Wireshark mailing list archives
Re: Alert on captured packet
From: Tony Trinh <tony19 () gmail com>
Date: Mon, 9 Jan 2012 21:56:47 -0500
Yes, a Lua tap can do this. For example, you can use the following script to beep 3 times when it detects UDP packet lengths between 1034 and 1037. The beeps can get annoying.

    local _filter = 'udp.length > 1034 and udp.length < 1037'

    local function make_tap(filter)
        local tap = Listener.new(nil, filter)
        function tap.packet()
            -- beep 3 times
            for i=1,3 do print '\007' end

            -- you can also show a message box here with
            -- new_dialog() or report_failure(), but you'll
            -- need a flag to prevent opening a whole bunch
            -- of message boxes
        end
        return tap
    end

    -- If not running from Wireshark, enable the tap immediately, then
    -- abort, or else we'll get an error below for trying to do GUI
    -- stuff from the command line.
    if not gui_enabled() then
        make_tap(_filter)
        return
    end

    local function make_win()
        local tap = nil
        local win = TextWindow.new("Watcher")

        local function remove_tap()
            if tap then tap:remove() end
            tap = nil
        end

        win:set("Press Start to begin watching")
        win:set_atclose(remove_tap)

        win:add_button("Start", function()
            if tap then
                report_failure("Already started")
                return
            end
            win:set("Watching for:\n" .. _filter)
            tap = make_tap(_filter)
        end)

        win:add_button("Stop", function()
            if not tap then
                report_failure("Not started")
                return
            end
            remove_tap()
            win:set("Press Start to begin watching")
        end)
    end

    register_menu("Lua/Test", make_win, MENU_TOOLS_UNSORTED or 8)

On Mon, Jan 9, 2012 at 10:59 AM, Harper <Helge.Kruse-nospam () gmx net> wrote:
I have a protocol where the same request is sent again and again. Suddenly a request is answered with a different response than it usually is. I have configured Wireshark to use multiple files to capture all the data.

Now I want to get an alert (message box, email, anything else) when this event occurs. This can be done by manually looking in each capture file. But this is a bit cumbersome.

Can this be done with Wireshark tools or with a plug-in? Probably a Lua plug-in could do this?

The criteria for the alert should be something like
udp.length > 1034 and udp.length < 1037

Thanks,
Harper

___________________________________________________________________________
Sent via: Wireshark-users mailing list <wireshark-users () wireshark org>
Archives: http://www.wireshark.org/lists/wireshark-users
Unsubscribe: https://wireshark.org/mailman/options/wireshark-users
mailto:wireshark-users-request () wireshark org ?subject=unsubscribe
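The script in the reply mentions that a message box needs a flag so that a burst of matches does not open a stack of dialogs. The following is an added example, not code from the original post: it alerts at most once per cooldown window and prints one line per match so the frame can be found later in the capture files. `FILTER` is the criterion from the thread; `COOLDOWN_SECS` and the other variable names are assumptions.

```lua
-- Added example (not from the original post): rate-limited alert tap.
local FILTER = 'udp.length > 1034 and udp.length < 1037'
local COOLDOWN_SECS = 30   -- assumed value: minimum gap between two alerts

-- Field extractors have to be created while the script loads,
-- not from inside the tap callback.
local f_udp_len = Field.new('udp.length')

local tap = Listener.new(nil, FILTER)
local hits = 0             -- matches seen since the last reset
local last_alert = nil     -- capture time (seconds) of the last alert

function tap.packet(pinfo, tvb)
    hits = hits + 1
    local len = f_udp_len()
    local now = pinfo.abs_ts   -- capture timestamp, also valid when reading files

    -- One line per match: frame number, length and time for later review.
    print(string.format('match #%d: frame %d, udp.length=%s, t=%.3f',
        hits, pinfo.number, len and tostring(len.value) or '?', now))

    -- The "flag": stay quiet until COOLDOWN_SECS of capture time has passed
    -- since the previous alert, so a burst produces a single dialog.
    if last_alert and (now - last_alert) < COOLDOWN_SECS then
        return
    end
    last_alert = now

    if gui_enabled() then
        report_failure(string.format('Watcher: frame %d matched\n%s',
            pinfo.number, FILTER))
    else
        io.stderr:write('\007')   -- terminal bell when run under tshark
    end
end

-- Clear the counters whenever Wireshark resets the tap.
function tap.reset()
    hits = 0
    last_alert = nil
end
```

The cooldown is measured in capture time rather than wall-clock time, so the same script behaves consistently on a live capture and when replaying saved capture files.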