Calling a Lua Dissector on a file

Question

Hi all,

I've been using Wireshark for a while and also building LUA dissectors for some proprietary protocols. Before you can use a dissector, you need to add it to the appropriate dissector table. I would like to use the abilities from Wireshark to represent the contents of a binary file, similar to "ASN.1 Basic Encoding Rules(.)" however I do not know if it is possible to register a dissector for use as file dissector. I can understand that the dissectors are called on packets read, however this would make it very powerfull in some occasions.

Thanks and best regards,

Sjoerd

Answer 1

however I do not know if it is possible to register a dissector for use as file dissector.

No, that's not possible.

however this would make it very powerfull in some occasions.

Yes, and that's why a similar project has already been started (TFShark - Terminal FileShark)

https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=9607

Maybe you want to take a look at that and probably contribute ideas and/or code.

Regards
Kurt

Answer 2

It is possible to register a dissector for the file in Lua, but involves two steps:

Register a FileHandler which accepts a file and provides a MIME encapsulation type.
Register a heuristics dissector for the MIME file encapsulation table and add your dissector in there.

I am working on a Zip Archive file dissector for Lua, but you can probably adjust this template to your needs: https://git.lekensteyn.nl/peter/wireshark-notes/commit/?id=bad766a9ef81f7267cdb8e4f82db692a83ba2f9a

Examples of usage:

tshark -Xlua_script:file-zip.lua -r sample.zip
wireshark -Xlua_script:file-zip.lua -r sample.zip

Other examples of a FileHandler can be found in the Wireshark source tree (test/lua/acme_file.lua and test/lua/pcap_file.lua).