You have a custom protocol and would like to give your users the ability to visualize it in Wireshark? If your answer is yes, this post is for you.
I recommend using Wireshark’s embedded Lua interpreter, and its API for Lua. It is the easiest way to prototype dissectors which, for performance reasons, may later be rewritten in C. At the time of writing, I am still using Wireshark 1.2.1, but you might consider using the latest version.
Let us begin with some sample code.
Protocol dissector script in Lua
We use a chained dissector: it adds the ability to dissect packets of an existing protocol, such as packets destined to a particular TCP port, and it receives only the payload part of the original protocol packet as the input buffer of the dissector function.
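Because the original sample script is not reproduced here, the following is an added example of such a chained dissector (not the post's own code). The protocol layout (1-byte version, 1-byte message type, 2-byte big-endian payload length, then the payload), the TCP port 9000 and all field names are assumptions for illustration. Since the dissector runs inside the Wireshark process on untrusted packet data, it checks the buffer length before every read and flags a declared length that exceeds the captured payload instead of indexing past the buffer.

```lua
-- Added example: chained dissector for a hypothetical "MYPROTO" carried over
-- TCP port 9000. Layout, port and field names are assumptions, not from the post.
-- Header: version (1 byte), type (1 byte), payload length (2 bytes, big-endian),
-- followed by <length> bytes of payload.

local myproto = Proto("myproto", "My Custom Protocol")

-- Field definitions: filter name, display name, display base.
local f_version = ProtoField.uint8("myproto.version", "Version", base.DEC)
local f_type    = ProtoField.uint8("myproto.type", "Message Type", base.HEX)
local f_length  = ProtoField.uint16("myproto.length", "Payload Length", base.DEC)
local f_payload = ProtoField.bytes("myproto.payload", "Payload")

myproto.fields = { f_version, f_type, f_length, f_payload }

local HEADER_LEN = 4

-- `buffer` holds only the TCP payload; the TCP dissector has already consumed its header.
function myproto.dissector(buffer, pinfo, tree)
    local buflen = buffer:len()
    -- Never trust the wire: a packet shorter than the header is not ours to parse.
    if buflen < HEADER_LEN then
        return 0
    end

    pinfo.cols.protocol = "MYPROTO"

    local subtree = tree:add(myproto, buffer(), "My Custom Protocol")
    subtree:add(f_version, buffer(0, 1))
    subtree:add(f_type, buffer(1, 1))

    local declared = buffer(2, 2):uint()
    local len_item = subtree:add(f_length, buffer(2, 2))

    local available = buflen - HEADER_LEN
    if declared > available then
        -- Declared length exceeds what was captured: annotate and show only what exists.
        len_item:append_text(" [declared length exceeds captured payload]")
        if available > 0 then
            subtree:add(f_payload, buffer(HEADER_LEN, available))
        end
        pinfo.cols.info = "MYPROTO (truncated)"
        return buflen
    end

    if declared > 0 then
        subtree:add(f_payload, buffer(HEADER_LEN, declared))
    end
    pinfo.cols.info = string.format("MYPROTO type=0x%02x len=%d",
                                    buffer(1, 1):uint(), declared)
    return HEADER_LEN + declared
end

-- Chain onto the TCP port table so Wireshark hands port 9000 payloads to this dissector.
DissectorTable.get("tcp.port"):add(9000, myproto)
```

Once loaded, packets on port 9000 show a "My Custom Protocol" subtree, and the fields are usable in display filters such as myproto.type == 0x01. Messages split across TCP segments are not reassembled by this minimal version; the length check simply reports them as truncated.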
Running the Lua script in Wireshark
Here are the steps required to get the above code running. If your Wireshark version is 1.4 or newer, skip step 3.
- Edit and save the Lua script above to any folder (e.g. c:\myproto) and call the file myproto.lua
- Open init.lua in the Wireshark installation directory for editing. You will need Admin privileges on Windows Vista and 7.
- Comment out the following line in init.lua (single-line comments in Lua begin with --):
disable_lua = true; do return end;
- Add the following lines to init.lua (at the very end):
- Change MYPROTO_SCRIPT_PATH so that it points to the folder where you saved the script in step 1
- Run Wireshark
- Load a capture file that has the packets of your custom protocol or start a live capture
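The lines that step 4 appends to init.lua are not reproduced on this page; the fragment below is an added example of what they look like (not the post's own lines). The folder path is an assumption and must match the folder chosen in step 1; on Windows the backslashes are doubled because they sit inside a Lua string.

```lua
-- Added example of the two lines appended to the end of init.lua.
-- The path is an assumption: point it at the folder from step 1 (trailing separator included).
MYPROTO_SCRIPT_PATH = "c:\\myproto\\"
-- dofile executes the dissector script in the same Lua state as init.lua,
-- which registers the protocol and its TCP port binding at Wireshark start-up.
dofile(MYPROTO_SCRIPT_PATH .. "myproto.lua")
```

If the script has a syntax error, Wireshark reports it in a dialog at start-up and the protocol simply does not appear; fix the script and restart Wireshark.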
Here’s a figure that shows the protocol dissector in action.