My goal is to make an automatic capture file analysis using the fields that I see in Wireshark's Packet Details window. I used tshark and a Lua script which was created based on the Lua examples.
For testing I used a single-frame file as input. Here is my script and the tshark parameters as I used them on the Windows command line:
tshark.exe -q -r ecat_single.pcapng -X lua_script:field_extractor.lua
The field_extractor script:
-- this is our tap
local ecatTap = Listener.new();

local function remove()
    -- this way we remove the listener that otherwise will remain running indefinitely
    ecatTap:remove();
end

-- calling tostring() on random FieldInfo's can cause an error, so this func handles it
local function getstring(finfo)
    local ok, val = pcall(tostring, finfo)
    if not ok then val = "(unknown)" end
    return val
end

-- this function will be called once for each packet
function ecatTap.packet(pinfo, tvb, tapinfo)
    -- collect every FieldInfo that was generated for this packet
    local fields = { all_field_infos() }

    for ix, finfo in ipairs(fields) do
        -- The name and value of the field will be printed unconditionally.
        print("[" .. ix .. "] " .. finfo.name .. " = " .. getstring(finfo))
        -- Here follow operations depending on the finfo value.
        if finfo.name == "ecat.cmd" then
            if finfo.value == 4 then
                print("FPRD command found!")
                -- ...
            end
        end
    end
end
The output of this script:
[1] esl = 01:01:05:10:00:00:80:20:ac:60:64:2d:00:00:00:00
[2] eth = 00:e0:f4:2d:de:66:10:70:05:01:00:00:88:a4
[3] ecatf = 10:10
[4] ecat = 04:16:01:01:0c:08:04:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00
[5] ecat.subframe.pad_bytes = 00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00
The fields that are returned by the all_field_infos() function do not contain the information that I can see in the Packet Details window. The data was there but it seemed it was not dissected. The description of all_field_infos() states that only the fields that are filled by the underlying code are collected. It was not entirely clear what this means, until I tried the -V command line option, which prints packet details.
With this option I can access all the fields that I need for my purpose, but it prints all the packet information to the command line console. The capture files that I analyze could be a huge amount of text data and I could not silence it via the -q/-Q option.
My question is: how can I force the all_field_infos() function to provide me all the fields without flooding the command window?
The solution was found by reading the related documentation more carefully. The Listener's new method has optional parameters and one of them influences the underlying field generation.
Listener.new([tap], [filter], [allfields])
allfields (optional)
Whether to generate all fields. The default is false. Note: This impacts performance.
The modification that is needed in the script above:
local ecatTap = Listener.new(nil, nil, true)
Now all the fields that are in the GUI's Packet Details window are generated. However, since I was unaware of this parameter, I leave this question and the answer here because I did not find a similar solution among the examples and it could be helpful for others.
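As an added example (not code from the original post), here is a version of the listener that combines the allfields parameter with a display filter and keeps its own tally, writing a summary file once at the end of the run instead of printing every field; the field name "ecat.cmd" and the FPRD value 4 come from the post, while the output file name and the counting logic are assumptions of this example.

```lua
-- Added example, not from the original post.
-- tap, filter, allfields: allfields = true makes all_field_infos() return the
-- same fields the Packet Details pane shows (at a performance cost); the
-- "ecat" filter makes the tap see only frames that contain EtherCAT.
local OUTFILE = "ecat_summary.txt"   -- assumed file name, change as needed

local ecatTap = Listener.new(nil, "ecat", true)

local fprd_frames  = {}   -- frame numbers that carry at least one FPRD datagram
local field_counts = {}   -- how often each field name was seen over the whole file

-- calling tostring() on some FieldInfo objects can raise an error, so guard it
local function getstring(finfo)
    local ok, val = pcall(tostring, finfo)
    if not ok then val = "(unknown)" end
    return val
end

-- called once per frame that passes the filter; nothing is printed here
function ecatTap.packet(pinfo, tvb, tapinfo)
    local seen_fprd = false
    for _, finfo in ipairs({ all_field_infos() }) do
        field_counts[finfo.name] = (field_counts[finfo.name] or 0) + 1
        -- a frame may carry several datagrams, so ecat.cmd can occur more than once
        if finfo.name == "ecat.cmd" and finfo.value == 4 then
            seen_fprd = true
        end
    end
    if seen_fprd then
        fprd_frames[#fprd_frames + 1] = pinfo.number
    end
end

-- tshark calls draw() once at the end of the run, also when -q is given,
-- so the whole summary goes to a file rather than to the console
function ecatTap.draw()
    local f = assert(io.open(OUTFILE, "w"))
    f:write("frames with FPRD: ", #fprd_frames, "\n")
    f:write("frame numbers: ", table.concat(fprd_frames, " "), "\n")
    for name, n in pairs(field_counts) do
        f:write(name, "\t", n, "\n")
    end
    f:close()
end
```

Run it the same way as the original script (tshark.exe -q -r capture.pcapng -X lua_script:this_script.lua); only the summary file is produced, so a large capture no longer floods the command window.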