Wireshark is a popular protocol analyzer for network and other packet-based protocols. Each protocol is decoded by its own dissector. The built-in dissectors are compiled into Wireshark, but Wireshark also provides a Lua interface for defining and registering new dissectors without rebuilding anything.

Generating pcap with scapy

I am using scapy to generate a pcap for a made-up protocol with two fields: a 2-byte big-endian len and a variable-length name whose length is given by len. In this example, I am writing 2 packets to the pcap.

from scapy.all import Packet, ShortField, StrLenField, wrpcap
from scapy.data import DLT_NULL

class Disney(Packet):
    name = "DisneyPacket"
    fields_desc = [
        ShortField("len", 0),                                       # 2-byte big-endian length
        StrLenField("name", "", length_from=lambda pkt: pkt.len),   # lets scapy parse it back too
    ]

pkt = [Disney(len=6, name="foobar"),
       Disney(len=7, name="hhhfffk")]

# linktype=DLT_NULL (0) gives each frame a Null/Loopback link layer.
# append=True adds to an existing file, so delete disney.pcap before re-running.
wrpcap('disney.pcap', pkt, append=True, linktype=DLT_NULL)

Dissector

To install the dissector, copy it to ~/.local/lib/wireshark/plugins/ (the personal plugin directory on Linux). Wireshark and tshark load the Lua scripts from there at start-up, so restart them after editing the file. For a one-off test you can also pass the script directly with tshark -X lua_script:t.lua.

mkdir -p ~/.local/lib/wireshark/plugins && cp t.lua ~/.local/lib/wireshark/plugins/t.lua

The dissector defines two fields, len and name, and registers the proto with register_postdissector. A post-dissector runs after every other dissector on every frame and receives the whole frame as its buffer, which is why it can read len from offset 0 even though the Null/Loopback dissector has already claimed those bytes. The dissector function reads the 2-byte big-endian len with TvbRange:uint() and adds both fields to the tree with subtree:add (subtree:add_le is only for little-endian integer fields, and len here is big-endian). Because len comes from the packet, it must be checked against the buffer length before it is used as a slice length; otherwise a malformed frame produces a Lua error in the tree instead of a clean "malformed" mark.

print("loaded")

-- Proto(name, description); the name is also the display-filter prefix
local myproto = Proto("swapper", "Dummy proto to edit info column")

-- len is a 2-byte big-endian unsigned integer, name a variable-length string
local f_len  = ProtoField.uint16("swapper.len", "len", base.DEC)
local f_name = ProtoField.string("swapper.name", "name")

myproto.fields = { f_len, f_name }

-- the dissector function callback; as a post-dissector, buffer is the whole frame
function myproto.dissector(buffer, pinfo, tree)

  local length = buffer:len()
  if length < 2 then return end

  pinfo.cols.protocol = myproto.name

  local subtree = tree:add(myproto, buffer(), "swapper Protocol")

  subtree:add(f_len, buffer(0, 2))
  -- read the value as an integer; tonumber() on a TvbRange does not do this
  local s = buffer(0, 2):uint()

  -- never slice past the end of the frame: a bad len would raise a Lua error
  if 2 + s > length then
    subtree:add_expert_info(PI_MALFORMED, PI_ERROR, "len exceeds frame length")
    return
  end
  subtree:add(f_name, buffer(2, s))
end

register_postdissector(myproto)
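The scapy section above fixes the on-wire layout (2-byte big-endian len, then name) and the Lua dissector re-reads it from the whole frame. As an added example that is not part of the original post, here is a dependency-free Python reference for both halves: it builds the same two frames, writes and reads back a classic pcap with link type DLT_NULL the way wrpcap does, shows which four bytes the built-in Null/Loopback dissector takes as its header, and parses a frame with the bounds check on len that a dissector needs. The function names, the malformed sample frame and the output file name disney_ref.pcap are my own choices, not the post's.

```python
import struct

DLT_NULL = 0  # pcap link type 0 (BSD loopback), the linktype the scapy call uses


def build_disney(name: bytes) -> bytes:
    """Serialise one frame: 2-byte big-endian len followed by name.

    This is the byte layout scapy's ShortField + StrLenField produce.
    """
    return struct.pack(">H", len(name)) + name


def parse_disney(frame: bytes) -> dict:
    """Reference parser doing what the Lua dissector does on the whole frame.

    It checks len against the bytes actually present, which is the check a
    dissector needs before slicing the buffer with a packet-supplied length.
    """
    if len(frame) < 2:
        raise ValueError("frame too short for the 2-byte len field")
    (length,) = struct.unpack(">H", frame[:2])
    if 2 + length > len(frame):
        raise ValueError(f"len={length} but only {len(frame) - 2} bytes follow it")
    return {"len": length, "name": frame[2:2 + length]}


def null_link_view(frame: bytes):
    """What the built-in Null/Loopback dissector does with a DLT_NULL frame:
    the first 4 bytes are its link-layer header and only the rest is payload."""
    return frame[:4], frame[4:]


def write_pcap(frames, linktype=DLT_NULL) -> bytes:
    """Minimal classic pcap writer (magic 0xa1b2c3d4, version 2.4), equivalent
    to wrpcap(..., linktype=DLT_NULL) for our purposes; timestamps are synthetic."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, linktype)
    for i, frame in enumerate(frames):
        # per-record header: ts_sec, ts_usec, incl_len, orig_len
        out += struct.pack("<IIII", i, 0, len(frame), len(frame)) + frame
    return out


def read_pcap(data: bytes):
    """Parse a classic little-endian pcap back into (linktype, [frames])."""
    (magic,) = struct.unpack("<I", data[:4])
    if magic != 0xA1B2C3D4:
        raise ValueError("not a little-endian classic pcap")
    (linktype,) = struct.unpack("<I", data[20:24])
    frames, off = [], 24
    while off + 16 <= len(data):
        incl_len = struct.unpack("<IIII", data[off:off + 16])[2]
        frames.append(data[off + 16:off + 16 + incl_len])
        off += 16 + incl_len
    return linktype, frames


if __name__ == "__main__":
    frames = [build_disney(b"foobar"), build_disney(b"hhhfffk")]
    pcap = write_pcap(frames)
    with open("disney_ref.pcap", "wb") as fh:  # assumed name; open it with tshark -V -r
        fh.write(pcap)
    for frame in read_pcap(pcap)[1]:
        hdr, rest = null_link_view(frame)
        print(len(frame), "bytes:", parse_disney(frame),
              "| Null/Loopback header", hdr.hex(), "leaves", rest)
    # constructed malformed frame: len claims 16 bytes but only 6 follow
    try:
        parse_disney(b"\x00\x10foobar")
    except ValueError as err:
        print("rejected:", err)
```

The 8- and 9-byte frame sizes and the 4-byte "obar"/"hfffk" leftovers match what tshark reports below; the rejected frame is the case the Lua code has to guard against before calling buffer(2, s).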

Running tshark

tshark -V -r disney.pcap

and voila! Note that the built-in Null/Loopback dissector treats the first four bytes of each frame (00 06 66 6f, shown as Type 0x666f) as its link-layer header, so the generic Data dissector only sees "obar", while the post-dissector decodes the whole frame:

Frame 1: 8 bytes on wire (64 bits), 8 bytes captured (64 bits)
Null/Loopback
    Type: Unknown (0x666f)
Data (4 bytes)

0000  6f 62 61 72                                       obar
    Data: 6f626172
    [Length: 4]
swapper Protocol
    len: 6
    name: foobar

Frame 2: 9 bytes on wire (72 bits), 9 bytes captured (72 bits)
Null/Loopback
    Type: Unknown (0x6868)
Data (5 bytes)

0000  68 66 66 66 6b                                    hfffk
    Data: 686666666b
    [Length: 5]
swapper Protocol
    len: 7
    name: hhhfffk