lua wireshark

How to write to custom Wireshark column via lua?


I'm trying to fill a custom column with information via Lua in Wireshark.

What I've tried

local dienstname_f = ProtoField.string("customDienstname", "Dienstname")
local custom_proto = Proto("custom", "Custom Dienst")
custom_proto.fields = {dienstname_f}

function custom_proto.dissector(buffer, pinfo, tree)
    if (tostring(pinfo.src) == "10.0.0.0" and pinfo.src_port == 5000) or
       (tostring(pinfo.dst) == "10.0.0.0" and pinfo.dst_port == 5000) then
       
        pinfo.cols.info:set("Hallo2 von Lua!")
        pinfo.cols.customDienstname:set("MEIN SERVICE")

        local subtree = tree:add(custom_proto, "Custom Dienst")
        subtree:add(dienstname_f, "MEIN SERVICE")
    end
end

register_postdissector(custom_proto)

I'm aware that I am creating a custom protocol here and that works fine. What doesn't work is the writing to the customDienstname column. The column I created is of type "Custom", if that helps. The "Hallo2 von Lua!" text is just for verification that I reach that point - which it does, and the Info column is correctly filled.

Any ideas if this is even possible and how to do it?


Solution

  • I've found the issues in my code. I had two issues.

    1. First, I accidentally forgot a "." in the protofield name. It should have been "custom.Dienstname" instead of "customDienstname". It is always <protoName>.<fieldName>.

    2. The custom column isn't written to by doing "pinfo.cols.customDienstname:set("MEIN SERVICE")" but instead, as I already had it below, with "subtree:add(dienstname_f, "MEIN SERVICE")".

    After having done this, one needs to edit the custom column in Wireshark and in the "Fields" field enter <protoName>.<fieldName>, in my case it would be "custom.Dienstname".

    This worked perfectly. I even managed to extend it with logging and for it to use a json file as a mapping reference.

    Here is the functioning basic version only though, because that was the question initially. If someone's interested I can post the extended one too.

    -- Field abbreviation is <protoName>.<fieldName>; the custom column's "Fields" entry uses this name
    local dienstname_f = ProtoField.string("custom.Dienstname", "Dienstname")
    local custom_proto = Proto("custom", "Custom Dienst")
    custom_proto.fields = {dienstname_f}

    function custom_proto.dissector(buffer, pinfo, tree)
        -- Match traffic to or from 10.0.0.0 port 5000
        if (tostring(pinfo.src) == "10.0.0.0" and pinfo.src_port == 5000) or
           (tostring(pinfo.dst) == "10.0.0.0" and pinfo.dst_port == 5000) then

            local subtree = tree:add(custom_proto, "Custom Dienst")
            -- Adding the field to the tree is what fills the custom column
            subtree:add(dienstname_f, "MEIN SERVICE")
        end
    end

    -- Run after the regular dissectors
    register_postdissector(custom_proto)
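
The same approach generalized from one hard-coded endpoint to a lookup table, as an added example that is not part of the original answer. The protocol name `svcmap`, the field `svcmap.name` and the endpoint table are assumptions made up for illustration.

```lua
-- Added example, not the poster's code. Hypothetical names: proto "svcmap",
-- field "svcmap.name". The endpoints below are constructed sample values.
local svcmap = Proto("svcmap", "Service Map")
local name_f = ProtoField.string("svcmap.name", "Service name")
svcmap.fields = { name_f }

-- Constructed mapping: "ip:port" -> service label shown in the column.
local SERVICES = {
    ["10.0.0.0:5000"] = "MEIN SERVICE",
    ["10.0.0.1:8443"] = "ADMIN API",
}

-- Return the label for an endpoint, or nil if it is not in the table.
-- %d keeps the key stable whether the port arrives as integer or float.
local function lookup(addr, port)
    return SERVICES[string.format("%s:%d", tostring(addr), port)]
end

function svcmap.dissector(buffer, pinfo, tree)
    -- Try the destination first, then the source, so both directions
    -- of a conversation get the same label.
    local name = lookup(pinfo.dst, pinfo.dst_port)
              or lookup(pinfo.src, pinfo.src_port)
    if not name then return end   -- unknown endpoint: column stays empty

    local subtree = tree:add(svcmap, "Service Map")
    -- The value is computed by the script, not read from packet bytes,
    -- so mark the tree item as generated.
    subtree:add(name_f, name):set_generated()
end

register_postdissector(svcmap)
```

With this script loaded, the custom column's "Fields" entry would be `svcmap.name`, following the <protoName>.<fieldName> rule from the answer.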