This is our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

Hi, I am trying to create a custom dissector for the Modbus protocol in Lua. The issue that I am facing is that even though the dissectors work fine, it is taking Wireshark a very long time to load the file and apply filters. I suspect that the reason behind the lag is that the dissectors come into action thus causing the lag. The same issue is present even when I try to apply filters based on certain port numbers or other things. Hence I wanted to know if there is any way the dissector code could be optimized to load the files faster and to reduce the time to process the captures after a filter is applied. The capture files that I am using as test data are approximately 250 MB each.

Thanks.

asked 08 Aug '16, 10:53

shobhit_garg91

What are you trying to add to dissection that the built-in Modbus dissector doesn't do?

As part of my SharkFest presentation looking at 3 ways to write a dissector I compared Lua and C dissector performance and found Lua to be ~2.5 slower than C, so if performance is an issue, then you'll have to move to C.

(09 Aug '16, 02:16) grahamb ♦

Hi, the Modbus protocol used at my place has additional layers, hence it cannot be dissected using the Modbus dissector provided with Wireshark. Hence I wanted to know if there could be some way to optimize the Lua code. Is there any way to generate the byte code from the Lua dissectors, such that the byte code could be used instead of the dissector, as I believe it might cause some enhancement in the performance. Thanks.

(09 Aug '16, 10:49) shobhit_garg91

Is there any way to generate the byte code from the Lua dissectors, such that the byte code could be used instead of the dissector

What do you mean by "byte code"? The byte code is generated from the Lua dissectors, by the Lua library, and is what's used. As the Lua compiler man page says, "Precompiling does not imply faster execution because in Lua chunks are always compiled into bytecodes before being executed." - all that would happen with precompiling with luac is "faster loading, protecting source code from accidental user changes, and off-line syntax checking."

(11 Aug '16, 19:34) Guy Harris ♦♦

Lua already has a thin interface with the C layer, have you started profiling which parts are exactly expensive? Try disabling some parts of the Lua code and measure the required time. Baseline is an empty dissection function (or even no Lua dissector at all).

With tshark and the time builtin or program on Linux you could execute your dissector and obtain the running time as follows:

time tshark -r your.pcap -Xlua_script:your-dissector.lua >/dev/null

For profiling the dissection time in the GUI, you can look at the time in the bottom right ("Load time").

Conversion between Lua and Wireshark types is possibly more expensive too, so avoid calling tvb():raw() multiple times for example, instead store it in a Lua variable which you then refer to.

Other possible optimizations:

  • Enhance the C dissector. If the changes to your Modbus captures are not proprietary, it may be beneficial to others as well.
  • If your Lua processing code is very expensive, because it involves a lot of string copying (including string concatenation) or decryption, consider creating a C extension for specific parts. I had a capture where moving the decryption routines to C reduced the running time by a factor of 22.

answered 09 Aug '16, 14:38

Lekensteyn
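
The measuring and caching advice in the answer above, shown in a Lua dissector. This is an added example, not code from the answer or from Wireshark; the `mbwrap` protocol, its 4-byte wrapper layout, the field names and port 15020 are hypothetical.

```lua
-- Added example: hypothetical "mbwrap" protocol = 4-byte wrapper + Modbus/TCP MBAP header.
-- Field layout, names and port 15020 are assumptions made up for illustration.
local mbwrap = Proto("mbwrap", "Wrapped Modbus (example)")

local f_seq   = ProtoField.uint32("mbwrap.seq",   "Wrapper sequence", base.DEC)
local f_trans = ProtoField.uint16("mbwrap.trans", "Transaction ID",   base.DEC)
local f_len   = ProtoField.uint16("mbwrap.len",   "MBAP length",      base.DEC)
local f_unit  = ProtoField.uint8 ("mbwrap.unit",  "Unit ID",          base.DEC)
local f_func  = ProtoField.uint8 ("mbwrap.func",  "Function code",    base.DEC)
mbwrap.fields = { f_seq, f_trans, f_len, f_unit, f_func }

local HDR_LEN = 12          -- 4 (wrapper) + 7 (MBAP) + 1 (function code)
local PROFILE = true        -- set to false once measurements are done
local spent, calls = 0, 0   -- accumulated CPU seconds inside this dissector

local function dissect(tvb, pinfo, tree)
    if tvb:len() < HDR_LEN then return 0 end   -- truncated or not ours: reject cheaply
    pinfo.cols.protocol = "MBWRAP"
    local sub = tree:add(mbwrap, tvb(0, HDR_LEN))
    -- Pass TvbRanges straight to tree:add(): the value is decoded in C,
    -- with no conversion to a Lua number or string per field.
    sub:add(f_seq,   tvb(0, 4))
    sub:add(f_trans, tvb(4, 2))
    sub:add(f_len,   tvb(8, 2))
    sub:add(f_unit,  tvb(10, 1))
    -- Where a Lua value is needed, convert once and reuse the local.
    local func = tvb(11, 1):uint()
    sub:add(f_func, tvb(11, 1), func)
    pinfo.cols.info = "Func " .. func          -- a single concatenation per packet
    return tvb:len()
end

function mbwrap.dissector(tvb, pinfo, tree)
    if not PROFILE then return dissect(tvb, pinfo, tree) end
    local t0 = os.clock()
    local consumed = dissect(tvb, pinfo, tree)
    spent, calls = spent + (os.clock() - t0), calls + 1
    if calls % 100000 == 0 then                -- stderr, so >/dev/null does not hide it
        io.stderr:write(string.format("mbwrap: %d calls, %.3f s in Lua dissector\n", calls, spent))
    end
    return consumed
end

DissectorTable.get("tcp.port"):add(15020, mbwrap)
```

Comparing the figure written to stderr with the total reported by `time tshark ...` shows how much of the run is spent in the Lua dissector and how much in the rest of the dissection.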

Hi, Thank you for your inputs. Unfortunately I cannot update the Modbus dissector as my Modbus data is proprietary. I am using a Windows environment (I am working as a coop with a company) and in that I have made sure not to use tvb():raw() multiple times. I also tried removing parts of the dissector code but still it is pretty slow. The intriguing part is that I have created similar dissectors for other protocols, which work absolutely fine and fast. With regards to the Modbus dissectors, the load time that is generally displayed is around 1 and a half minutes but it takes over more than 5 minutes to dissect the capture.

Thanks.

(11 Aug '16, 11:43) shobhit_garg91

Can you compare the loading time of the same capture with any Modbus dissection off, with your Lua dissector enabled, and with the "embedded" Modbus dissector enabled instead? Or is your Lua one an add-on to the embedded one?

(11 Aug '16, 13:07) sindy

Hi, I compared the loading time with and without the dissector in action. There is a huge time difference in the loading time in both the scenarios. I was thinking of creating a local copy of the buffer (payload in the packet) and using it to dissect the message instead of using the buffer repeatedly, since others have commented that reading from the buffer repeatedly is an expensive operation. I am however not sure if it would make any difference in the loading times.

Thanks.

(15 Aug '16, 08:02) shobhit_garg91

I am however not sure if it would make any difference in the loading times.

You won't be until you try :-)

(15 Aug '16, 08:17) sindy

question asked: 08 Aug '16, 10:53

question was seen: 2,184 times

last updated: 15 Aug '16, 08:17
