wireshark

How to force Wireshark's all_field_infos() function gather all the fields?


My goal is make a automatic capture file analysis using the fields what I see in Wireshark's Packet Details window. I used tshark and a Lua script which was created based on the Lua examples.

I used for testing a single frame file as input. Here is my script and tshark parameters how I used in Windows command line:

tshark.exe -q -r ecat_single.pcapng -X lua_script:field_extractor.lua

The field_extractor script:

-- this is our tap
local ecatTap = Listener.new();

local function remove()
    -- this way we remove the listener that otherwise will remain running indefinitely
    ecatTap:remove();
end

-- calling tostring() on random FieldInfo's can cause an error, so this func handles it
local function getstring(finfo)
    local ok, val = pcall(tostring, finfo)
    if not ok then val = "(unknown)" end
    return val
end

-- this function will be called once for each packet
function ecatTap.packet(pinfo,tvb,tapinfo)
    --
    local fields = { all_field_infos() }
    --
    for ix, finfo in ipairs(fields) do
        --
        -- The name and value of field will be printed unconditionally.
        print("[" .. ix .. "] " .. finfo.name .. " = " .. getstring(finfo) )--.. "\n")

        -- Here follow operations depending on the finfo value.
        if finfo.name == "ecat.cmd" then
            if finfo.value == 4 then
                print("FPRD command has found!")
                -- ...
            end
        end 
    end        
end

The output of this script:

[1] esl = 01:01:05:10:00:00:80:20:ac:60:64:2d:00:00:00:00
[2] eth = 00:e0:f4:2d:de:66:10:70:05:01:00:00:88:a4
[3] ecatf = 10:10
[4] ecat = 04:16:01:01:0c:08:04:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00
[5] ecat.subframe.pad_bytes = 00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00

The fields that returned by the all_field_infos() function do not contain the information what I can see in the Packet Details window. The data was there but it seemed it was not dissected. The description of the all_field_infos() states that only the fields are collected what is filled by the underlying code. It was not entirely clear what this means, until I tried the -V command line option, which prints packet details.

With this option I access all the fields what I need to my purpose, but prints all the packet information to the command line console. The capture files what analyze it could be a huge amount of text data and I could not silence via -q/-Q option.

My question is how can I force the all_field_infos() function to provide me all the fields without flood the command window?


Solution

  • The solution was found by reading the related documentation more carefully. The Listener's new method has optional parameters and one of them influcences the underlying field generation.

    Listener.new([tap], [filter], [allfields])

    allfields (optional)
    Whether to generate all fields. The default is false. Note: This impacts performance.

    The modification what is needed in the script above:

    local ecatTap = Listener.new(nil, nil, true)

    Now all the fields what are in GUI's Packet Details window, are generated. However, I was who was unaware of this parameter, I leave here this question and the answer because I did not find similar solution among examples and it could be helpful for others.