Questions tagged [wireshark-dissector]

A protocol dissector for Wireshark is what translates the bytes of a network packet into human-readable form. Use this tag when asking about writing a Wireshark protocol dissector. Also include the appropriate language tag.

Dissectors can be written either in C or in the scripting language Lua, and can be either built into Wireshark or loaded as plugins.

314 questions
45
votes
3 answers

How can I add a custom protocol analyzer to wireshark?

I have a custom protocol that I'm looking at in Wireshark. I thought it'd be useful if Wireshark could dissect it for me so that I don't have to decode the hex. Although I'm doing this in my program logs, Wireshark captures the whole conversation…
hookenz
  • 36,432
  • 45
  • 177
  • 286
13
votes
5 answers

How do you test a Wireshark dissector?

When you write a dissector for Wireshark, how do you test it? Looking for the visual output in the UI is not sufficient for a non-trivial protocol. Is there a good way for unit testing of the dissector? EDIT: The structure of protocol frames is…
harper
  • 13,345
  • 8
  • 56
  • 105
8
votes
1 answer

How Wireshark marks some packets as "TCP segment of a reassembled PDU"

I opened a pcap in Wireshark and it displays a lot of packets as "TCP segment of a reassembled PDU". How is Wireshark able to determine which TCP packets are segments of a reassembled PDU? I am not able to find any header field or anything else by…
8
votes
1 answer

Wireshark Dissector in Lua

First of all, I'm new to Lua altogether, and this is my first attempt at writing a Wireshark dissector. My protocol is straightforward: a 2-byte length field, followed by a string of that length. When I run the code through the Lua console,…
IgnoredAmbience
  • 103
  • 1
  • 8
7
votes
1 answer

Unable to see the plugin compiled in the custom wireshark run?

I am following the foo example given in the Wireshark documentation. I am able to build the foo code plugin. I am using Wireshark version 3.0.1. In the workroot folder, I have updated the target - PLUGIN_SRC_DIRS - plugins/epan/foo just before…
Prawn Hongs
  • 441
  • 1
  • 5
  • 17
7
votes
1 answer

Reassembling packets in a Lua Wireshark Dissector

I'm trying to write a dissector for the Safari Remote Debug protocol, which is based on bplists, and have been reasonably successful (current code is here: https://github.com/andydavies/bplist-dissector). I'm running into difficulty with reassembling…
Andy Davies
  • 5,794
  • 2
  • 26
  • 21
7
votes
1 answer

How to edit a Wireshark pcap to change the order of packets

I have a pcap file captured using Wireshark. Suppose the pcap has 6 packets numbered from 1 to 6 as shown below. Now I want to edit this pcap file so that I get the packets in some different order. For example, if the original pcap packets are…
7
votes
1 answer

frame contains "\x03\x00\x0e\xa8" display filter in Wireshark displays packets not containing these bytes

I used the following filter in Wireshark to find the packets containing these bytes: frame contains "\x03\x00\x0e\xa8". But when I see the result of this filter, it displays more than 1k packets which don't even contain these bytes. For example, it…
6
votes
2 answers

Wireshark Dissector: How to Identify Missing UDP Frames?

How do you identify missing UDP frames in a custom Wireshark dissector? I have written a custom dissector for the CQS feed (reference page). One of our servers gaps when receiving this feed. According to Wireshark, some UDP frames are never…
John Dibling
  • 99,718
  • 31
  • 186
  • 324
6
votes
1 answer

Wireshark doesn't distinguish ACSE and MMS PDUs

I am working with Message Manufacturing Specification (MMS) in Wireshark. The tool is unable to dissect the ACSE layer. It doesn't show any error, but it shows the ACSE data as a part of MMS, i.e., after the presentation layer, MMS is displayed.…
user_abh
  • 357
  • 3
  • 6
  • 20
5
votes
1 answer

How to handle bit fields in Wireshark Lua dissector?

I need to dissect a bit-mapped octet in a Wireshark Lua dissector. The octet has format: bit 0: Concatenation (0=No concatenation, 1=Concatenation); bits 1..3: Reserved; bits 4..7: Version. I have successfully dissected it with: Concatenation_F =…
DavidA
  • 2,053
  • 6
  • 30
  • 54
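The three Lua questions above (the 2-byte length-prefixed string, reassembly of a PDU that spans TCP segments, and a bit-mapped flags octet) can be served by one dissector, given here as an added example; it is not code from any of the posts or from the Wireshark project. The protocol name "lenstr", TCP port 9000, the field names, the extra flags octet placed in front of the length, and the convention that "bit 0" is the least significant bit are all assumptions. Setting pinfo.desegment_len to ask TCP for more data is also what causes Wireshark to label the intermediate segments "TCP segment of a reassembled PDU".

```lua
-- Added example, not from the posts above. Hypothetical "lenstr" protocol:
--   flags (1 byte) | length (2 bytes, big-endian) | string (length bytes)
-- Flags octet: bit 0 = concatenation, bits 1..3 reserved, bits 4..7 version
-- (bit 0 assumed to be the least significant bit). Port 9000 is assumed.

local lenstr = Proto("lenstr", "Length-prefixed string (example)")

-- A mask on a ProtoField makes Wireshark extract and render that bitfield
-- on its own line when the field is added over the full octet.
local f_flags   = ProtoField.uint8 ("lenstr.flags",    "Flags",         base.HEX)
local f_concat  = ProtoField.uint8 ("lenstr.concat",   "Concatenation", base.DEC,
                                    {[0] = "No concatenation", [1] = "Concatenation"}, 0x01)
local f_rsvd    = ProtoField.uint8 ("lenstr.reserved", "Reserved",      base.HEX, nil, 0x0E)
local f_version = ProtoField.uint8 ("lenstr.version",  "Version",       base.DEC, nil, 0xF0)
local f_len     = ProtoField.uint16("lenstr.len",      "Length",        base.DEC)
local f_str     = ProtoField.string("lenstr.str",      "String")

lenstr.fields = { f_flags, f_concat, f_rsvd, f_version, f_len, f_str }

local HDR_LEN = 3   -- flags (1) + length (2)

-- Dissect one PDU at `offset`. Returns the number of bytes consumed, or a
-- negative number whose magnitude is how many more bytes are needed.
local function dissect_pdu(tvb, pinfo, tree, offset)
    local avail = tvb:len() - offset
    if avail < HDR_LEN then
        -- Not even a full header yet: we cannot say how much is missing.
        return -DESEGMENT_ONE_MORE_SEGMENT
    end
    local str_len = tvb(offset + 1, 2):uint()   -- big-endian by default
    local pdu_len = HDR_LEN + str_len
    if avail < pdu_len then
        return -(pdu_len - avail)   -- ask TCP for exactly the missing bytes
    end

    local sub = tree:add(lenstr, tvb(offset, pdu_len))
    local flags_tvb = tvb(offset, 1)
    local flags_tree = sub:add(f_flags, flags_tvb)
    flags_tree:add(f_concat,  flags_tvb)
    flags_tree:add(f_rsvd,    flags_tvb)
    flags_tree:add(f_version, flags_tvb)
    sub:add(f_len, tvb(offset + 1, 2))
    sub:add(f_str, tvb(offset + HDR_LEN, str_len))
    return pdu_len
end

function lenstr.dissector(tvb, pinfo, tree)
    pinfo.cols.protocol = "LENSTR"
    local offset = 0
    -- A single TCP segment may carry several PDUs, or a partial one.
    while offset < tvb:len() do
        local consumed = dissect_pdu(tvb, pinfo, tree, offset)
        if consumed < 0 then
            -- Tell TCP where the incomplete PDU starts and how much more is
            -- needed; it reassembles and calls this dissector again with a
            -- tvb that begins at desegment_offset.
            pinfo.desegment_offset = offset
            pinfo.desegment_len = -consumed
            return tvb:len()
        end
        offset = offset + consumed
    end
    return offset
end

DissectorTable.get("tcp.port"):add(9000, lenstr)
```

Load it with tshark -X lua_script:lenstr.lua -r capture.pcap or by dropping it into the personal plugins directory. Returning a negative value from the per-PDU helper keeps the "how much is missing" arithmetic in one place; when the length field itself has not arrived, DESEGMENT_ONE_MORE_SEGMENT asks for the next segment rather than guessing a size.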
5
votes
1 answer

How to create a Wireshark dissector for a custom protocol, without the need to recompile Wireshark

I've been looking for a long time for a way to compile and run a custom Wireshark dissector without needing to recompile the entire Wireshark project. Many places on the Web require developers to write their plugins and link to Wireshark. However, I have…
Fernando
  • 1,477
  • 2
  • 14
  • 33
5
votes
4 answers

Count the number of packets with pyshark

In this code with pyshark:

    import pyshark
    cap = pyshark.FileCapture(filename)
    i = 0
    for idx, packet in enumerate(cap):
        i += 1
    print i
    print len(cap._packets)

i and len(cap._packets) give two different results. Why is that?
Bob
  • 10,741
  • 27
  • 89
  • 143
4
votes
2 answers

C++/C: access multiple char arrays with different names and sizes

I am analysing a pcap file and I have exported a dissection as C arrays in Wireshark; I need to extract some data from the bytes in question. However, I do not know how I can access all those arrays. They look like this: /* Frame (73 bytes)…
Joao s
  • 150
  • 1
  • 8
4
votes
1 answer

How to get the TCP stream number with a listener?

I am analysing a very large PCAP holding many HTTP transactions, some of which interest me. I am using tshark with a Lua script essentially to query all packets that match a filter. tshark -X lua_script:filter.lua -r some.pcap -q So far so good.…
Martin Cowie
  • 2,788
  • 7
  • 38
  • 74
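A tshark listener that records the tcp.stream index of each HTTP request matching a display filter, as an added example for the question above; it is not the poster's filter.lua nor code from the Wireshark project. The display filter, the host substring "example", and the output format are assumptions.

```lua
-- Added example, not from the post above. Run with:
--   tshark -q -r some.pcap -X lua_script:streams.lua
-- Field extractors must be created before the listener's packet callback
-- runs; calling one inside tap.packet returns the field for the current
-- packet (a FieldInfo) or nil if the field is absent.
local tcp_stream_f = Field.new("tcp.stream")
local http_host_f  = Field.new("http.host")
local http_uri_f   = Field.new("http.request.uri")

-- Listener.new(tap, filter): tap every frame, keep those matching the
-- display filter. The filter below is an assumption for the example.
local tap = Listener.new("frame", 'http.request and http.host contains "example"')

local streams = {}   -- tcp.stream index -> description of first request seen
local count = 0      -- matching requests

function tap.packet(pinfo, tvb)
    local s = tcp_stream_f()
    if not s then return end          -- no TCP layer (should not happen here)
    local idx = s.value
    count = count + 1
    if not streams[idx] then
        local host = http_host_f()
        local uri  = http_uri_f()
        streams[idx] = string.format("frame %d: %s%s", pinfo.number,
                                     host and tostring(host) or "?",
                                     uri  and tostring(uri)  or "")
    end
end

function tap.draw()
    -- Sort stream indices so the report is stable across runs.
    local keys = {}
    for idx in pairs(streams) do keys[#keys + 1] = idx end
    table.sort(keys)
    print(string.format("%d matching requests in %d TCP streams", count, #keys))
    for _, idx in ipairs(keys) do
        -- Each line is a ready-made display filter for following that stream.
        print(string.format("tcp.stream == %d    (%s)", idx, streams[idx]))
    end
end

function tap.reset()
    streams = {}
    count = 0
end
```

tap.draw runs once at the end of the file under tshark -q, so the report is printed after every packet has been seen; tap.reset is called when a capture is reloaded in the GUI and keeps the counters from carrying over.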