Wireshark-dev: Re: [Wireshark-dev] my purpose [for building with support for Lua in Linux (Ubun

From: Guy Harris <gharris@xxxxxxxxx>
Date: Sat, 22 May 2021 02:50:39 -0700
On May 21, 2021, at 8:03 PM, Vincent Randal <vtrandal@xxxxxxxxx> wrote:

> I've plans to use Lua to control tshark behavior in scripts, IF ... I can get Wireshark to build with support for Lua in Ubuntu 20.4, ... But so far I am not having any luck. I found this piece of documentation that says ...
> "Wireshark contains an embedded Lua 5.2 interpreter ..."
> I believe that's true for Windows but not Linux.

On an Ubuntu 20.04 system (virtual machine):

ubu20-04$ apt list | egrep wireshark

WARNING: apt does not have a stable CLI interface. Use with caution in scripts.

libndpi-wireshark/focal 2.6-5 amd64
libvirt-wireshark/focal-updates 6.0.0-0ubuntu8.9 amd64
libwireshark-data/focal,focal,now 3.2.3-1 all [installed,automatic]
libwireshark-dev/focal 3.2.3-1 amd64
libwireshark13/focal,now 3.2.3-1 amd64 [installed,automatic]
wireshark-common/focal,now 3.2.3-1 amd64 [installed,automatic]
wireshark-dev/focal 3.2.3-1 amd64
wireshark-doc/focal,focal 3.2.3-1 all
wireshark-gtk/focal 3.2.3-1 amd64
wireshark-qt/focal,now 3.2.3-1 amd64 [installed]
wireshark/focal,now 3.2.3-1 amd64 [installed,automatic]

so it has Wireshark installed from an Ubuntu package.

ubu20-04$ which tshark
/bin/tshark

so if I just run "tshark" from the command line, it runs the version installed from the standard Ubuntu package.

ubu20-04$ tshark --version
TShark (Wireshark) 3.2.3 (Git v3.2.3 packaged as 3.2.3-1)

Copyright 1998-2020 Gerald Combs <gerald@xxxxxxxxxxxxx> and contributors.
License GPLv2+: GNU GPL version 2 or later <https://www.gnu.org/licenses/gpl-2.0.html>
This is free software; see the source for copying conditions. There is NO
warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.

Compiled (64-bit) with libpcap, with POSIX capabilities (Linux), with libnl 3,
with GLib 2.64.2, with zlib 1.2.11, with SMI 0.4.8, with c-ares 1.15.0, with Lua
5.2.4, with GnuTLS 3.6.13 and PKCS #11 support, with Gcrypt 1.8.5, with MIT
Kerberos, with MaxMind DB resolver, with nghttp2 1.40.0, with brotli, with LZ4,
with Zstandard, with Snappy, with libxml2 2.9.10.

Running on Linux 5.8.0-53-generic, with Intel(R) Core(TM) i9-9980HK CPU @
2.40GHz (with SSE4.2), with 7932 MB of physical memory, with locale en_US.UTF-8,
with libpcap version 1.9.1 (with TPACKET_V3), with GnuTLS 3.6.13, with Gcrypt
1.8.5, with brotli 1.0.7, with zlib 1.2.11, binary plugins supported (0 loaded).

Built using gcc 9.3.0.

so it *is* built with Lua support ("with Lua 5.2.4" in the "Compiled ... with" string).

So it is certainly possible to build Lua support into Wireshark if you're building it for Linux - the Ubuntu maintainers have done so.

If, however, you want to build your *own* version of Wireshark from source, and have it include feature XXX, you must make sure that all the *developer* packages needed for feature XXX are installed - having the end-user packages is *not* enough, as that provides only enough files to allow programs *already compiled* with those packages to run, it's *not* enough to compile programs using them, as it doesn't, for example, include header files.

On Debian, and on Debian-based distributions such as Ubuntu, the easiest way to do that is to run

	tools/debian-setup.sh --install-optional

which will attempt to install all packages needed to build Wireshark *and* all packages not required to build Wireshark, but required to add certain features to the Wireshark you're building, such as Lua support.

Once you have done that.

> I have lots of questions:
> 1. Before running cmake how can I tell the appropriate "with-lua" sort of switch is enabled?

By making sure that the appropriate package for Lua is installed.  That's liblua5.2-dev.

The easiest way to make sure it's installed is to run

	tools/debian-setup.sh --install-optional

before running CMake.

> 2. After running cmake how can I tell I got what I wanted i.e. that it found Lua and make will build with support for Lua?

Check the output of CMake to see if it says, in the list shown after "-- The following OPTIONAL packages have been found:":

	* LUA (required version >= 5.1)

> 3. If it does not find Lua how do I fix that?

Make sure liblua5.2-dev is installed.  (If you've already run CMake before running tools/debian-setup.sh --install-optional, you *might* have to remove the directory in which you ran it, create a new directory in which to do the build, and re-run CMake, so that there isn't any cached "sorry, I didn't find Lua" indication left around.)

> 4. When the build succeeds how do I compensate for the difference sudo and non-sudo seem to have on tshark? Non-sudo invokation runs my lua scripts. Sudo invocations don't.

Don't run with sudo.  You should *NEVER* run TShark or Wireshark under sudo.  To quote section 3.11.1 "Packaging Guidelines":

	https://www.wireshark.org/docs/wsdg_html_chunked/ChSrcBinary.html#ChSrcVersioning

of the Wireshark Developer's Guide:

	Privileges
	All function calls that require elevated privileges are in dumpcap.

	WIRESHARK CONTAINS OVER THREE MILLION LINES OF SOURCE CODE. DO NOT RUN THEM AS ROOT.

Instead, run CMake with the option -DDUMPCAP_INSTALL_OPTION=capabilities.  Then, if you install Wireshark with "sudo cmake install", it will install the dumpcap program with sufficient Linux capabilities to do capturing on network interfaces.

Unfortunately, if you want to do captures by running Wireshark or TShark from the *build* directory, just giving the dumpcap binary in the build directory may not work; I suspect the problem is that the run-time linker determines that dumpcap is being run with elevated privileges and refuses to look in arbitrary places - including the build directory - for shared libraries, so dumpcap doesn't start up.

> 5. And assuming (with some help) I get past the above issues, how much control can lua scripts expert over tshark and Wireshark?

To see what Lua scripts can do, see Chapter 10 "Lua Support in Wireshark":

	https://www.wireshark.org/docs/wsdg_html_chunked/wsluarm.html

and Chapter 11 "Wireshark’s Lua API Reference Manual":

	https://www.wireshark.org/docs/wsdg_html_chunked/wsluarm_modules.html

of the Wireshark developer's guide.

If what you want to do is *not* there, then a Lua script probably *can't* do it.