This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

listening twice ( lua) to the same log on tshark

hi, i'm writing a lua script for tshark that has to run (using a listener) on a whole log once (or until it finds a specific packet) and then run on the log again and verifies it with the previously found data. i have managed to do so in wireshark using tap:remove() and then calling a function that opens a new listener. however, on tshark, the new listener doesnt start from the begining of the log but from where i stopped the first tap. thank you!

listener lua tap tshark wireshark

This question is marked "community wiki".

asked 15 Jul '14, 06:51

orenn
11●1●1●2
accept rate: 0%

One Answer:

Tshark doesn't work the same way as Wireshark in terms of reading capture files. By default tshark only reads a capture file once and only dissects+taps each frame once, whereas wireshark reads it multiple times and even lets Lua force a re-read using the reload() function, but that won't work in tshark. There is a command switch to make tshark process a capture file twice (using the "-2" command option switch), but I'm not sure it will help you at all.

answered 15 Jul '14, 14:13

Hadriel
2.7k●2●9●39
accept rate: 18%

edited 15 Jul '14, 14:13