Wireshark mailing list archives

Re: LUA-script in Tshark


From: "Maynard, Chris via Wireshark-users" <wireshark-users () wireshark org>
Date: Mon, 3 Aug 2020 15:08:09 +0000

-----Original Message-----
From: Wireshark-users <wireshark-users-bounces () wireshark org> On
Behalf Of Gisle Vanem
Sent: Saturday, August 1, 2020 2:54 AM
To: wireshark-users <wireshark-users () wireshark org>
Subject: [Wireshark-users] LUA-script in Tshark

Hello list.

I use this .lua-script:
   https://github.com/VE3NEA/Afedri-Dissector/blob/master/afedri.lua

to dissect traffic to/from my newly acquired short-wave radio.
First I used windump to generate a 4GByte capture (10 minutes of control +
data on port 50000). Then wanting to see the details of these Afedri
protocols, I started Tshark in verbose mode (-V):
   tshark -X afedri.lua -V -O Afedri,Afedri-iq -c20 -r recording-1.pcap | less

But I get lines like:

   Frame 1-3: the 3-way TCP handshake. Why does tshark print this when I
      used the '-O' option.

The -O option only causes the specific protocols to be expanded, but it doesn't prevent the summary lines from being 
printed for all frames.  If you only want Afedri or Afedri-IQ protocols displayed, then you should use a display filter 
(e.g., -Y "afedri or afedri-iq")  to limit the frames displayed.  Incidentally, if you use -O, you don't need -V.  You 
can think of -V as expanding all protocols and -O as only expanding those specific protocols you list.  In fact, this 
is what the man page says about the option:

-O <protocols>

    Similar to the -V option, but causes TShark to only show a detailed view of the comma-separated list of protocols 
specified, and show only the top-level detail line for all other protocols, rather than a detailed view of all 
protocols. Use the output of "tshark -G protocols" to find the abbreviations of the protocols you can specify.

   Frame 4: 63 bytes on wire (504 bits), 63 bytes captured (504 bits)
   Ethernet II, Src: ASUSTekC_81:2e:ea (e0:3f:49:81:2e:ea), Dst:
e6:1f:35:31:35:30 (e6:1f:35:31:35:30)
   Internet Protocol Version 4, Src: 10.0.0.10, Dst: 10.0.0.50
   Transmission Control Protocol, Src Port: 51974, Dst Port: 50000, Seq: 1, Ack:
1, Len: 9
   Afedri Protocol Data

   Frame 5: 63 bytes on wire (504 bits), 63 bytes captured (504 bits)
   Ethernet II, Src: e6:1f:35:31:35:30 (e6:1f:35:31:35:30), Dst:
ASUSTekC_81:2e:ea (e0:3f:49:81:2e:ea)
   Internet Protocol Version 4, Src: 10.0.0.50, Dst: 10.0.0.10
   Transmission Control Protocol, Src Port: 50000, Dst Port: 51974, Seq: 1, Ack:
10, Len: 9
   Afedri Protocol Data
   ....

This is strange.  You *should* be seeing the Afedri details; it's almost as if the name of the protocol doesn't match 
so you're not seeing expanded details.  When I place the afedri.lua script in my Wireshark plugins directory and run 
"tshark -G protocols | grep Afedri", I get:

Afedri TCP Control Protocol     AFEDRI  afedri
Afedri UDP Data Protocol        AFEDRI-IQ       afedri-iq

So is this case-sensitive?  Maybe try with lower-case instead?
tshark -X afedri.lua -O afedri,afedri-iq -c20 -r recording-1.pcap | less

If that doesn't help, then do you get Afedri details if you omit Afedri-iq from the -O option?  Do you get Afedri 
details with only -V and no -O?

Although I get details for the data-protocol (which uses UDP):
   Frame 20: 1070 bytes on wire (8560 bits), 1070 bytes captured (8560 bits)
   Ethernet II, Src: e6:1f:35:31:35:30 (e6:1f:35:31:35:30), Dst:
ASUSTekC_81:2e:ea (e0:3f:49:81:2e:ea)
   Internet Protocol Version 4, Src: 10.0.0.50, Dst: 10.0.0.10
   User Datagram Protocol, Src Port: 50000, Dst Port: 50000
   Afedri Protocol Data
       header: 0x8404 (16-Bit data, large packet)
       sequence number: 58371 (0xE403)
       I/Q data, 256 2x16-bit samples
            (  -176,    -40)(   169,      3)(   110,   -131)(  -110,   -133)
            (    24,    192)(   129,   -142)(  -115,      4)(    81,    138)
            (   131,    -88)(  -216,   -141)(  -105,    115)(    95,    -78)
            (    89,   -187)(    -6,    115)(   119,    -58)(  -119,    -55)
            ...

I'd like more packet details, but only for protocols specified with '-O'. Is this
an issue with the Afedri.lua script, Tshark or did I use the script wrong? Is this
possible?

Possibly you used the script wrong if the name of the protocol specified for the -O option is case-sensitive.  And as I 
pointed out above, you are seeing other frames because -O doesn't limit summary lines; you need a display filter -Y for 
that.  The script itself does have at least one problem though, and that is that it doesn't handle TCP reassembly.  I 
don't know if this protocol data could ever span more than one TCP data segment, but if so, dissection won't work 
properly in those cases, so it'd probably be better if the script were modified to handle reassembly regardless.

PS. The page at https://wiki.wireshark.org/Lua
     specifies one has to use '-X lua_script:file'. That prefix seems
     not needed.

The prefix is definitely needed.  I think you may have the script stored in a file location that tshark automatically 
picks up, for example in %APPDATA%\Wireshark\plugins.  Try running Wireshark and check "Help -> About Wireshark -> 
Plugins"; if Wireshark lists afedri.lua there, then tshark will also see it by default too.  Of course, if that's the 
case then you don't need to bother specifying the "-X lua_script:file" option at all.


--
--gv
Hopefully at least some of this helps.
-- Chris
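The reassembly problem Chris raises above is the standard one for Lua dissectors of TCP-carried protocols: the dissector is handed whatever bytes TCP delivered in one segment, so a message that is split across segments (or several messages packed into one segment) is mis-dissected unless the script asks TCP to reassemble. The following script is an added example, not part of the original thread and not the afedri.lua script; it dissects a hypothetical length-prefixed protocol ("hypo", a 2-byte big-endian total-length header followed by payload, registered on the made-up port 55555) and shows the pinfo.desegment_offset / pinfo.desegment_len idiom that a script like afedri.lua would need in order to handle messages spanning more than one TCP segment.

```lua
-- Added example: hypothetical length-prefixed TCP protocol with reassembly.
-- Message layout (constructed for this example, not the Afedri format):
--   uint16 big-endian total_len (includes the 2 header bytes) | payload
local hypo = Proto("hypo", "Hypothetical length-prefixed protocol")

local f_len     = ProtoField.uint16("hypo.len",     "Total length", base.DEC)
local f_payload = ProtoField.bytes ("hypo.payload", "Payload")
hypo.fields = { f_len, f_payload }

local HDR_LEN = 2

function hypo.dissector(tvb, pinfo, tree)
    pinfo.cols.protocol = "HYPO"
    local offset = 0

    -- Loop: a single TCP segment may carry several messages back to back.
    while offset < tvb:len() do
        local remaining = tvb:len() - offset

        -- Case 1: not even the header is here yet. Ask TCP for one more
        -- segment and tell it where our unfinished message starts.
        if remaining < HDR_LEN then
            pinfo.desegment_offset = offset
            pinfo.desegment_len = DESEGMENT_ONE_MORE_SEGMENT
            return
        end

        local msg_len = tvb(offset, HDR_LEN):uint()

        -- Guard against a malformed length that would never advance the
        -- loop (or would claim a header smaller than the header itself).
        if msg_len < HDR_LEN then
            tree:add(hypo, tvb(offset, remaining)):append_text(
                " [malformed: length " .. msg_len .. " < header size]")
            return
        end

        -- Case 2: header is complete but the body is not. Request exactly
        -- the missing byte count; TCP re-invokes us with the full message.
        if remaining < msg_len then
            pinfo.desegment_offset = offset
            pinfo.desegment_len = msg_len - remaining
            return
        end

        -- Case 3: a whole message is available; dissect it.
        local subtree = tree:add(hypo, tvb(offset, msg_len),
            "Hypo message, " .. msg_len .. " bytes")
        subtree:add(f_len, tvb(offset, HDR_LEN))
        if msg_len > HDR_LEN then
            subtree:add(f_payload, tvb(offset + HDR_LEN, msg_len - HDR_LEN))
        end

        offset = offset + msg_len
    end
end

-- Port 55555 is a placeholder chosen for this example.
DissectorTable.get("tcp.port"):add(55555, hypo)
```

Run it against a capture with the script passed explicitly, and combine the two options discussed in the thread: `-O hypo` expands only this protocol's tree, while `-Y hypo` is what actually restricts the output to frames that contain it, so `tshark -X lua_script:hypo.lua -O hypo -Y hypo -r capture.pcap`. The two desegment cases are deliberately separate: DESEGMENT_ONE_MORE_SEGMENT is the only sensible request when the length field itself is incomplete, whereas once the header has been read the exact shortfall can be requested, which avoids an extra round through the dissector.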