You have a custom protocol and would like to give your users the ability to visualize it in Wireshark? If your answer is yes, this post is for you.
I recommend using Wireshark’s embedded Lua interpreter, and its API for Lua. It is the easiest way to prototype dissectors which, for performance reasons, may later be rewritten in C. At the time of writing, I am still using Wireshark 1.2.1, but you might consider using the latest version.
Let us begin with some sample code.
Protocol dissector script in Lua
We use a chained dissector. A chained dissector dissects the payload of an existing protocol, for example the payload of a TCP message destined for a particular port, and hands anything it does not recognise back to the dissector that was previously registered for that port. It receives the payload as the input parameter of the dissector function.
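The dissector script itself, as an added example rather than the post's own code. It is written against the Lua API as it existed in Wireshark 1.2 (Proto, ProtoField, DissectorTable, TreeItem) and assumes a constructed wire format and port: a 1-byte message type, a 2-byte big-endian payload length, the payload, all carried over TCP port 9999. The names myproto, MYPROTO_PORT and the field abbreviations are assumptions.

```lua
-- myproto.lua: chained dissector for a hypothetical "MYPROTO" protocol.
-- Added example, not the post's own script. Assumed wire format (constructed):
--   1 byte   message type (1 = Request, 2 = Response)
--   2 bytes  payload length, big-endian
--   N bytes  payload (text)
-- Assumed TCP port: 9999.

local MYPROTO_PORT = 9999

local myproto = Proto("myproto", "My Custom Protocol")

local msg_types = { [1] = "Request", [2] = "Response" }
local f_type    = ProtoField.uint8("myproto.type", "Message Type", base.DEC, msg_types)
local f_len     = ProtoField.uint16("myproto.len", "Payload Length", base.DEC)
local f_payload = ProtoField.string("myproto.payload", "Payload")
myproto.fields = { f_type, f_len, f_payload }

-- Remember whatever was registered on the port before us so we can chain to it
-- (get_dissector returns nil when nothing is registered).
local tcp_table = DissectorTable.get("tcp.port")
local original_dissector = tcp_table:get_dissector(MYPROTO_PORT)

-- buffer: the TCP payload (Tvb); pinfo: packet info; tree: the protocol tree root.
function myproto.dissector(buffer, pinfo, tree)
    local buflen = buffer:len()
    local header_ok = buflen >= 3 and msg_types[buffer(0, 1):uint()] ~= nil

    if not header_ok then
        -- Not one of ours: fall back to the dissector that was there before, if any.
        if original_dissector then
            original_dissector:call(buffer, pinfo, tree)
        end
        return
    end

    pinfo.cols.protocol = "MYPROTO"

    local subtree = tree:add(myproto, buffer(), "My Custom Protocol Data")
    subtree:add(f_type, buffer(0, 1))
    subtree:add(f_len, buffer(1, 2))

    local msg_type  = buffer(0, 1):uint()
    local len       = buffer(1, 2):uint()
    local available = buflen - 3

    if len > available then
        -- The length field claims more bytes than this segment carries: show what
        -- is there and flag it, instead of indexing past the end of the buffer.
        if available > 0 then
            subtree:add(f_payload, buffer(3, available))
        end
        subtree:append_text(" [truncated: expected " .. len .. " bytes, got " .. available .. "]")
        pinfo.cols.info = "MYPROTO " .. msg_types[msg_type] .. " [truncated]"
        return
    end

    if len > 0 then
        subtree:add(f_payload, buffer(3, len))
    end
    pinfo.cols.info = "MYPROTO " .. msg_types[msg_type] .. ", " .. len .. " byte payload"
end

-- Registering on the port replaces the previous entry, which is why it was saved above.
tcp_table:add(MYPROTO_PORT, myproto)
```

Two points worth noting for anyone adapting this. First, the length field is validated against the bytes actually present before any TvbRange is built from it; trusting a length from the wire is the classic way a dissector ends up reading past its buffer. Second, the example treats each TCP segment independently and does not reassemble a message that is split across segments, so a real dissector for a stream protocol would need to add TCP reassembly support.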
Running the Lua script in Wireshark
These are the steps required to test the code above:

1. Edit and save the Lua script above to any folder, e.g. a file called
2. Open init.lua in the Wireshark installation directory for editing. You will need Admin privileges on Windows Vista and 7.
3. Ensure that the following line in init.lua is commented out (skip this step if your Wireshark version is 1.4 or later):
   -- disable_lua = true; do return end;
4. Add the following lines to init.lua at the very end:
5. Change MYPROTO_SCRIPT_PATH to point to the folder where you saved the script in step 1.
6. Load a capture file that contains packets of your custom protocol, or start a live capture.
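The lines appended to the end of init.lua, as an added example rather than the post's own text. MYPROTO_SCRIPT_PATH is the variable named in the steps above; the folder it points to and the script file name myproto.lua are assumptions, so replace them with the path and name you used in step 1.

```lua
-- Appended to the very end of init.lua (added example; path and file name are
-- assumptions). The trailing separator matters because the script name is
-- concatenated directly onto the folder.
MYPROTO_SCRIPT_PATH = "C:\\Users\\me\\wireshark_scripts\\"
dofile(MYPROTO_SCRIPT_PATH .. "myproto.lua")
```

Because dofile runs the script with the same privileges as Wireshark itself, keep the folder you point at writable only by you; a script loaded from a world-writable location becomes an easy way for someone else to run code in your capture sessions.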
Here’s a figure that shows the protocol dissector in action