Wireshark-dev: Re: [Wireshark-dev] my purpose [for building with support for Lua in Linux (Ubun

From: Vincent Randal <vtrandal@xxxxxxxxx>
Date: Sat, 22 May 2021 14:46:17 -0600


On Sat, May 22, 2021 at 3:51 AM Guy Harris <gharris@xxxxxxxxx> wrote:
On May 21, 2021, at 8:03 PM, Vincent Randal <vtrandal@xxxxxxxxx> wrote:

> I've plans to use Lua to control tshark behavior in scripts, IF ... I can get Wireshark to build with support for Lua in Ubuntu 20.4, ... But so far I am not having any luck. I found this piece of documentation that says ...
> "Wireshark contains an embedded Lua 5.2 interpreter ..."
> I believe that's true for Windows but not Linux.

On an Ubuntu 20.04 system (virtual machine):

ubu20-04$ apt list | egrep wireshark

WARNING: apt does not have a stable CLI interface. Use with caution in scripts.

libndpi-wireshark/focal 2.6-5 amd64
libvirt-wireshark/focal-updates 6.0.0-0ubuntu8.9 amd64
libwireshark-data/focal,focal,now 3.2.3-1 all [installed,automatic]
libwireshark-dev/focal 3.2.3-1 amd64
libwireshark13/focal,now 3.2.3-1 amd64 [installed,automatic]
wireshark-common/focal,now 3.2.3-1 amd64 [installed,automatic]
wireshark-dev/focal 3.2.3-1 amd64
wireshark-doc/focal,focal 3.2.3-1 all
wireshark-gtk/focal 3.2.3-1 amd64
wireshark-qt/focal,now 3.2.3-1 amd64 [installed]
wireshark/focal,now 3.2.3-1 amd64 [installed,automatic]

so it has Wireshark installed from an Ubuntu package.

ubu20-04$ which tshark
/bin/tshark

so if I just run "tshark" from the command line, it runs the version installed from the standard Ubuntu package.

ubu20-04$ tshark --version
TShark (Wireshark) 3.2.3 (Git v3.2.3 packaged as 3.2.3-1)

Copyright 1998-2020 Gerald Combs <gerald@xxxxxxxxxxxxx> and contributors.
License GPLv2+: GNU GPL version 2 or later <https://www.gnu.org/licenses/gpl-2.0.html>
This is free software; see the source for copying conditions. There is NO
warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.

Compiled (64-bit) with libpcap, with POSIX capabilities (Linux), with libnl 3,
with GLib 2.64.2, with zlib 1.2.11, with SMI 0.4.8, with c-ares 1.15.0, with Lua
5.2.4, with GnuTLS 3.6.13 and PKCS #11 support, with Gcrypt 1.8.5, with MIT
Kerberos, with MaxMind DB resolver, with nghttp2 1.40.0, with brotli, with LZ4,
with Zstandard, with Snappy, with libxml2 2.9.10.

Running on Linux 5.8.0-53-generic, with Intel(R) Core(TM) i9-9980HK CPU @
2.40GHz (with SSE4.2), with 7932 MB of physical memory, with locale en_US.UTF-8,
with libpcap version 1.9.1 (with TPACKET_V3), with GnuTLS 3.6.13, with Gcrypt
1.8.5, with brotli 1.0.7, with zlib 1.2.11, binary plugins supported (0 loaded).

Built using gcc 9.3.0.

so it *is* built with Lua support ("with Lua 5.2.4" in the "Compiled ... with" string).

So it is certainly possible to build Lua support into Wireshark if you're building it for Linux - the Ubuntu maintainers have done so.

If, however, you want to build your *own* version of Wireshark from source, and have it include feature XXX, you must make sure that all the *developer* packages needed for feature XXX are installed - having the end-user packages is *not* enough, as that provides only enough files to allow programs *already compiled* with those packages to run, it's *not* enough to compile programs using them, as it doesn't, for example, include header files.

