This is our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

Calculate delta time between two packets from Lua dissector and display on a graph

0

I've developed a Lua dissector for a custom protocol on top of the UDP protocol. Each initial packet sent will contain a reference number followed by a response message containing the same reference number, I would like to calculate the delta time between the two matching reference number packets and display on a graph.

Currently I'm exporting the data to excel to calculate the delta and displaying on a graph, this is time consuming and I want to to make it more automated, but as a newbie to Wireshark development I'm not quite sure if it has the capabilities or the best way to achieve this task.

Any advice would be much appreciated.

asked 10 Sep '14, 07:12

chriswaddell87's gravatar image

chriswaddell87
16114
accept rate: 0%

One Answer:
active answersoldest answersnewest answerspopular answers
2

Calculating the time delta in a Wireshark Lua script is not hard, but there is no way to have the results be graphed by Wireshark, other than to export the data to a file like you are now. Supporting such a thing has been on my to-do list (for the Qt version of Wireshark, not GTK, fwiw).

To calculate the delta time, you'd use a Lua table. The table's keys would be your protocol's reference numbers, and the values would be the time (use Lua's built-in os.time() or os.clock()). So when you get a request packet, you insert a new entry in the table of the ref number as the key and the current time as the value, and when you get a response you look up the ref number in the table, and subtract the entry's time value from current time. (actually you'll want to do the lookup first on the request too, in case the request is retransmitted, since you want to use the originally transmitted request time presumably)

Also remember to clear the table before each run of the capture, so that it won't grow forever as people open/close capture files or start/restart live capturing of your protocol. The easiest way to do this is to clear the table (i.e., reset the variable to a new table) in the myproto.init() function for your new protocol. The init() function is automatically called by Wireshark, similar to the dissector() one, but it's called each time a new capture file is opened or a live capture is started.

permanent link

answered 10 Sep '14, 07:48

Hadriel's gravatar image

Hadriel
2.7k2939
accept rate: 18%

I would have to check the refNumber against two other variables to rule out if it was a repeat message and then use each frame.time_relative value. I can't use the refNubmer as a key, due to some message types containing the same refNumber which would overwrite the original key. At what stage should the Lua table be implemented, at the dissector or listener ?

(11 Sep '14, 10:47) chriswaddell87

That's up to you really - I mean the Lua variable holding the table needs to be defined outside of both the dissector and listener functions, since it needs to live for the duration; but you can add/lookup in it in the dissector or listener. (note: be aware that a dissector will be called multiple times for the same packet)

(12 Sep '14, 07:37) Hadriel
1

I have a LUA script where I just want to run some code on Wireshark's first scan of the packets. I use the statement:

if not pinfo.visited then

As you'd expect, pinfo.visited is not set on the first scan.

(14 Sep '14, 02:06) PaulOfford
Your answer
toggle preview

Follow this question

By Email:

Once you sign in you will be able to subscribe for any updates here

By RSS:

Answers

Answers and Comments

Markdown Basics

  • *italic* or _italic_
  • **bold** or __bold__
  • link:[text](http://url.com/ "title")
  • image?![alt text](/path/img.jpg "title")
  • numbered list: 1. Foo 2. Bar
  • to add a line break simply add two spaces to where you would like the new line to be.
  • basic HTML tags are also supported

learn more about Markdown

Question tags:

×637
×431
×248
×100
×72

question asked: 10 Sep '14, 07:12

question was seen: 4,133 times

last updated: 14 Sep '14, 02:06

Related questions

Protocol analyzer for validating custom network protocol

Dissect payload data as IP packet in Lua custom dissector

Failed to change the width size of midde column in Graph Analysis.

Crashing issue when running Lua dissector after upgrading from wireshark 1.0.0

Input for a dissector

TCPdSTAT for Wireshark?

Displaying gaps or drops in private UDP sequence numbers

Does Wireshark ignore metamethod __index of table?

Lua Dissector for the whole Frame

Making a dissector that filters packets

about | faq | privacy | support | contact

p​o​w​e​r​e​d by O​S​Q​A