paperlined.org
Document updated Feb 14, 2008
Often Wireshark does just about everything you'd ever need. But sometimes you want to do something very specific, or very application-focused. So you want to pipe the output of Wireshark to a Perl script, perhaps.

Perl

It used to be difficult or impossible to get the output of tcpdump/Wireshark into Perl under Windows. Now it's easy: tshark just works.

If you're interested in lots of detail about a smaller number of packets, it's very useful to output in PDML format and have a generic Perl parser that will suck in ALL of the data about every packet.
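As an added example (not code from the original page), here is such a generic reader for tshark's PDML output. It assumes the XML::Twig module from CPAN and a hypothetical script name, pdml_fields.pl.

```perl
#!/usr/bin/perl
# Added example, not code from the original page. Reads PDML on STDIN:
#   tshark -r capture.pcap -T pdml | perl pdml_fields.pl
# Assumes XML::Twig (CPAN). It streams one <packet> at a time, so the
# PDML for a large capture never has to fit in memory all at once.
use strict;
use warnings;
use XML::Twig;

# Flatten every <proto> and <field> under an element into
# field name => [values], recursing into nested fields.
sub collect_fields {
    my ($elt, $out) = @_;
    for my $child ($elt->children) {
        next unless $child->tag eq 'proto' || $child->tag eq 'field';
        my $name = $child->att('name');
        # tshark emits some unnamed text-only fields (name=""); skip the
        # name but still descend, since real fields can nest under them.
        if (defined $name && length $name) {
            my $val = $child->att('show');          # decoded value
            $val = $child->att('value') unless defined $val;   # raw hex
            push @{ $out->{$name} }, $val if defined $val;
        }
        collect_fields($child, $out);
    }
    return $out;
}

my $packets = 0;
my $twig = XML::Twig->new(
    twig_roots => {
        packet => sub {
            my ($t, $pkt) = @_;
            my $f = collect_fields($pkt, {});
            $packets++;
            # Example consumer: one summary line per packet; every other
            # dissected field is still available in %$f for your own logic.
            printf "%s %s -> %s [%s]\n",
                $f->{'frame.number'}[0]    // '?',
                $f->{'ip.src'}[0]          // ($f->{'ipv6.src'}[0] // '-'),
                $f->{'ip.dst'}[0]          // ($f->{'ipv6.dst'}[0] // '-'),
                $f->{'frame.protocols'}[0] // '';
            $t->purge;    # drop the parsed packet so memory stays flat
        },
    },
);
$twig->parse(\*STDIN);
print STDERR "$packets packets\n";
```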

Lua

Network traffic can contain a LOT of data. You want to trim it down using the capture + display filters if you can. But sometimes you can't. Then what?

Use tshark's built-in Lua to do all your work. Lua already has all the Wireshark API hooks, and Lua avoids the convert-binary-to-text and then convert-text-back-to-binary cycle that is necessary with Perl. (Granted, that round trip is not strictly necessary: there are Net::TcpDumpLog or Net::Pcap, but sometimes it's a pain to have to install extra Perl modules.)

Notes: