Wireshark-dev: Re: [Wireshark-dev] Wireshark-dev: Re: Lua embedded into C++
From: Peter Wu <peter@xxxxxxxxxxxxx>
Date: Fri, 17 Mar 2017 12:31:54 +0100
On Thu, Mar 16, 2017 at 08:45:34PM +0000, Kunal Thakrar wrote:
> Hi Peter,
> 
> So if using the Lua API, if I put a script which primes the fields I
> am interested in within the plugins folder I will be able to access
> information such as the IP addresses (to see which TCP connection it
> was part of) and any information about the HTTP packets (obviously if
> it was, in fact, part of a TCP connection).

Yes, here you can find some examples of doing this in Lua:
https://github.com/Lekensteyn/lglaf/blob/master/lglaf.lua
https://git.lekensteyn.nl/peter/wireshark-notes/tree/lua/r8152.lua

See "usb_transfer_type". Note that the number of returned values may be
larger than 1. In case you want to access all addresses, you could try
something like:

    local ip_addr = Field.new("ip.addr")
    local my_proto = Proto.new("my_proto", "My Proto")
    function my_proto.dissect(tvb, pinfo, tree)
        -- Note: Lua language feature: if my_proto returns more than 1
        -- item, using it as last element of the array results in
        -- appending all returned values to this array
        local fields = { my_proto() }
        -- ...
    end
    register_postdissector(my_proto)

Alternatively, use ip.src and ip.dst for specific addresses (but note
that in case of tunneled traffic you may still have multiple
occurrences).
-- 
Kind regards,
Peter Wu
https://lekensteyn.nl