4

I an analysing a very large PCAP holding many HTTP transactions, some of which interest me. I am using tshark with a Lua script essentially to query all packets that match a filter. 

tshark -X lua_script:filter.lua -r some.pcap  -q

So far so good. However, I am looking specifically for the value of a packet's TCP stream number which goes by the name tcp.stream inside Wireshark. Can anyone say what changes I require to filter.lua to print that? 

-- filter.lua
do
    local function init_listener()
        local tap = Listener.new("http","http contains someKeyValue && tcp.port eq 1234")
        function tap.reset()
        end
        function tap.packet(pinfo,tvb,ip)
            print("Found my packet ... now what?")
        end
        function tap.draw()
        end
    end
    init_listener()
end

The documentation on what pinfo, tvb and ip are is unforthcoming.

Martin Cowie
  • 2,788
  • 7
  • 38
  • 74

1 Answers1

8

You can access the TCP stream number through a Field.

local tcp_stream = Field.new("tcp.stream").value

The value of the Field is the value for the current packet. You don't need to create a new Field each time. This allows you to make the Field a constant and create a function that returns the TCP stream number of the current packet. It is also possible to call the Field value to get the FieldInfo value which may include additional useful information.

You want the filter.lua to look like:

-- filter.lua
do
    local function init_listener()
        local get_tcp_stream = Field.new("tcp.stream")
        local tap = Listener.new("http","http contains someKeyValue && tcp.port eq 1234")
        function tap.reset()
        end
        function tap.packet(pinfo,tvb,ip)
            print(tostring(get_tcp_stream()))
        end
        function tap.draw()
        end
    end
    init_listener()
end

https://www.wireshark.org/docs/wsdg_html_chunked/lua_module_Field.html#lua_class_Field

Matt Champion
  • 3,015
  • 1
  • 13
  • 13