This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

Inbound and Outbound traffic

0

Hi, I'm writing a Lua program to process data that captured by tshark, and I'm in need for a filter to separate inbound traffic from outbound traffic in our network to process each group alone. Can some one help me in this, because I'm new in both: Lua and Wireshark. Thanks

asked 25 Jan '12, 22:39

Leena's gravatar image

Leena
51171821
accept rate: 0%

edited 26 Jan '12, 00:46

One Answer:

0

I'm assuming you're interested in IP traffic only.

You would create two taps (aka "Listeners") -- one filtered for incoming packets to your host and another for outgoing:

local HOST_IP = '1.2.3.4'

local tap_in = Listener.new(nil, 'ip.dst=='..HOST_IP)
local tap_out = Listener.new(nil, 'ip.src=='..HOST_IP)


– handles packets going to $HOST_IP
function tap_in.packet(pinfo, buf)
print('#'..pinfo.number, '<IN>', tostring(buf))
end


– handles packets going out from $HOST_IP
function tap_out.packet(pinfo, buf)
print('#'..pinfo.number, '<OUT>', tostring(buf))
end


Copy this file to a temporary directory (e.g., /tmp/test.lua), and run it from TShark as follows:

$ tshark -Xlua_script:/tmp/test.lua

You can also load this from Wireshark (as shown in a recent post).

answered 02 Feb ‘12, 18:53

helloworld's gravatar image

helloworld
3.1k42041
accept rate: 28%