Scripting with Wireshark's Lua API
3 min |  Ross Jacobs |  March 3, 2019

Quicklinks: Wireshark: Lua API docs | Lua Examples

Lua scripting lets you dynamically access information that Wireshark does not normally expose! Examples will be added at some point.

To use a Lua script with tshark, pass the option -X lua_script:<path/to/script>.
Obligatory Hello World example, capturing one packet:

bash$ echo 'print("Hello World!")' > temp.lua
bash$ tshark -X lua_script:temp.lua -c 1
Hello World!
Capturing on 'Wi-Fi: en0'
    1   0.000000 178.33.111.155 → mbp.attlocal.net TLSv1.2 839 Application Data
5 packets dropped from Wi-Fi: en0
1 packet captured
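Beyond Hello World, a script loaded with -X lua_script can register a full dissector. The following is an added example, not code from this page or from any project listed below: it dissects a hypothetical protocol (assumed layout: 1-byte type, 2-byte big-endian payload length, then payload; the "exudp" names and UDP port 40000 are assumptions) and raises expert info when a packet's declared length exceeds the bytes actually present, so truncated or malformed traffic stands out in the Expert Info dialog and in a display filter.

```lua
-- exudp.lua: added example dissector for a hypothetical protocol (assumed layout:
-- 1-byte type, 2-byte big-endian payload length, payload). Not a real protocol.
local proto = Proto("exudp", "Example UDP Protocol")

local type_names = { [1] = "Hello", [2] = "Data", [3] = "Bye" }
local f_type    = ProtoField.uint8 ("exudp.type",    "Type",   base.DEC, type_names)
local f_len     = ProtoField.uint16("exudp.len",     "Length", base.DEC)
local f_payload = ProtoField.bytes ("exudp.payload", "Payload")
proto.fields = { f_type, f_len, f_payload }

-- Expert info makes bad lengths visible under Analyze > Expert Information and
-- filterable as "exudp.badlen" in tshark/Wireshark.
local ef_badlen = ProtoExpert.new("exudp.badlen",
    "Declared length exceeds bytes present",
    expert.group.MALFORMED, expert.severity.ERROR)
proto.experts = { ef_badlen }

local HEADER_LEN = 3

function proto.dissector(tvb, pinfo, tree)
  -- Too short to hold even a header: decline so other dissectors may try.
  if tvb:len() < HEADER_LEN then return 0 end

  pinfo.cols.protocol = "EXUDP"
  local subtree = tree:add(proto, tvb(), "Example UDP Protocol")
  subtree:add(f_type, tvb(0, 1))
  subtree:add(f_len,  tvb(1, 2))

  local declared = tvb(1, 2):uint()        -- what the sender claims
  local present  = tvb:len() - HEADER_LEN  -- what is actually in the packet
  if declared > present then
    -- Never trust the length field: slicing tvb(3, declared) here would raise a
    -- Lua error and abort the dissection. Flag it instead.
    subtree:add_proto_expert_info(ef_badlen,
        string.format("declared %d bytes, only %d present", declared, present))
  end
  -- Show only the bytes that exist, whatever the header says.
  local shown = math.min(declared, present)
  if shown > 0 then subtree:add(f_payload, tvb(HEADER_LEN, shown)) end

  pinfo.cols.info = string.format("type=%d len=%d", tvb(0, 1):uint(), declared)
  return tvb:len()
end

-- Port 40000 is an assumption for this example; bind to whatever your traffic uses.
DissectorTable.get("udp.port"):add(40000, proto)
```

Run it against a capture with tshark -X lua_script:exudp.lua -r capture.pcap -Y exudp.badlen to list only the packets whose length field does not match what was captured.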

Metaprogramming

There are two libraries I came across that are more metaprogramming than Lua dissectors:

  • kaitai-to-wireshark: Convert a Kaitai struct binary file description to a Lua Plugin. Only some elements are supported.
  • pyreshark: Use Python instead of Lua to communicate with Wireshark. Limited to Python 2.6/2.7.

Lua Dissectors

I’ve compiled a list of the most popular Lua dissectors on GitHub.

Have a dissector you want added to this list? Has a dissector been merged into Wireshark? Make a pull request.

Repo Metrics

A ✔ is given for each of the following (in order of importance):

  • D: Has Documentation in the form of a README. Ideally, this includes separate installation and usage sections.
  • T: One or more of: Test code / CI/CD / Examples folder
  • I: Has Issues opened or closed by a different user
  • R: Has a GitHub Release or version. Lacking one may mean that the project is not yet stable.
  • C: Has multiple Contributors (>1)

Star and fork counts are as of August 2019 [★] and could be converted to an in-browser JavaScript GitHub API query. The repos below are on GitHub and have at least 5 stars. None of these repos have been tested.

Note: Any derivative works of Wireshark MUST use a GPL2-compatible license.

GitHub Dissector List

| Name | Protocol | D | T | I | R | C | License | Last Updated | ★ | Forks | Lang |
|---|---|---|---|---|---|---|---|---|---|---|---|
| protobuf_dissector | protobuf | | | | | | MIT | 2015-09 | 92 | 43 | Lua |
| h264extractor | H.264, opus | | | | | | GPL2 | 2016-06 | 66 | 32 | Lua |
| SAP-Dissection-plug-in-for-Wireshark | SAP Various | | | | | | GPL2 | 2019-05 | 51 | 21 | C |
| suriwire | Suricata Alert | | | | | | GPL3 | 2018-06 | 49 | 6 | Lua |
| lightning-dissector | Lightning Network (crypto) | | | | | | MIT | 2019-05 | 41 | 6 | Lua |
| ethereum_devp2p_wireshark_dissector | devp2p (crypto) | | | | | | | 2018-06 | 38 | 5 | Lua |
| wireshark-plugins | CAPN PROTO | | | | | | Apache2 | 2016-08 | 34 | 10 | Lua |
| cautious-rotary-phone | Erlang Trace | | | | | | Apache2 | 2018-06 | 24 | 2 | Lua |
| wireshark-http-extra | HTTP with extras | | | | | | | 2011-09 | 23 | 6 | Lua |
| wireshark-plugin | Interface for Cloudshark | | | | | | GPL2 | 2019-01 | 20 | 6 | Lua |
| hep-wireshark | HEP3 | | | | | | GPL2 | 2019-01 | 13 | 8 | Lua |
| WiresharkLIFXDissector | LIFX | | | | | | GPL3 | 2018-02 | 12 | 0 | Lua |
| wireshark-plugin-dash | Dash (crypto) | | | | | | GPL2 | 2018-10 | 11 | 3 | C |
| amos-ss16-proj3 | DOIP | | | | | | AGPL3 | 2017-01 | 8 | 6 | C |
| wireshark-plugin-mqtt | MQTT | | | | | | GPL2 | 2014-02 | 8 | 4 | None |
| wireshark-stomp-plugin | STOMP | | | | | | GPL2 | 2017-05 | 7 | 4 | Lua |
| wireshark-plugin-afdx | AFDX | | | | | | GPL2 | 2019-06 | 6 | 1 | C |
| tox_decoder | Tox | | | | | | | 2018-10 | 6 | 2 | C |
| wireshark-plugin-rhcs | Redhat Cert Protocols | | | | | | GPL2 | 2014-01 | 5 | 2 | C |
| some-ip-dissector | SOME/IP | | | | | | GPL2 | 2019-01 | 5 | 2 | Lua |
| lppb | protobuf | | | | | | GPL3 | 2016-03 | 5 | 2 | Lua |
| rfc8450-vc2-dissector | RFC8450 | | | | | | GPL2 | 2018-09 | 5 | 0 | Lua |