 9/11, 2011 at 8:30 Comment(0)
The latest Wireshark release comes with a primitive console for running Lua scripts. It can be found under Tools -> Lua -> Evaluate. From there, you should be able to reload your dissector by running dofile(). You'll also have to remove the previous version of your dissector.

Here's an example for a TCP-based dissector.

-- 'pattern' is the TCP port your dissector was added on, 'yourdissector' the Proto it was added with
local tcp_dissector_table = DissectorTable.get("tcp.port")
tcp_dissector_table:remove(pattern, yourdissector)
yourdissector = nil  -- drop the old reference so the reloaded file can define a fresh one

dofile("c:/path/to/dissector.lua")  -- re-run the script; it re-adds itself to the table

I recommend placing this code in a function inside your file.

Now there's a problem with this answer: If your script created a Proto object, it seems that you can't create it again with the same id. The constructor for the Proto class calls the C function proto_register_protocol() (see epan/wslua/wslua_proto.c). I can't find any lua function that will unregister the protocol. In fact, I can't even find a C function to unregister it.

Roxy answered 6/6, 2013 at 2:0 Comment(1)
"In fact, I can't even find a C function to unregister it." There isn't one - without Lua, there's no mechanism for registering dissectors (or other plugins) at any time other than startup time, so there was no need for unregistering. With Lua, it might make sense to add that (and add some IDE capabilities to Wireshark for Lua - I think somebody has an IDE written in Lua that could perhaps be used for this).Mulligrubs
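Putting the tshark answer and the dofile() answer above together, here is an added example (not code from any of the posters): a UDP dissector for the "MyProto" protocol on port 8888 from the tshark answer, written so that re-running the file with dofile() from Tools -> Lua -> Evaluate replaces the dissector function and the port binding while creating the Proto and its fields only once, which sidesteps the re-registration problem described above. The file name, the two-field packet layout and the global names used to survive a reload are assumptions for this example.

```lua
-- myproto.lua (assumed name): safe to load once from the plugins dir and to
-- re-run any number of times with dofile("c:/path/to/myproto.lua").
-- Wireshark keeps one Lua state, so globals survive between reloads.
local PORT = 8888

-- Proto("myproto", ...) errors the second time it is called with the same id,
-- so create it only if this Lua state does not already hold one.
_G.myproto = _G.myproto or Proto("myproto", "My UDP Protocol")
local myproto = _G.myproto

-- ProtoFields are registered together with the Proto; register them once too.
-- Constructed layout for this example: 1-byte type followed by a 2-byte length.
if not _G.myproto_fields then
  _G.myproto_fields = {
    ptype = ProtoField.uint8("myproto.type", "Type", base.DEC),
    plen  = ProtoField.uint16("myproto.len", "Length", base.DEC),
  }
  myproto.fields = { _G.myproto_fields.ptype, _G.myproto_fields.plen }
end
local f = _G.myproto_fields

-- The dissector function is plain Lua and is simply overwritten on every
-- reload; this is the part you edit while iterating on the dissector.
function myproto.dissector(buffer, pinfo, tree)
  pinfo.cols.protocol = "MYPROTO"
  local subtree = tree:add(myproto, buffer(), "My UDP Protocol")
  if buffer:len() < 3 then
    -- a truncated header: flag it instead of indexing past the end of the tvb
    pinfo.cols.info = "MyProto: packet shorter than 3-byte header"
    return
  end
  subtree:add(f.ptype, buffer(0, 1))
  subtree:add(f.plen, buffer(1, 2))
end

-- Rebind the port: remove the entry from the previous load (a no-op on the
-- first load) and add the current Proto again.
local udp_table = DissectorTable.get("udp.port")
udp_table:remove(PORT, myproto)
udp_table:add(PORT, myproto)
```

The same file can be exercised without the GUI with the tshark command from the answer above (using -r on a saved capture instead of -f to replay the example file), so a broken edit shows up as a Lua error on the console rather than as a dialog.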
You might be able to write a trivial wrapper function that Wireshark loads, and have it just load the real file from disk (e.g. via dofile()). This could probably "trick" Wireshark into always reloading your Lua code until you're more comfortable with it and can remove this hack.

Byelorussian answered 1/1, 2011 at 17:47 Comment(0)
I've been facing the same problem for quite a while, so I have decided to create a tool that would help me streamline that "horrendous workflow". The tool in question is Wirebait. It is designed to let you run your Lua dissectors as you write them without Wireshark.

It is very quick and easy to install and use. All you have to do is load the Wirebait module and add a five-line snippet on top of your dissector script. Then if you use an IDE such as ZeroBrane Studio, Wirebait allows you to literally write and debug your code on the fly, no need for Wireshark. If you don't even have a pcap file, you can use a hexadecimal string representing the data you want to dissect.

Pewit answered 25/3, 2018 at 16:15 Comment(0)