This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

adding a listener?

0

Hi, I am trying to customize a version of wireshark. I believe what I am trying to do is add a listener, but I'm not sure. I want to be able to take certain packets, including packets with errors, and send them over a socket to another application. I will need to do some customized processing of these packets, although I can either do that processing as part of wireshark, or I can do it on the other side of my socket.

Does it sound like I need to add a "Listener"?

If so, is adding a listener best done in a lua script, or by modifying the wireshark C code? In the lua documentation, I see information on adding a listener, but I did not see that in the wireshark development (C) documentation. I have used C/C++ for many years but have never used lua.

asked 17 Aug '11, 11:49

JVo's gravatar image

JVo
16558
accept rate: 0%

possible duplicate

(17 Aug '11, 22:08) helloworld

One Answer:

2

Yes, a Listener (aka "Tap") is appropriate for the task. I would pick Lua over C. Don't be afraid of Lua...it's easy to learn:

Lua vs C

Here are a few points:

PROS

  1. Bugs in Lua scripts are less likely to crash Wireshark. The few crashes I've seen are from bugs in underlying C code that the Lua API invokes.

  2. Lua scripts are compatible across multiple versions of Wireshark. On the other hand, it's recommended that C dissectors be re-compiled for the target Wireshark version to maintain compatibility.

  3. Lua development is faster than in C. Need to make a change? Edit the Lua script and restart Wireshark. (This ease of development is not seen for C dissectors.) A Wireshark installation, which includes a Lua interpreter, is all you need to run a Lua script. No need for compilers or specific versions of libraries.

CONS

  1. Lua scripts can be difficult to debug with Wireshark (there are few tools). You'll have to rely on print-outs to the console.

  2. Lua can be less efficient (performance and memory) than C, but that's inherent in scripting languages. You might not even notice unless you open huge pcaps.

  3. Lua can be less powerful than C because only a subset of Wireshark's functions are available to the Lua API, but you can use LuaAlien to invoke functions from libwireshark.dll/.so (or any other library). You probably won't need the unavailable functions anyway.

Sockets

See LuaSocket (or you can use LuaAlien to call your own C library).

answered 17 Aug '11, 22:07

helloworld's gravatar image

helloworld
3.1k42041
accept rate: 28%

Wow, thanks for a very thorough response. I will go through everything you gave me, and let you know when I have more specific questions.

I do like being able to debug C, and the fact that I already know C makes me think that for me, C development would be faster than Lua. But I also don't want to muck with something that might cause wireshark. So, I guess I'll explore my options for now. Okay, so a listener is a tap, huh? I still need to get a handle on the terminology I guess.

(18 Aug '11, 08:37) JVo

So, I'm also looking at adding various dissectors and will need to determine whether to do those in C or lua. It looks like using C provides me with an easy way to reassemble TCP packets: http://www.wireshark.org/docs/wsdg_html_chunked/ChDissectReassemble.html. Can I get TCP reassembly with lua?

(18 Aug '11, 16:29) JVo

When I said "Lua development is faster", I meant the time between making a change in code and seeing its effect in action (you simply restart Wireshark to see the change). This is opposed to the time it takes to re-compile a C dissector and re-deploy it. (Not to mention the time it takes to setup your dev environment for building Wireshark)

Then again, faster or not, I certainly agree that you should go with the language you're most comfortable with.

(18 Aug '11, 17:57) helloworld

Wireshark Lua does not expose the TCP reassembly function (namely tcp_dissect_pdus). However, you can use LuaAlien to invoke it.

(18 Aug '11, 18:02) helloworld

Cool, thanks! Okay, I'm getting a better handle on my options. :o)

(19 Aug '11, 12:20) JVo