This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

How to change lua io.output (custom log file) every 5 minutes

0

Hi, I'm using tshark and Lua to extract data fields from the Diameter protocol in an endless loop and save them into a log file. It works great. But now I need to create a new logfile every 5 minutes. I can change io.output inside the tap.packet function, but it's not accurate since it's called only when there is a packet. I checked How to use a timer in lua, but I'm not able to combine it with my code. Please, can you help me? Thanks. By the way, creating 5-minute pcaps and processing them is not an option for me.

My code (very simplified):

local tap = Listener.new(nil, "diameter")
local sid_field = Field.new("diameter.Session-Id")
local logfile = "diameter_log_"..os.date("%Y%m%d%H%M%S")
io.output(logfile)

function tap.packet(pinfo, tvb)
    -- read the Session-Id field extractor for the current packet
    local sid_field_ = sid_field()
    io.write(tostring(sid_field_))
end

asked 04 Dec ‘12, 08:59


lojza
accept rate: 0%

Hello everybody, thank you for your help. Let me redefine my question: the only possibility to check the time (with os.clock()) is when tap.packet() is called. Right?

Just a remark: I'm running under Linux and what helloworld stated is right, but I prefer a new logfile exactly every 5 minutes (even empty) rather than non-empty files generated at random times (as packets arrive).

New idea: I'm thinking about defining a new "more busy" (tcp) tap and checking the time inside it. E.g.:

local tap_busy = Listener.new(nil, "tcp")
function tap_busy.packet(pinfo, tvb)
    -- check time & change io.output here --
end

But maybe it brings more trouble than benefit. Thank you :-)

(05 Dec ‘12, 05:00) lojza

The only possibility to check the time (with os.clock()) is when tap.packet() is called. Right?

If you run on linux: Yes.
If you run on Windows: No (see winapi).

New idea: I'm thinking about defining a new "more busy" (tcp) tap and checking the time inside it. E.g.:

Yes, that's possible, but as you said, it will possibly cause other problems (resource consumption).

(05 Dec '12, 05:10) Kurt Knochner ♦

Ok. But I have to ask: how are empty files useful? If you need to track quiet time periods, there are simpler and more elegant ways of handling that (e.g., logging this fact in a file).

Your "new" idea's code snippet looks like the same idea suggested in StackOverflow (in that it just checks the time inside tap.packet()).

(05 Dec '12, 07:44) helloworld

It's just my approach (obsession) :-) The idea is the same, but applied to tcp, which occurs more frequently than diameter.

(06 Dec '12, 01:02) lojza

2 Answers:

0

As it's said in the StackOverflow question, there are no real timers in Lua itself. So, the only way to implement it is to call os.clock() within the tap.packet function and then change the file descriptor after 5 minutes. However: you said that this is not accurate enough, so I guess it's not an option for you.

There is a Lua module called winapi which allows you to create a real timer in Lua, by using the Win32 API.

https://github.com/stevedonovan/winapi/downloads
http://stevedonovan.github.com/winapi/examples/test-timer.lua.html

The bad news: you can't use that module with Wireshark, as it's compiled with a different compiler version. And even if you compile it yourself, I'm not sure if the integration of Lua into Wireshark would allow using that module!

So, I'm sorry, but your options are kind of limited. You could use an external program to monitor your logfile. That program runs independently of tshark and checks the log file for modifications every second. If there is a change, it will extract the delta since the last change. Now, that external tool can write a new consolidated log file at every interval you need.

Regards
Kurt

answered 04 Dec '12, 13:24


Kurt Knochner ♦
accept rate: 15%

Actually, you can use the winapi module and the test-timer.lua script in Wireshark/Tshark (I've confirmed with winapi-1.4.1-51gcc.zip, in Windows 7, and tshark 1.9.0 SVN Rev 45747).

And yes, Wireshark Lua lets you use practically any library as long as it's for the same version of Lua. The current Windows releases of Wireshark officially support Lua 5.1.

(04 Dec '12, 17:40) helloworld

Nice! I did not test the gcc version of the library.

@lojza: Now you have a solution. Use the test-timer.lua script as a starting point. Set a timer to 5 minutes. If the timer fires, change the file descriptor and you should get a new file every 5 minutes.

(04 Dec '12, 18:21) Kurt Knochner ♦

0

I don't think a timer (or a concurrent task) is truly necessary here. If I understand correctly, you need the log to roll over every 5 minutes, but a rollover should only occur if you indeed have something to log (so checking the time in tap.packet() would be correct). Otherwise, you would roll over to blank files if, for example, you didn't see a packet for several 5-minute periods. Let's consider an example:

  1. You don't know what time it is until you get a packet (i.e., you can only check the time (with os.clock()) when tap.packet() is called).
  2. For exactly 5 minutes, a packet arrives every 27 seconds, which fits 11.111 periods in 5 minutes (which means you'll get 11 packets per file). On the 11th packet, the duration you calculated was still less than 5 minutes, so you don't roll over.
  3. No packets arrive for the next 10 minutes. No rollover occurs because you need another packet to determine that you've passed the 5-minute mark.
  4. A packet arrives. You calculate the duration to be at least 5 minutes, so you roll over to a new file.

In that timespan, you have 2 useful non-empty files. So, I think the answer from StackOverflow is the right one.

answered 04 Dec '12, 18:33


helloworld
accept rate: 28%
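The approach both answers describe, checking the time inside tap.packet() and switching the output file when a 5-minute boundary has passed, written out as a complete tshark tap script. This is an added example, not code from the original question or either answer. It assumes tshark's Lua API (Listener.new, Field.new, Pinfo.abs_ts) and a writable working directory; it uses os.time() for wall-clock time rather than os.clock(), which reports CPU time, and aligns files to fixed 5-minute buckets so that a file name reflects the interval it covers even when the first packet of that interval arrives late. It also strips control characters from the Session-Id before writing, since that value comes off the wire and would otherwise let a crafted AVP forge extra lines in the log.

```lua
-- Added example (not from the original post): time-bucketed log rollover
-- inside tap.packet(). Run with: tshark -i <iface> -X lua_script:rollover.lua
local tap = Listener.new(nil, "diameter")
local sid_field = Field.new("diameter.Session-Id")

local ROLLOVER_SECONDS = 5 * 60   -- 5-minute buckets
-- Set to true to bucket by the packet's capture timestamp (pinfo.abs_ts)
-- instead of wall-clock time; useful when replaying a pcap through tshark.
local USE_PACKET_TIME = false

local current_file = nil
local current_bucket = nil

-- Bucket number for a time value: all packets whose time falls in the
-- same 5-minute window share a bucket and therefore a log file.
local function bucket_of(t)
    return math.floor(t / ROLLOVER_SECONDS)
end

-- Close the current log (if any) and open the file for the given bucket.
-- The file name carries the bucket's start time, not the packet's time.
local function open_bucket_file(bucket)
    if current_file then
        current_file:close()
    end
    local start = bucket * ROLLOVER_SECONDS
    local name = "diameter_log_" .. os.date("%Y%m%d%H%M%S", start) .. ".txt"
    current_file = assert(io.open(name, "a"))
    current_bucket = bucket
    return name
end

-- Return the handle for the bucket containing t, rolling over if needed.
local function logfile_for(t)
    local b = bucket_of(t)
    if b ~= current_bucket then
        open_bucket_file(b)
    end
    return current_file
end

-- Replace control characters (newline, tab, ...) so a Session-Id received
-- from the network cannot inject fake records into the log file.
local function sanitize(s)
    return (s:gsub("%c", "?"))
end

function tap.packet(pinfo, tvb)
    local t = USE_PACKET_TIME and pinfo.abs_ts or os.time()
    local f = logfile_for(t)
    local sid = sid_field()
    if sid then
        f:write(os.date("%Y-%m-%d %H:%M:%S", math.floor(t)), "\t",
                sanitize(tostring(sid)), "\n")
        f:flush()   -- keep the file readable by other tools mid-capture
    end
end

-- Called when the capture stops or the file is reloaded; release the handle.
function tap.reset()
    if current_file then
        current_file:close()
        current_file = nil
        current_bucket = nil
    end
end
```

As helloworld's walkthrough shows, the rollover still happens only when a packet arrives, so an interval with no Diameter traffic simply produces no file; the bucket-based naming means the file that is eventually created is still labelled with the boundary it belongs to. Files are opened in append mode so that restarting tshark within the same interval adds to the existing file instead of truncating it.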