Wireshark is a popular protocol analyzer used for network and other packet-based protocols. It uses a dissector for each protocol. The protocols are built in, but Wireshark also provides a Lua interface to define and register new dissectors.
Generating pcap with scapy
I am using scapy to generate a pcap for a made-up protocol with two fields, name and len. In this example, I am generating 2 packets in the pcap.
from scapy.all import *

class Disney(Packet):
    name = "DisneyPacket"
    fields_desc = [
        ShortField("len", 0),                                 # 2-byte big-endian length
        StrLenField("name", "", length_from=lambda p: p.len)  # name, len bytes long
    ]

pkt = [Disney(len=6, name="foobar"),
       Disney(len=7, name="hhhfffk")]

# linktype DLT_NULL writes each packet as a raw BSD loopback frame.
# append=True keeps packets already in disney.pcap, so a second run gives four frames.
wrpcap('disney.pcap', pkt, append=True, linktype=DLT_NULL)
Dissector
To install the dissector, copy it to ~/.local/lib/wireshark/plugins/. Wireshark (and tshark) load the Lua scripts on start up.
cp t.lua ~/.local/lib/wireshark/plugins/t.lua
The dissector defines 2 fields, len and name, and eventually registers the proto with register_postdissector. The dissector adds the two fields to the Wireshark tree with subtree:add_le.
print("loaded")  -- visible on the tshark/Wireshark console when the plugin is picked up
local myproto = Proto("swapper", "Dummy proto to edit info column")

-- the two fields, filterable as swapper.len and swapper.name
-- len is a 2-byte field (ShortField on the scapy side), so declare it as uint16
local f_len  = ProtoField.uint16("swapper.len", "len", base.DEC)
local f_name = ProtoField.string("swapper.name", "name")
myproto.fields = { f_len, f_name }

-- the dissector function callback
function myproto.dissector(buffer, pinfo, tree)
    local length = buffer:len()
    if length < 2 then return end            -- no room for the len field
    pinfo.cols.protocol = myproto.name
    local subtree = tree:add(myproto, buffer(), "swapper Protocol")
    subtree:add(f_len, buffer(0, 2))
    -- read len as a big-endian integer; tonumber(buffer(0,2)) only worked
    -- because the hex string "0006" happens to parse as decimal 6
    local s = buffer(0, 2):uint()
    if 2 + s > length then return end        -- len overruns the frame
    subtree:add_le(f_name, buffer(2, s))
end

register_postdissector(myproto)
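As an added example (not code from the original post), here is a stdlib-only Python version of both halves of it: a writer that produces the same DLT_NULL pcap without scapy, and a parser for the len + name format that reads len as a big-endian integer and bounds-checks it, next to a reproduction of the tonumber(buffer(0,2)) idiom to show where that idiom goes wrong. The function names and the Disney label are my own.

```python
import struct

DLT_NULL = 0  # pcap link type the post's scapy call uses (BSD loopback)

def build_disney(name: bytes) -> bytes:
    """Serialise one made-up Disney packet: 2-byte big-endian len + name."""
    return struct.pack(">H", len(name)) + name

def dissect_disney(buf: bytes):
    """Parse len + name the way the Lua dissector should: read len as a
    big-endian integer and refuse packets whose len overruns the buffer."""
    if len(buf) < 2:
        raise ValueError("short packet: no len field")
    (n,) = struct.unpack(">H", buf[:2])  # equivalent of buffer(0,2):uint()
    if 2 + n > len(buf):
        raise ValueError(f"len={n} but only {len(buf) - 2} bytes follow")
    return n, buf[2:2 + n]

def lua_hex_len(buf: bytes):
    """Reproduce the post's tonumber(buffer(0,2)) idiom. Lua stringifies the
    TvbRange as a hex string ('0006'), so tonumber reads the digits as decimal
    and returns nil (None here) as soon as a hex letter appears."""
    h = buf[:2].hex()
    return int(h, 10) if h.isdigit() else None

def pcap_bytes(payloads, linktype=DLT_NULL) -> bytes:
    """Stdlib replacement for wrpcap(): classic pcap global header followed by
    one 16-byte record header per packet, all little-endian."""
    out = [struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, linktype)]
    for i, p in enumerate(payloads):
        out.append(struct.pack("<IIII", i, 0, len(p), len(p)) + p)
    return b"".join(out)

if __name__ == "__main__":
    pkts = [build_disney(b"foobar"), build_disney(b"hhhfffk")]
    with open("disney.pcap", "wb") as f:      # same file name as the post
        f.write(pcap_bytes(pkts))
    for p in pkts:
        print(dissect_disney(p))
    # a 16-byte name gives len '0010', which the tonumber trick reads as 10
    long_pkt = build_disney(b"0123456789abcdef")
    print(lua_hex_len(long_pkt), "vs", dissect_disney(long_pkt)[0])
```

The Null/Loopback line in the tshark output shows Wireshark treating the first four payload bytes as the DLT_NULL family header; the post-dissector still receives the whole frame, which is why reading len at offset 0 works.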
Running tshark
tshark -V -r disney.pcap
and voila!
Frame 1: 8 bytes on wire (64 bits), 8 bytes captured (64 bits)
Null/Loopback
Type: Unknown (0x666f)
Data (4 bytes)
0000 6f 62 61 72 obar
Data: 6f626172
[Length: 4]
swapper Protocol
len: 6
name: foobar
Frame 2: 9 bytes on wire (72 bits), 9 bytes captured (72 bits)
Null/Loopback
Type: Unknown (0x6868)
Data (5 bytes)
0000 68 66 66 66 6b hfffk
Data: 686666666b
[Length: 5]
swapper Protocol
len: 7
name: hhhfffk