This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

Adding/appending packet comments in pcapng file with the Lua API

0

I looked through the API and couldn't find anything about adding/appending comments to pcapng files. I need to label 12 MB of data...

asked 08 May '16, 15:23


13utters
11336
accept rate: 0%

edited 09 May '16, 06:57


JeffMorriss ♦
6.2k572

I looked through the API

Which API?

(08 May '16, 15:41) Guy Harris ♦♦
(08 May '16, 15:48) 13utters

One Answer:

1

Check out captureinfo.comment and frameinfo.comment in the Developer's Guide.

answered 09 May '16, 07:32


JeffMorriss ♦
6.2k572
accept rate: 27%

I have trouble writing a new captureinfo.comment to the file my tab is listing. I only found examples of writing to .txt files; can you show me the way to do it?

(12 May '16, 07:32) 13utters
1

Oh, shoot. It looks like that whole section I pointed you to is about writing file handlers in Lua. PCAPNG files are already handled by the C code.

So: my answer's no good. I don't see a method to access PCAPNG comments in Lua.

[I'd vote down my answer but apparently I'm not allowed!]

(12 May '16, 14:18) JeffMorriss ♦

Hi JeffMorriss,

I am not sure where I go from there..

Is there a way to add comments to specific packets (e.g. all ip.addr == 8.8.8.8) in ANSI C? Do you have a good source for Wireshark ANSI C? Will Lua be able to handle PCAPNG?

(18 May '16, 15:15) 13utters

Just to make sure... you need the automatically generated comments to be stored in the pcapng file so that the resulting file could be opened using any other fresh Wireshark installation and the comments would be there.

I.e. distributing a Lua post-dissector along with the pcapng file, which would add expert info or protocol fields during dissection, thus allowing packet filtering on the presence or contents of these forged fields, would not do the trick for you, correct?

(19 May '16, 04:46) sindy

My task is to label specific packets with specific comments: is the packet malicious or a consequence of malicious traffic, and an identifier (attack_<protocol_n>:<[mal|con]_N>). My result will be fed into a machine learning algorithm, to teach it what different attacks can look like.

(19 May '16, 05:54) 13utters
1

Do you need to be doing this in Wireshark? Who is inputting the comments--a human or a computer?

I worked on one project where we used packet comments to give the user some information. We just wrote the PCAPNG file directly--it's not that hard.

Or could you use editcap -a <frame.comment>?

(19 May '16, 06:57) JeffMorriss ♦
1

I understand @13utters' workflow the way that he needs to use Wireshark's dissection capabilities, further enhanced using Lua post-dissectors, to generate the packet classifications, but then the raw packet data, not packet dissections, shall be fed to the expert system together with the classifications. So I could still imagine two files could be used for this purpose - the original input pcapng and its companion csv file, which would be a result of a tshark run over the original input and contain only frame numbers (or timestamps or both, as frame numbers are not explicitly stored in the pcapng and the timestamps may not be unique) and the classifications. Alternatively, "empty" classifications could be used, so that each frame of the original pcapng would have a classification on its own line of text, and either the expert system would handle this file set directly, or a script would read the original input pcapng and the classifications file synchronously and generate an output pcapng with comments.

(19 May '16, 07:11) sindy

@JeffMorriss I don't have to do it in Wireshark/Lua (thought it would be easy) and the comments can be written by computers, but humans have to decide whether the packet is malicious in this context or else, but the amount of data is too large to be handled by a human alone.

Just gave editcap a quick look and it seems to do the job maybe (still need to get the specific frame.number and feed it into editcap).

@sindy I guess I have to learn about tshark creating csv files to understand your answer.

(19 May '16, 08:14) 13utters

Not too much to learn, see below:

tshark -r "c:\Users\your_login\Captures\in.cap" -T fields -e frame.number -e ip.dst -E separator=, > out.csv creates the following contents of out.csv:

1,10.20.127.53
2,212.47.21.121
3,10.20.127.53
4,10.20.127.53
5,212.47.21.121
6,212.47.21.121
...

So your Lua post-dissector would create a single field (named e.g. classification) for those packets which are worth it, and you would replace -e ip.dst with -e classification in the example above. For those packets for which the Lua script would create the field, its value would be output to the file after the packet number; for the rest, only the packet number would be printed. By adding -Y classification, you would prevent these "packet number only" lines from being written to the output file.

Or, vice versa, you could let the Lua post-dissector create the classification field for every single packet, except that it would contain some special "don't care" value for packets which the expert system should ignore. In that case, you could omit the -e frame.number and you would get just the classification string for each packet, so the merging script could simply be reading one packet from the pcap file and one line from the list of classifications at a time, rather than keep track of packet numbers.

(19 May '16, 12:55) sindy
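The two suggestions above (writing the pcapng file directly, as JeffMorriss did on his project, and sindy's merging script that reads the original capture and the tshark classification list side by side) come down to the same thing: emitting an Enhanced Packet Block per frame and attaching the label as the pcapng opt_comment option (option code 1), which Wireshark displays as the packet comment. The following is an added example written for this thread, not code from Wireshark or from any poster. It assumes a classic (microsecond) pcap as input and a two-column "frame.number,classification" text as produced by the tshark command above; the three-frame capture and the label list are constructed inline so the script runs offline.

```python
"""Merge a classic pcap with a "frame number,classification" list into a
pcapng whose Enhanced Packet Blocks carry the classification as a packet
comment (pcapng option opt_comment, code 1).  Added example for this thread,
not code from Wireshark; the capture and label list below are constructed."""
import struct

# Constructed sample input: a little-endian classic pcap, Ethernet link type,
# holding three frames (header bytes are zeros, the payload marks the frame).
def build_sample_pcap():
    hdr = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    frames = [b"\x00" * 14 + b"AAAA", b"\x00" * 14 + b"BBBB", b"\x00" * 14 + b"CCCC"]
    out = hdr
    for i, f in enumerate(frames):
        out += struct.pack("<IIII", 1000 + i, 0, len(f), len(f)) + f
    return out

# Constructed stand-in for the output of
#   tshark -r in.pcap -T fields -e frame.number -e classification -E separator=, -Y classification
# i.e. only frames that received a classification are listed.
LABELS_CSV = "1,attack_dns:mal_1\n3,attack_dns:con_1\n"

def parse_labels(csv_text):
    """frame number -> classification; lines without a label are skipped."""
    labels = {}
    for line in csv_text.splitlines():
        num, _, label = line.partition(",")
        if num.strip() and label.strip():
            labels[int(num)] = label.strip()
    return labels

def read_pcap(data):
    """Parse a classic pcap into (linktype, snaplen, [(sec, usec, origlen, bytes)])."""
    magic, = struct.unpack_from("<I", data)
    end = {0xA1B2C3D4: "<", 0xD4C3B2A1: ">"}.get(magic)
    if end is None:
        raise ValueError("not a classic (microsecond) pcap file")
    _major, _minor, _tz, _sig, snaplen, linktype = struct.unpack_from(end + "HHiIII", data, 4)
    pos, pkts = 24, []
    while pos + 16 <= len(data):
        sec, usec, incl, orig = struct.unpack_from(end + "IIII", data, pos)
        pos += 16
        pkts.append((sec, usec, orig, data[pos:pos + incl]))
        pos += incl
    return linktype, snaplen, pkts

def _opt(code, value):
    """pcapng option TLV: code, length, value padded to a 32-bit boundary."""
    return struct.pack("<HH", code, len(value)) + value + b"\x00" * ((-len(value)) % 4)

def _block(btype, body):
    """pcapng block: type, total length, body, total length again."""
    total = 12 + len(body)
    return struct.pack("<II", btype, total) + body + struct.pack("<I", total)

def write_pcapng(linktype, snaplen, pkts, labels):
    """Emit SHB, one IDB and one EPB per frame; labelled frames get opt_comment."""
    out = _block(0x0A0D0D0A, struct.pack("<IHHq", 0x1A2B3C4D, 1, 0, -1))
    idb = struct.pack("<HHI", linktype, 0, snaplen) + _opt(9, b"\x06") + _opt(0, b"")  # if_tsresol 10^-6
    out += _block(1, idb)
    for num, (sec, usec, orig, data) in enumerate(pkts, start=1):
        ts = sec * 1_000_000 + usec                      # microseconds, matching if_tsresol
        body = struct.pack("<IIIII", 0, ts >> 32, ts & 0xFFFFFFFF, len(data), orig)
        body += data + b"\x00" * ((-len(data)) % 4)
        if num in labels:                                 # options only where there is one
            body += _opt(1, labels[num].encode("utf-8")) + _opt(0, b"")
        out += _block(6, body)
    return out

def read_pcapng_comments(data):
    """Walk the blocks back and return {frame number: comment} for EPBs with opt_comment."""
    pos, num, comments = 0, 0, {}
    while pos + 8 <= len(data):
        btype, blen = struct.unpack_from("<II", data, pos)
        if btype == 6:
            num += 1
            caplen, = struct.unpack_from("<I", data, pos + 20)
            opos, end = pos + 28 + caplen + ((-caplen) % 4), pos + blen - 4
            while opos + 4 <= end:
                code, olen = struct.unpack_from("<HH", data, opos)
                if code == 0:
                    break
                if code == 1:
                    comments[num] = data[opos + 4:opos + 4 + olen].decode("utf-8")
                opos += 4 + olen + ((-olen) % 4)
        pos += blen
    return comments

def merge(pcap_bytes, csv_text):
    linktype, snaplen, pkts = read_pcap(pcap_bytes)
    return write_pcapng(linktype, snaplen, pkts, parse_labels(csv_text))

if __name__ == "__main__":
    print(read_pcapng_comments(merge(build_sample_pcap(), LABELS_CSV)))
```

Two caveats for real use: frame numbers are positions in one specific input file, so the label list must come from a tshark run over exactly the capture being merged (this is why sindy suggests carrying timestamps as well), and the reader above deliberately rejects nanosecond-resolution pcaps (magic 0xA1B23C4D) rather than mislabel their timestamps. If writing the format yourself is not wanted, editcap's `-a <framenum>:<comment>` option does the same thing per frame and may be given several times on one command line.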