Wireshark-users: Re: [Wireshark-users] LUA-script in Tshark

From: "Maynard, Chris" <Christopher.Maynard@xxxxxxx>
Date: Mon, 3 Aug 2020 15:08:09 +0000
> -----Original Message-----
> From: Wireshark-users <wireshark-users-bounces@xxxxxxxxxxxxx> On
> Behalf Of Gisle Vanem
> Sent: Saturday, August 1, 2020 2:54 AM
> To: wireshark-users <wireshark-users@xxxxxxxxxxxxx>
> Subject: [Wireshark-users] LUA-script in Tshark
>
> Hello list.
>
> I use this .lua-script:
>    https://github.com/VE3NEA/Afedri-Dissector/blob/master/afedri.lua
>
> to dissect traffic to/from my newly acquired short-wave radio.
> First I used windump to generate a 4GByte capture (10 minutes of control +
> data on port 50000). Then wanting to see the details of these Afedri
> protocols, I started Tshark in verbose mode (-V):
>    tshark -X afedri.lua -V -O Afedri,Afedri-iq -c20 -r recording-1.pcap | less
>
> But I get lines like:
>
>    Frame 1-3: the 3-way TCP handshake. Why does tshark print this when I
>       used the '-O' option.

The -O option only causes the specific protocols to be expanded, but it doesn't prevent the summary lines from being printed for all frames.  If you only want Afedri or Afedri-IQ protocols displayed, then you should use a display filter (e.g., -Y "afedri or afedri-iq")  to limit the frames displayed.  Incidentally, if you use -O, you don't need -V.  You can think of -V as expanding all protocols and -O as only expanding those specific protocols you list.  In fact, this is what the man page says about the option:

-O <protocols>

    Similar to the -V option, but causes TShark to only show a detailed view of the comma-separated list of protocols specified, and show only the top-level detail line for all other protocols, rather than a detailed view of all protocols. Use the output of "tshark -G protocols" to find the abbreviations of the protocols you can specify.

>    Frame 4: 63 bytes on wire (504 bits), 63 bytes captured (504 bits)
>    Ethernet II, Src: ASUSTekC_81:2e:ea (e0:3f:49:81:2e:ea), Dst:
> e6:1f:35:31:35:30 (e6:1f:35:31:35:30)
>    Internet Protocol Version 4, Src: 10.0.0.10, Dst: 10.0.0.50
>    Transmission Control Protocol, Src Port: 51974, Dst Port: 50000, Seq: 1, Ack:
> 1, Len: 9
>    Afedri Protocol Data
>
>    Frame 5: 63 bytes on wire (504 bits), 63 bytes captured (504 bits)
>    Ethernet II, Src: e6:1f:35:31:35:30 (e6:1f:35:31:35:30), Dst:
> ASUSTekC_81:2e:ea (e0:3f:49:81:2e:ea)
>    Internet Protocol Version 4, Src: 10.0.0.50, Dst: 10.0.0.10
>    Transmission Control Protocol, Src Port: 50000, Dst Port: 51974, Seq: 1, Ack:
> 10, Len: 9
>    Afedri Protocol Data
>    ....

This is strange.  You *should* be seeing the Afedri details; it's almost as if the name of the protocol doesn't match so you're not seeing expanded details.  When I place the afedri.lua script in my Wireshark plugins directory and run "tshark -G protocols | grep Afedri", I get:

Afedri TCP Control Protocol     AFEDRI  afedri
Afedri UDP Data Protocol        AFEDRI-IQ       afedri-iq

So is this case-sensitive?  Maybe try with lower-case instead?
tshark -X afedri.lua -O afedri,afedri-iq -c20 -r recording-1.pcap | less

If that doesn't help, then do you get Afedri details if you omit Afedri-iq from the -O option?  Do you get Afedri details with only -V and no -O?

> All-though I get details for the data-protocol (which use UDP):
>    Frame 20: 1070 bytes on wire (8560 bits), 1070 bytes captured (8560 bits)
>    Ethernet II, Src: e6:1f:35:31:35:30 (e6:1f:35:31:35:30), Dst:
> ASUSTekC_81:2e:ea (e0:3f:49:81:2e:ea)
>    Internet Protocol Version 4, Src: 10.0.0.50, Dst: 10.0.0.10
>    User Datagram Protocol, Src Port: 50000, Dst Port: 50000
>    Afedri Protocol Data
>        header: 0x8404 (16-Bit data, large packet)
>        sequence number: 58371 (0xE403)
>        I/Q data, 256 2x16-bit samples
>             (  -176,    -40)(   169,      3)(   110,   -131)(  -110,   -133)
>             (    24,    192)(   129,   -142)(  -115,      4)(    81,    138)
>             (   131,    -88)(  -216,   -141)(  -105,    115)(    95,    -78)
>             (    89,   -187)(    -6,    115)(   119,    -58)(  -119,    -55)
>             ...
>
> I'd like more packet details, but only for protocols specified with '-O'. Is this
> an issue with the Afedri.lua script, Tshark or did I use the script wrong? Is this
> possible?

Possibly you used the script wrong if the name of the protocol specified for the -O option is case-sensitive.  And as I pointed out above, you are seeing other frames because -O doesn't limit summary lines; you need a display filter -Y for that.  The script itself does have at least one problem though, and that is that it doesn't handle TCP reassembly.  I don't know if this protocol data could ever span more than one TCP data segment, but if so, dissection won't work properly in those cases, so it'd probably be better if the script were modified to handle reassembly regardless.

> PS. The page at https://wiki.wireshark.org/Lua
>      specifies one has to use '-X lua_script:file'. That prefix seems
>      not needed.

The prefix is definitely needed.  I think you may have the script stored in a file location that tshark automatically picks up, for example in %APPDATA%\Wireshark\plugins.  Try running Wireshark and check "Help -> About Wireshark -> Plugins"; if Wireshark lists afedri.lua there, then tshark will also see it by default too.  Of course, if that's the case then you don't need to bother specifying the "-X lua_script:file" option at all.

>
> --
> --gv



Hopefully at least some of this helps.
-- Chris










CONFIDENTIALITY NOTICE: This message is the property of International Game Technology PLC and/or its subsidiaries and may contain proprietary, confidential or trade secret information. This message is intended solely for the use of the addressee. If you are not the intended recipient and have received this message in error, please delete this message from your system. Any unauthorized reading, distribution, copying, or other use of this message or its attachments is strictly prohibited.