Sending UDP Packets from Wireshark / tshark - lua

I am working with a "real time" data analysis toolchain which is separated into two parts. The first part fetches the data to be analyzed, packs it into a UDP packet and sends it to another host. The second part, running on the aforementioned host, receives the UDP packets and performs analysis on the received packets. By "real time" I mean that the output of the analysis toolchain should appear live to a human user, thus latencies of up to 100 ms are acceptable.
I am looking into making a new data source available to the receiving part. The data that I am looking for are being transferred on an Ethercat bus, which I can sniff. Wireshark/tshark have a dissector for Ethercat packets. With that said, it's really simple to get at the data in a script running within Wireshark/tshark. Since I have little control over the second part of the analysis, I cannot readily modify the second part to sniff Ethercat frames via pcap or somesuch.
Is it possible to send UDP packets from a script running in Wireshark/tshark?

Wireshark's Lua doesn't have a way to do that available out-of-the-box, but it's stock Lua so you can write a Wireshark Lua script which itself can import (i.e., use require) any other Lua script or compiled Lua dll/so library. So, for example, you could use the LuaSocket library to send packets from within your Wireshark Lua script.
Note that there is no event loop available to Wireshark Lua scripts, so receiving packets via LuaSocket isn't going to work, afaik. But since you're talking about sending over UDP, and sending only when the Wireshark Lua script will get invoked (i.e., because you'd do the send() call inside a tap or dissector), I think it should work. If it does/doesn't please post back, because this question comes up now and then and it would be good to know.
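The approach the answer describes, as an added example rather than code from the original answer: a tap (Listener) that fires once per dissected EtherCAT frame and pushes the frame out through a LuaSocket UDP socket. It assumes LuaSocket is on Wireshark's Lua package path, that "ecat" is the display-filter name of the EtherCAT datagram dissector, and uses a placeholder receiver address.

```lua
-- Added example (not from the original answer): a Wireshark/tshark Lua
-- listener (tap) that forwards every EtherCAT frame it sees as one UDP
-- datagram via LuaSocket. Assumptions: LuaSocket is on Wireshark's Lua
-- package path; the receiver address is a placeholder; "ecat" is the
-- display-filter name of Wireshark's EtherCAT datagram dissector.
local socket = require("socket")

local FORWARD_HOST = "192.0.2.10"   -- placeholder (TEST-NET-2), not a real host
local FORWARD_PORT = 5555           -- placeholder port

-- One socket per session; setpeername fixes the destination so each
-- send() is a single call with no address work on the per-packet path.
local udp = assert(socket.udp())
assert(udp:setpeername(FORWARD_HOST, FORWARD_PORT))
udp:settimeout(0)                   -- never block the dissection loop

-- Big-endian 32-bit encoder that also works on the Lua 5.1/5.2 builds
-- bundled with older Wireshark releases (string.pack needs Lua 5.3+).
local function be32(n)
    return string.char(math.floor(n / 2^24) % 256, math.floor(n / 2^16) % 256,
                       math.floor(n / 2^8) % 256, n % 256)
end

-- A Listener with a display filter fires tap.packet once per matching
-- packet after dissection; no event loop is needed just to send.
local tap = Listener.new(nil, "ecat")
local sent, failed = 0, 0

function tap.packet(pinfo, tvb)
    local secs = math.floor(pinfo.abs_ts)
    local usecs = math.floor((pinfo.abs_ts - secs) * 1e6)
    -- 12-byte prefix (frame number, seconds, microseconds) lets the receiver
    -- detect lost or reordered datagrams; the rest is the raw captured frame.
    local payload = be32(pinfo.number) .. be32(secs) .. be32(usecs) .. tvb:raw()
    local ok = udp:send(payload)
    if ok then sent = sent + 1 else failed = failed + 1 end
end

-- Counters are reported when tshark finishes (or Wireshark redraws), so
-- silently dropped datagrams are visible to the operator.
function tap.draw()
    print(string.format("ecat-forward: sent=%d failed=%d", sent, failed))
end

function tap.reset()
    sent, failed = 0, 0
end
```

Run it as `tshark -i <iface> -X lua_script:ecat_forward.lua -q` for a single live pass. Two caveats: in the Wireshark GUI the tap is re-run whenever the display filter changes or the file is re-dissected, so the receiver would see every frame again, while tshark sends each frame once; and a maximum-size Ethernet frame plus the 12-byte prefix exceeds the usual 1472-byte UDP payload limit, so expect IP fragmentation (or raise the MTU) for the largest EtherCAT frames.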

Related

Running Wireshark Lua dissector scripts outside of Wireshark

Our company has a big investment in Lua dissectors for all of the proprietary protocols our hardware uses, and which we sniff in Wireshark. This makes Wireshark a very useful tool for live analysis and for where a user was recording with Wireshark and saved the capture for later analysis. The same data that we sniff with Wireshark is also logged to binary files in a process not involving Wireshark. My task is to create a process to parse (dissect) the binary log files and output them as JSON, and I would like to leverage our existing Lua dissectors if possible and not rewrite dissectors (in whatever appropriate language), which will be a big effort to create and maintain in parallel with the Lua scripts. But I don't think Lua Wireshark dissectors can run outside of Wireshark, because they have dependencies on all of the Wireshark prototypes like Proto and Protofield, etc. that are injected by Wireshark at runtime.
Here are the possibilities I've thought of. Are any of them feasible?
1. Somehow I would find Wireshark Lua files with all of the logic that is injected automatically when the Luas are running in Wireshark.
2. I would write Lua scripts that would be referenced by our existing scripts, to overload the logic injected automatically by Wireshark.
In both options 1 and 2, the Wireshark classes would return the parsed data to my program, which would emit it as JSON.
3. I would write a converter from our binary log files to Wireshark .pcapng files and spawn instances of Wireshark in a batch process, to consume and dissect the .pcapng files with the Lua files and write the output to JSON or XML file.
Update: In a development potentially in favor of option #3, I can run tshark.exe (command-line utility which comes with Wireshark) to dump packets from a .pcapng file to the standard output. But only the equivalent of the Information column in Wireshark is output, not the dissected pane. If I specify one of our Lua files on the command line with the option:
-X lua_script:[my lua file]
I see the same sorts of errors from tshark that I was seeing when running the Lua scripts directly from Lua:
...dissector.lua:16: bad argument #2 to 'Proto' (Proto_new: there cannot be two protocols with the same description)
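Option 2 in the question (a script that stands in for what Wireshark injects) looks like this in practice. The block below is an added example, not the poster's code: a minimal shim for Proto, ProtoField, Tvb ranges and TreeItem, plus a small dissector written in ordinary Wireshark style and a constructed 7-byte record, run under plain Lua to produce JSON. It assumes the dissector uses only this subset of the API; a real dissector will touch much more (pinfo, DissectorTable, expert info, preferences) and each piece has to be shimmed in turn. The shim also reproduces the duplicate-registration error quoted above, which is what you get when the same script is loaded twice.

```lua
-- Added example (not the poster's code): a minimal stand-in for the objects
-- Wireshark injects at runtime (Proto, ProtoField, Tvb ranges, TreeItem),
-- enough to run a simple Lua dissector under plain Lua and emit its field
-- tree as JSON. Assumption: the dissector uses only this API subset.

-- ProtoField.* constructors: keep only the metadata the output needs.
ProtoField = {}
local function field_ctor(kind, size)
    return function(abbr, name, base)
        return { abbr = abbr, name = name or abbr, kind = kind, size = size, base = base }
    end
end
ProtoField.uint8  = field_ctor("uint", 1)
ProtoField.uint16 = field_ctor("uint", 2)
ProtoField.uint32 = field_ctor("uint", 4)
ProtoField.string = field_ctor("string")

-- Proto("name", "description"): same call syntax as Wireshark. Registering
-- a name twice fails the way tshark does when a script is loaded twice.
local registry = {}
Proto = setmetatable({}, { __call = function(_, name, desc)
    assert(not registry[name], "there cannot be two protocols with the same description")
    registry[name] = { name = name, description = desc, fields = {} }
    return registry[name]
end })

-- TvbRange: (offset, length) window over the buffer with the usual accessors.
local Range = {}
Range.__index = Range
function Range:uint()
    local v = 0
    for i = self.off + 1, self.off + self.len do v = v * 256 + self.buf:byte(i) end
    return v
end
function Range:string() return self.buf:sub(self.off + 1, self.off + self.len) end
function Range:bytes()
    return (self:string():gsub(".", function(c) return string.format("%02x", c:byte()) end))
end

-- Tvb: callable as buf(off, len) like Wireshark's Tvb; bounds are enforced
-- so a malformed record raises instead of reading past the buffer.
local function Tvb(bytes)
    return setmetatable({ buf = bytes }, {
        __call = function(self, off, len)
            off = off or 0
            len = len or (#self.buf - off)
            assert(off >= 0 and off + len <= #self.buf, "range past end of buffer")
            return setmetatable({ buf = self.buf, off = off, len = len }, Range)
        end,
        __index = { len = function(self) return #self.buf end },
    })
end

-- TreeItem: tree:add(field_or_proto, range) records a value instead of drawing it.
local Tree = {}
Tree.__index = Tree
function Tree.new(abbr, value) return setmetatable({ abbr = abbr, value = value, items = {} }, Tree) end
function Tree:add(field, range)
    local kind = field.kind or "bytes"          -- a Proto node shows its raw bytes
    local value = kind == "uint" and range:uint() or kind == "string" and range:string() or range:bytes()
    local sub = Tree.new(field.abbr or field.name, value)
    self.items[#self.items + 1] = sub
    return sub                                  -- subtrees nest as in Wireshark
end

-- Minimal JSON emitter for the collected tree.
local function json_string(s)
    return '"' .. s:gsub('[%c"\\]', function(c) return string.format("\\u%04x", c:byte()) end) .. '"'
end
local function to_json(tree)
    local parts = {}
    for _, it in ipairs(tree.items) do
        local v = type(it.value) == "number" and tostring(it.value) or json_string(it.value)
        local kids = #it.items > 0 and (', "fields": ' .. to_json(it)) or ""
        parts[#parts + 1] = string.format('{"name": %s, "value": %s%s}', json_string(it.abbr), v, kids)
    end
    return "[" .. table.concat(parts, ", ") .. "]"
end

-- A dissector written exactly as it would be for Wireshark; only the
-- surroundings differ. Protocol and fields are constructed for this example.
local demo = Proto("demo", "Demo sensor protocol (constructed)")
local f_ver = ProtoField.uint8 ("demo.version", "Version")
local f_id  = ProtoField.uint16("demo.sensor",  "Sensor ID")
local f_val = ProtoField.uint32("demo.value",   "Reading")
demo.fields = { f_ver, f_id, f_val }
function demo.dissector(buf, pinfo, tree)
    local sub = tree:add(demo, buf(0, 7))
    sub:add(f_ver, buf(0, 1))
    sub:add(f_id,  buf(1, 2))
    sub:add(f_val, buf(3, 4))
end

-- Constructed 7-byte record: version 1, sensor 0x0102, reading 3000.
local record = string.char(0x01, 0x01, 0x02, 0x00, 0x00, 0x0B, 0xB8)
local root = Tree.new()
demo.dissector(Tvb(record), {}, root)
print(to_json(root))
```

Everything the dissector does goes through the shim, so its output is a plain Lua table that can be serialised however the log pipeline needs; the cost is that every Wireshark API the real dissectors use must be mirrored faithfully, which is why the tshark route (option 3 with `-T json`) is usually cheaper for anything beyond trivial dissectors.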

How to read ports and IP addresses out of a PCAP file using the WinPcap API?

I am currently trying to read some PCAP files using WinPCAP-API.
With this example I managed to read the data, timestamp and length. But I do not get how to read the source and destination IP addresses and ports?
But I do not get how to read the source and destination IP addresses and ports?
By dissecting the raw packet data that WinPcap gives you; libpcap/WinPcap provide no APIs for dissecting raw packet data (because different libpcap/WinPcap applications have different needs - an intrusion detection application such as Snort and a packet analyzer such as tcpdump or Wireshark do different things with the data).
See, for example, libtins as a C++ library for doing packet dissection, or the libpcap tutorial for an example of how to do the dissecting yourself.

How to extract network traffic information using tshark?

I need to analyze the wireless traffic occurring in Ch 1 of 802.11g. I have captured all the traffic logs using NETMON as test.cap file.
Q: How can I extract the information using tshark to a suitable format so that it can be used for further post processing?
I have captured all the activity in Ch11 but in wireshark it shows only 802.11 in protocol.
That usually means "the traffic is encrypted and Wireshark doesn't have enough information to decrypt it"; it does represent activity.
So if you're capturing on channel 11, an I/O graph in Wireshark, rather than anything extracted using TShark and further processed, should suffice to show the level of activity on that channel. You'd only have to dissect it if you want to see what type of traffic, at a higher level, that activity is, but it sounds as if you just care about activity, no matter what the packets are.

Parsing packets captured using wireshark for management frames identification using libpcap or similar library

I want to parse packets captured by wireshark offline using libpcap. I am capturing packets from a wireless network in monitor mode. I have read that "libpcap" can be used to capture and parse packets captured in the ethernet. Can it be used for wireless networks too? If yes, can anyone suggest a tutorial? And if not, which library is suitable for it and how to use it?
libpcap, and its Windows port WinPcap, can be used to capture network traffic (in fact, they're what Wireshark uses to capture network traffic), as well as to read a capture file in pcap format (the default format for Wireshark's existing releases) and, in libpcap 1.1 and later, to read some capture files in pcap-ng format (the default format for the current development version of Wireshark; it should write out files that libpcap 1.1 and later can read).
They can handle a number of network types, including Ethernet and Wi-Fi.
They do not, however, support parsing any packet types; that's the job of the code that uses them, whether it's tcpdump/WinDump, Wireshark, or some other application. There's a library called WiFiPcap that is:
A C++ wrapper around libpcap that parses 802.11 frames, and the most common layer 3 (IPv4, IPv6, ARP) and layer 4 protocols (TCP, UDP, ICMP) contained within them. Also works without link-layer headers. Works in Linux and Windows.
(copied from its web page, but edited to fix the protocol layer numbers to match the OSI model).
I have not looked at it, but it might do what you want.
There might also be other libraries that could be used to parse the packets.
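Both answers above (the WinPcap one about reading addresses and ports, and this one about Wi-Fi captures) make the same point: libpcap/WinPcap hand you raw bytes and the application does the dissection. The block below is an added example, not code from either answer, that shows what that dissection looks like in plain Lua for two link types: Ethernet (link type 1) down to IPv4 addresses and TCP/UDP ports, and IEEE 802.11 (link type 105, no radiotap header) down to the frame type/subtype that identifies management frames. Both pcap files it reads are constructed in the script, and the frame-control bit layout and subtype numbers are from the 802.11 standard.

```lua
-- Added example (not from either answer): a minimal pcap reader in plain Lua
-- that does the dissection libpcap/WinPcap leave to the application. Link
-- type 1 (Ethernet) yields IPv4 addresses and TCP/UDP ports; link type 105
-- (IEEE 802.11 without radiotap) yields frame type/subtype, which is how
-- management frames are identified. Needs only Lua 5.1+ string functions.
-- Both capture files below are constructed by hand for this example.

local function be16(s, i) local a, b = s:byte(i, i + 1); return a * 256 + b end
local function le32(s, i) local a, b, c, d = s:byte(i, i + 3); return ((d * 256 + c) * 256 + b) * 256 + a end
local function ipv4(s, i) return string.format("%d.%d.%d.%d", s:byte(i, i + 3)) end

local MGMT_SUBTYPES = { [0] = "assoc-req", [1] = "assoc-resp", [4] = "probe-req", [5] = "probe-resp",
                        [8] = "beacon", [10] = "disassoc", [11] = "auth", [12] = "deauth" }

-- Ethernet II -> IPv4 -> TCP/UDP (1-based offsets). Returns nil for anything
-- else rather than guessing; short (snaplen-truncated) packets are skipped.
local function parse_ethernet(pkt)
    if #pkt < 34 or be16(pkt, 13) ~= 0x0800 then return nil end
    local ihl = (pkt:byte(15) % 16) * 4            -- IP header length in bytes
    local proto = pkt:byte(24)
    local r = { src = ipv4(pkt, 27), dst = ipv4(pkt, 31), proto = proto }
    local l4 = 15 + ihl                             -- first byte of the L4 header
    if (proto == 6 or proto == 17) and #pkt >= l4 + 3 then
        r.sport, r.dport = be16(pkt, l4), be16(pkt, l4 + 2)
    end
    return r
end

-- 802.11 frame control byte: bits 0-1 version, 2-3 type, 4-7 subtype.
local function parse_80211(pkt)
    if #pkt < 2 then return nil end
    local fc = pkt:byte(1)
    local ftype, subtype = math.floor(fc / 4) % 4, math.floor(fc / 16)
    local r = { type = ftype, subtype = subtype, management = (ftype == 0) }
    if r.management then r.name = MGMT_SUBTYPES[subtype] or "mgmt-other" end
    return r
end

-- Global header (24 bytes), then 16-byte record headers; dispatch on link type.
local function parse_pcap(data)
    assert(le32(data, 1) == 0xa1b2c3d4, "only little-endian microsecond pcap handled here")
    local linktype = le32(data, 21)
    local handler = assert(({ [1] = parse_ethernet, [105] = parse_80211 })[linktype],
                           "unsupported link type " .. linktype)
    local out, pos = {}, 25
    while pos + 15 <= #data do
        local ts_sec, incl = le32(data, pos), le32(data, pos + 8)
        local r = handler(data:sub(pos + 16, pos + 15 + incl))
        if r then r.ts = ts_sec; out[#out + 1] = r end
        pos = pos + 16 + incl
    end
    return out
end

-- Builders for the constructed sample files.
local function le32s(n)
    return string.char(n % 256, math.floor(n / 256) % 256, math.floor(n / 65536) % 256, math.floor(n / 2^24) % 256)
end
local function pcap_file(linktype, packets)
    local parts = { le32s(0xa1b2c3d4) .. "\2\0\4\0" .. le32s(0) .. le32s(0) .. le32s(65535) .. le32s(linktype) }
    for i, p in ipairs(packets) do
        parts[#parts + 1] = le32s(1700000000 + i) .. le32s(0) .. le32s(#p) .. le32s(#p) .. p
    end
    return table.concat(parts)
end

-- Constructed Ethernet/IPv4/UDP packet: 10.0.0.1:5353 -> 10.0.0.2:53, one data byte.
local eth_udp = "\0\0\0\0\0\1" .. "\0\0\0\0\0\2" .. "\8\0"
    .. "\69\0\0\29\0\1\0\0\64\17\0\0" .. "\10\0\0\1" .. "\10\0\0\2"
    .. "\20\233\0\53\0\9\0\0" .. "A"
-- Constructed 802.11 frames: 24-byte MAC header, frame-control byte first.
local beacon = "\128\0" .. string.rep("\0", 22)   -- type 0, subtype 8
local deauth = "\192\0" .. string.rep("\0", 22)   -- type 0, subtype 12
local data   = "\8\0"   .. string.rep("\0", 22)   -- type 2 (data), not management

for _, p in ipairs(parse_pcap(pcap_file(1, { eth_udp }))) do
    print(string.format("%s:%d -> %s:%d proto %d", p.src, p.sport, p.dst, p.dport, p.proto))
end
for _, f in ipairs(parse_pcap(pcap_file(105, { beacon, deauth, data }))) do
    print(string.format("type %d subtype %d %s", f.type, f.subtype, f.name or "(not management)"))
end
```

Real monitor-mode captures usually carry link type 127 (radiotap) rather than 105, so the first step there is to read the little-endian radiotap length field at offset 2 and skip that many bytes before the 802.11 header; the rest of the parsing is the same. The explicit length checks before every read are the part worth copying: captures are untrusted input, and a parser that indexes past a truncated packet is the classic source of crashes and worse in packet-handling tools.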

Wireshark - Lua Dissector, detect which endpoint opened the connection?

I'm writing a dissector for a protocol that I have to work with. This protocol runs atop TCP and is stateful.
In order to dissect the fields correctly, I need to identify which endpoint opened the TCP connection (the client).
Is there a way to get this info from the tcp dissector? Would I have to write a tap? I'm not so clear on how to do this in lua.
Cross posted on the Wireshark stack site here.
To write a stateful protocol dissector in Lua you can use closures to store state information.
You can easily decipher which endpoint started the conversation if you analyse the SYN/SYN+ACK flags for the first packets of a given TCP stream # (which is generated by the TCP dissector).
To make this work you should install a post dissector and check for 'tcp.stream' field.
You can check out that technique in the sources of my small Lua Wireshark dissector to capture HTTP state information.
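The technique the answer describes, written out as an added example (it is not the answerer's dissector): a post-dissector that reads the `tcp.stream` and SYN/ACK fields the TCP dissector already produced, remembers per stream which endpoint sent the bare SYN, and labels every later packet of that stream with the client endpoint and the sender's role. State is kept in a table captured by the dissector closure. It assumes packets are seen in capture order on the first pass, which holds for tshark and for Wireshark's initial load of a file; the protocol and field names `clientinfo.*` are constructed for the example.

```lua
-- Added example (not the answerer's code): a Wireshark post-dissector that
-- records, per tcp.stream, which endpoint sent the bare SYN and then tags
-- every packet of the stream with the client endpoint. Assumes first-pass
-- capture order; "clientinfo" and its fields are constructed for this example.
local tcp_stream = Field.new("tcp.stream")
local syn_flag   = Field.new("tcp.flags.syn")
local ack_flag   = Field.new("tcp.flags.ack")
local src_port   = Field.new("tcp.srcport")

local p_client = Proto("clientinfo", "TCP client endpoint (post-dissector)")
local f_client = ProtoField.string("clientinfo.client", "Client endpoint")
local f_role   = ProtoField.string("clientinfo.role",   "Sender role")
p_client.fields = { f_client, f_role }

-- Closure-scoped state: stream number -> "ip:port" of the SYN sender.
local clients = {}

-- Reset when a new capture file is opened so stale stream numbers never
-- mislabel packets from a different file.
function p_client.init()
    clients = {}
end

function p_client.dissector(tvb, pinfo, tree)
    local stream = tcp_stream()
    if not stream then return end              -- not TCP, nothing to do
    local id = stream.value
    local sender = tostring(pinfo.src) .. ":" .. tostring(src_port().value)

    -- A SYN without ACK is the connection request. First one wins, so a
    -- retransmitted SYN from the same side changes nothing.
    local syn, ack = syn_flag(), ack_flag()
    if syn and ack and syn.value and not ack.value and clients[id] == nil then
        clients[id] = sender
    end

    local client = clients[id]
    local sub = tree:add(p_client, tvb())
    if client then
        sub:add(f_client, client)
        sub:add(f_role, sender == client and "client" or "server")
    else
        -- Capture started mid-stream: do not guess, say so explicitly.
        sub:add(f_role, "unknown (SYN not in capture)")
    end
end

register_postdissector(p_client)
```

Check it from the command line with `tshark -r capture.pcap -X lua_script:clientinfo.lua -T fields -e tcp.stream -e clientinfo.client -e clientinfo.role`. A stateful dissector that needs the client/server distinction should read its own fields from such a post-dissector (or keep the same table itself) rather than assuming the lower port number is the server, which breaks on non-standard ports and on mid-stream captures.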