On Debian, and on Debian-based distributions such as Ubuntu, the easiest way to do that is to run

        tools/debian-setup.sh --install-optional

which will attempt to install all packages needed to build Wireshark *and* all packages not required to build Wireshark, but required to add certain features to the Wireshark you're building, such as Lua support.

Once you have done that.

> I have lots of questions:
> 1. Before running cmake how can I tell the appropriate "with-lua" sort of switch is enabled?

By making sure that the appropriate package for Lua is installed.  That's liblua5.2-dev.

The easiest way to make sure it's installed is to run

        tools/debian-setup.sh --install-optional
Thank you. Graham had the same suggestion. This helped tremendously. I was doing it the hard way trying to manage dependencies myself.

before running CMake.

> 2. After running cmake how can I tell I got what I wanted i.e. that it found Lua and make will build with support for Lua?

Check the output of CMake to see if it says, in the list shown after "-- The following OPTIONAL packages have been found:":

        * LUA (required version >= 5.1)
Thank you. After running [tools/debian-detup.sh --install-optional] then I did indeed see LUA in the OPTIONAL packages that were found.

> 3. If it does not find Lua how do I fix that?

Make sure liblua5.2-dev is installed.  (If you've already run CMake before running tools/debian-setup.sh --install-optional, you *might* have to remove the directory in which you ran it, create a new directory in which to do the build, and re-run CMake, so that there isn't any cached "sorry, I didn't find Lua" indication left around.)
Thank you. I did have to remove the build directory and re-run cmake in a fresh new (empty) directory.

> 4. When the build succeeds how do I compensate for the difference sudo and non-sudo seem to have on tshark? Non-sudo invokation runs my lua scripts. Sudo invocations don't.

Don't run with sudo.  You should *NEVER* run TShark or Wireshark under sudo.  To quote section 3.11.1 "Packaging Guidelines":

        https://www.wireshark.org/docs/wsdg_html_chunked/ChSrcBinary.html#ChSrcVersioning

of the Wireshark Developer's Guide:

        Privileges
        All function calls that require elevated privileges are in dumpcap.

        WIRESHARK CONTAINS OVER THREE MILLION LINES OF SOURCE CODE. DO NOT RUN THEM AS ROOT. <== Got it Thanks!

Instead, run CMake with the option -DDUMPCAP_INSTALL_OPTION=capabilities.  Then, if you install Wireshark with "sudo cmake install", it will install the dumpcap program with sufficient Linux capabilities to do capturing on network interfaces.
Thank you. That works. And -DDUMPCAP_INSTALL_OPTION=suid also seems to work. Now, I've got tshark running Lua scripts and dissecting packets. 

Unfortunately, if you want to do captures by running Wireshark or TShark from the *build* directory, just giving the dumpcap binary in the build directory may not work; I suspect the problem is that the run-time linker determines that dumpcap is being run with elevated privileges and refuses to look in arbitrary places - including the build directory - for shared libraries, so dumpcap doesn't start up.

> 5. And assuming (with some help) I get past the above issues, how much control can lua scripts expert over tshark and Wireshark?

To see what Lua scripts can do, see Chapter 10 "Lua Support in Wireshark":

        https://www.wireshark.org/docs/wsdg_html_chunked/wsluarm.html

and Chapter 11 "Wireshark’s Lua API Reference Manual":

        https://www.wireshark.org/docs/wsdg_html_chunked/wsluarm_modules.html

of the Wireshark developer's guide.

If what you want to do is *not* there, then a Lua script probably *can't* do it.
Exactly. I should set my expectations accordingly. Thank you.

___________________________________________________________________________
Sent via:    Wireshark-dev mailing list <wireshark-dev@xxxxxxxxxxxxx>
Archives:    https://www.wireshark.org/lists/wireshark-dev
Unsubscribe: https://www.wireshark.org/mailman/options/wireshark-dev
             mailto:wireshark-dev-request@xxxxxxxxxxxxx?subject=unsubscribe