Wireshark-users: [Wireshark-users] LUA-script in Tshark
From: Gisle Vanem <gisle.vanem@xxxxxxxxx>
Date: Sat, 1 Aug 2020 08:54:03 +0200
Hello list. I use this .lua-script: https://github.com/VE3NEA/Afedri-Dissector/blob/master/afedri.lua to dissect traffic to/from my newly acquired short-wave radio. First I used windump to generate a 4GByte capture (10 minutes of control + data on port 50000). Then, wanting to see the details of these Afedri protocols, I started Tshark in verbose mode (-V):

  tshark -X afedri.lua -V -O Afedri,Afedri-iq -c20 -r recording-1.pcap | less

But I get lines like:

Frames 1-3: the 3-way TCP handshake. Why does tshark print this when I used the '-O' option?

  Frame 4: 63 bytes on wire (504 bits), 63 bytes captured (504 bits)
  Ethernet II, Src: ASUSTekC_81:2e:ea (e0:3f:49:81:2e:ea), Dst: e6:1f:35:31:35:30 (e6:1f:35:31:35:30)
  Internet Protocol Version 4, Src: 10.0.0.10, Dst: 10.0.0.50
  Transmission Control Protocol, Src Port: 51974, Dst Port: 50000, Seq: 1, Ack: 1, Len: 9
  Afedri Protocol Data

  Frame 5: 63 bytes on wire (504 bits), 63 bytes captured (504 bits)
  Ethernet II, Src: e6:1f:35:31:35:30 (e6:1f:35:31:35:30), Dst: ASUSTekC_81:2e:ea (e0:3f:49:81:2e:ea)
  Internet Protocol Version 4, Src: 10.0.0.50, Dst: 10.0.0.10
  Transmission Control Protocol, Src Port: 50000, Dst Port: 51974, Seq: 1, Ack: 10, Len: 9
  Afedri Protocol Data
  ....

Although I get details for the data protocol (which uses UDP):

  Frame 20: 1070 bytes on wire (8560 bits), 1070 bytes captured (8560 bits)
  Ethernet II, Src: e6:1f:35:31:35:30 (e6:1f:35:31:35:30), Dst: ASUSTekC_81:2e:ea (e0:3f:49:81:2e:ea)
  Internet Protocol Version 4, Src: 10.0.0.50, Dst: 10.0.0.10
  User Datagram Protocol, Src Port: 50000, Dst Port: 50000
  Afedri Protocol Data
      header: 0x8404 (16-Bit data, large packet)
      sequence number: 58371 (0xE403)
      I/Q data, 256 2x16-bit samples
        ( -176, -40)( 169, 3)( 110, -131)( -110, -133)
        ( 24, 192)( 129, -142)( -115, 4)( 81, 138)
        ( 131, -88)( -216, -141)( -105, 115)( 95, -78)
        ( 89, -187)( -6, 115)( 119, -58)( -119, -55)
        ...

I'd like more packet details, but only for protocols specified with '-O'.

Is this an issue with the Afedri.lua script, Tshark, or did I use the script wrong? Is this possible?

PS. The page at https://wiki.wireshark.org/Lua specifies one has to use '-X lua_script:file'. That prefix seems not needed.

--
--gv
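A diagnostic to run alongside the question above, as an added example that is not from the original message or from the Afedri-Dissector project: it lists the filter names tshark registers once the Lua dissector is loaded (the names that -O and -Y take, as opposed to the protocol's full or short name) and assembles the verbose command with a display filter so that frames carrying none of the listed protocols, such as the TCP handshake, are not printed at all. The script path afedri.lua is taken from the post; the sample `-G protocols` rows are constructed so the script also runs where tshark is absent.

```shell
#!/bin/sh
# Added example, not part of the original post or the Afedri-Dissector project.
# tshark -G protocols prints tab-separated rows: full name, short name, filter
# name. -O (expand only these protocols) and -Y (display filter) both take the
# filter name from the third column.

filter_names_for() {   # $1 = text of -G protocols output, $2 = case-insensitive substring
    printf '%s\n' "$1" | awk -F'\t' -v pat="$2" \
        'tolower($1) ~ tolower(pat) || tolower($2) ~ tolower(pat) || tolower($3) ~ tolower(pat) { print $3 }'
}

# Build the tshark command: -X lua_script: loads the dissector (the prefix the
# wiki documents), -O expands only the listed protocols, and -Y skips frames
# that contain none of them, because -O on its own never suppresses a frame;
# it only collapses the other protocols to their top-level line.
build_command() {      # $1 = lua script, $2 = pcap file, $3.. = filter names
    script=$1; pcap=$2; shift 2
    olist=$(printf '%s,' "$@");    olist=${olist%,}
    ylist=$(printf '%s || ' "$@"); ylist=${ylist%" || "}
    printf 'tshark -X lua_script:%s -r %s -O %s -Y "%s" -c20 -V' \
        "$script" "$pcap" "$olist" "$ylist"
}

# Constructed sample of -G protocols output (assumed filter names, shown here
# only so the script runs offline); a real run replaces it below.
SAMPLE_G_OUTPUT=$(printf 'Afedri Protocol Data\tAfedri\tafedri\nAfedri I/Q Data\tAfedri-iq\tafedri-iq\nTransmission Control Protocol\tTCP\ttcp\n')

if command -v tshark >/dev/null 2>&1 && [ -f afedri.lua ]; then
    G_OUTPUT=$(tshark -X lua_script:afedri.lua -G protocols)
else
    G_OUTPUT=$SAMPLE_G_OUTPUT
fi

names=$(filter_names_for "$G_OUTPUT" afedri)
echo "Filter names matching 'afedri' (use these with -O and -Y):"
echo "$names"
# shellcheck disable=SC2086
echo "$(build_command afedri.lua recording-1.pcap $names)"
```

If the names printed differ in case or spelling from the ones passed to -O, that column is what the option has to receive.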