This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

Calculate delta time between two packets from Lua dissector and display on a graph

I've developed a Lua dissector for a custom protocol on top of the UDP protocol. Each initial packet sent will contain a reference number followed by a response message containing the same reference number, I would like to calculate the delta time between the two matching reference number packets and display on a graph.

Currently I'm exporting the data to excel to calculate the delta and displaying on a graph, this is time consuming and I want to to make it more automated, but as a newbie to Wireshark development I'm not quite sure if it has the capabilities or the best way to achieve this task.

Any advice would be much appreciated.

lua dissector analysis packet graph

asked 10 Sep '14, 07:12

chriswaddell87
16●1●1●4
accept rate: 0%

One Answer:

Calculating the time delta in a Wireshark Lua script is not hard, but there is no way to have the results be graphed by Wireshark, other than to export the data to a file like you are now. Supporting such a thing has been on my to-do list (for the Qt version of Wireshark, not GTK, fwiw).

To calculate the delta time, you'd use a Lua table. The table's keys would be your protocol's reference numbers, and the values would be the time (use Lua's built-in os.time() or os.clock()). So when you get a request packet, you insert a new entry in the table of the ref number as the key and the current time as the value, and when you get a response you look up the ref number in the table, and subtract the entry's time value from current time. (actually you'll want to do the lookup first on the request too, in case the request is retransmitted, since you want to use the originally transmitted request time presumably)

Also remember to clear the table before each run of the capture, so that it won't grow forever as people open/close capture files or start/restart live capturing of your protocol. The easiest way to do this is to clear the table (i.e., reset the variable to a new table) in the myproto.init() function for your new protocol. The init() function is automatically called by Wireshark, similar to the dissector() one, but it's called each time a new capture file is opened or a live capture is started.

answered 10 Sep '14, 07:48

Hadriel
2.7k●2●9●39
accept rate: 18%

I would have to check the refNumber against two other variables to rule out if it was a repeat message and then use each frame.time_relative value. I can't use the refNubmer as a key, due to some message types containing the same refNumber which would overwrite the original key. At what stage should the Lua table be implemented, at the dissector or listener ?

(11 Sep '14, 10:47) chriswaddell87

That's up to you really - I mean the Lua variable holding the table needs to be defined outside of both the dissector and listener functions, since it needs to live for the duration; but you can add/lookup in it in the dissector or listener. (note: be aware that a dissector will be called multiple times for the same packet)

(12 Sep '14, 07:37) Hadriel

I have a LUA script where I just want to run some code on Wireshark's first scan of the packets. I use the statement:

if not pinfo.visited then

As you'd expect, pinfo.visited is not set on the first scan.

(14 Sep '14, 02:06) PaulOfford