On Thu, Mar 16, 2017 at 08:45:34PM +0000, Kunal Thakrar wrote:
> Hi Peter,
>
> So if using the Lua API, if I put a script which primes the fields I
> am interested in within the plugins folder I will be able to access
> information such as the IP addresses (to see which TCP connection it
> was part of) and any information about the HTTP packets (obviously if
> it was, in fact, part of a TCP connection).

Yes, here you can find some examples of doing this in Lua:
https://github.com/Lekensteyn/lglaf/blob/master/lglaf.lua
https://git.lekensteyn.nl/peter/wireshark-notes/tree/lua/r8152.lua

See "usb_transfer_type". Note that the number of returned values may be
larger than 1. In case you want to access all addresses, you could try
something like:

    -- Field extractors must be created at load time, outside the dissector
    local ip_addr = Field.new("ip.addr")
    local my_proto = Proto.new("my_proto", "My Proto")
    function my_proto.dissector(tvb, pinfo, tree)
        -- Note: Lua language feature: if ip_addr returns more than 1
        -- item, using it as last element of the array results in
        -- appending all returned values to this array
        local fields = { ip_addr() }
        -- ...
    end
    register_postdissector(my_proto)

Alternatively, use ip.src and ip.dst for specific addresses (but note
that in case of tunneled traffic you may still have multiple
occurrences).
--
Kind regards,
Peter Wu
https://lekensteyn.nl
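
A fuller post-dissector along the lines discussed in this thread, added here as an example and not code from either poster or from the linked repositories. It collects every ip.src/ip.dst occurrence (so tunneled packets show each IP layer) and, when present, the HTTP host and request URI. The protocol name "addr_summary", its two fields and the script file name are hypothetical.

```lua
-- Added example. Load with: tshark -X lua_script:addr_summary.lua -r <capture> -V
-- "addr_summary" and its field names are hypothetical.

-- Field extractors must be created at load time so Wireshark knows
-- these fields are needed even when no display filter mentions them.
local f_ip_src    = Field.new("ip.src")
local f_ip_dst    = Field.new("ip.dst")
local f_http_host = Field.new("http.host")
local f_http_uri  = Field.new("http.request.uri")

local summary = Proto.new("addr_summary", "Address Summary")
local pf_pair = ProtoField.string("addr_summary.pair", "IP layer")
local pf_url  = ProtoField.string("addr_summary.url", "HTTP request")
summary.fields = { pf_pair, pf_url }

function summary.dissector(tvb, pinfo, tree)
    -- Wrapping the call in a table keeps every occurrence of the field;
    -- a plain "local src = f_ip_src()" would keep only the first one.
    local srcs = { f_ip_src() }
    local dsts = { f_ip_dst() }
    if #srcs == 0 then return end  -- no IPv4 layer in this packet

    local subtree = tree:add(summary, "Address Summary")
    for i, src in ipairs(srcs) do
        local dst = dsts[i]
        subtree:add(pf_pair, string.format("#%d %s -> %s",
            i, tostring(src), dst and tostring(dst) or "?"))
    end

    -- The HTTP fields are nil unless the packet carries an HTTP request.
    local host, uri = f_http_host(), f_http_uri()
    if host and uri then
        subtree:add(pf_url, tostring(host) .. tostring(uri))
    end
end

register_postdissector(summary)
```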