This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

Lua open_capture_file in tshark

0

I want to parse all files in a directory using a Lua tap. The tap is already working, but the problem now is opening snoop files from Lua in tshark. When I try this:

for filename in Dir.open("D:/snoop/","snoop")
do
    local logfile = filename..".csv"
    open_capture_file(filename)
end

I see:

tshark: Lua: Error during loading:
 [string "lua_tap_1.lua"]:88: open_capture_file: GUI not available
Capturing on Microsoft
0 packets captured

Is there anything like open_capture_file() for tshark (not GUI)?

asked 22 May '12, 05:31

tciops

edited 22 May '12, 06:27

helloworld


One Answer:

0

No, there is no Lua function to open a capture file in tshark (as can be seen in the Wireshark User Manual and wiki). Instead, you can use a shell script to pass the files to tshark for Lua tap processing. This would replace the Lua that opens the .snoop files.

For example, this bash script (tested in OSX) passes all .snoop files in the current directory to tshark (one file at a time), where tap.lua processes the file contents.

for x in *.snoop; do tshark -q -Xlua_script:/path/to/tap.lua -r "$x"; done

Parameters:

  • -q = silences the packet info output from processing the capture file
  • -Xlua_script = loads a Lua script (unnecessary if file is already in Lua initialization path)
  • -r = opens a capture file, prints packet info, and then exits

EDIT: No need for -v when -r is provided. In fact, -v prevents -r from doing anything.

answered 22 May '12, 06:24

helloworld

edited 23 May '12, 13:20

tested in OSX

...but it should work on all UN*Xes, and should work with other Bourne-compatible shells (Bourne shell, Korn shell, etc.). It should work on Windows with, for example, the Cygwin Bourne shell or other Bourne-compatible shells for Windows, although /path/to/tap.lua would become drive_and:\path\to\tap.lua.

(22 May '12, 11:26) Guy Harris ♦♦

for windows:

FOR /F "tokens=*" %F IN ('dir /b c:\temp\*.snoop') DO tshark.exe -q -r "c:\temp\%F" -Xlua_script:c:\temp\tap.lua

(22 May '12, 12:22) Kurt Knochner ♦

Or with Windows PowerShell:

ls C:\temp\*.snoop | % { tshark -q -r $_.FullName "-Xlua_script:C:\temp\tap.lua" }

(23 May '12, 02:00) grahamb ♦
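
A sturdier form of the shell loop from the answer, as an added example that is not part of the original thread: it skips an unmatched glob, tolerates spaces in file names, writes one CSV per capture as the question intended, and reports captures tshark could not read. It assumes tap.lua prints its CSV rows to stdout; the function name and the `TSHARK` override variable are made up for this example.

```shell
#!/usr/bin/env bash
# Added example, not code from the original thread.
# Assumptions: tap.lua prints its CSV rows to stdout; TSHARK (a name made up
# for this example) may point at a different tshark binary.

# run_tap_on_dir DIR TAP
# Runs the Lua tap over every *.snoop file in DIR, one tshark process per
# file, and writes NAME.csv next to each NAME.snoop.
# Returns 0 if every capture was processed, 1 if tshark failed on any of them.
run_tap_on_dir() {
    local dir="$1" tap="$2" tshark="${TSHARK:-tshark}"
    local f out failed=0

    for f in "$dir"/*.snoop; do
        # An unmatched glob stays literal; skip it rather than handing
        # "*.snoop" to tshark as a file name.
        [ -e "$f" ] || continue

        out="${f%.snoop}.csv"
        # -q suppresses the per-packet output, so only what the tap prints
        # ends up in the CSV. Write to a temp file first so a failed run
        # never leaves a truncated CSV behind.
        if "$tshark" -q -X "lua_script:$tap" -r "$f" > "$out.tmp"; then
            mv -- "$out.tmp" "$out"
        else
            echo "tshark failed on $f" >&2
            rm -f -- "$out.tmp"
            failed=$((failed + 1))
        fi
    done

    [ "$failed" -eq 0 ]
}

# Usage: run_tap_on_dir /path/to/snoop /path/to/tap.lua
```

Checking the return status matters when the CSVs feed later analysis: a capture that tshark could not read would otherwise simply be missing from the results.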