B. Nir

Reputation: 119

How to add filter to field in Wireshark

I'm trying to add a filter to a field in Wireshark.
My dissector name is: "basic".
It has 3 fields - field1, field2, field3.
Each field can have a string value.
I want that in Wireshark I'll be able to filter by a particular field, for example: basic.field1 (just the same as you look for tcp.len).

How can I do this?

Upvotes: 0

Views: 2893

Answers (1)

Christopher Maynard

Reputation: 6304

You must declare the fields, assign them to your protocol and add them to the tree when appropriate. There are currently 2 different types of strings supported by Lua, those of type ftypes.STRING, which is used for strings of a known, fixed length, and type ftypes.STRINGZ, which is a NULL (zero)-terminated string, so how you declare the fields will depend upon which of the 2 types they are.

Unfortunately, despite the documentation listing ftypes.UINT_STRING as a supported type, it isn't as can be seen in the source code for wslua_proto_field.c. This type of string is applicable when a length field precedes the string to indicate the length of the string in bytes. In any case, it isn't currently available for Lua-based dissectors.

So, as an example, let's suppose your protocol uses UDP/33333 as its transport and port number, and its 3 fields consist of each of the 3 types of strings described above, namely:

  • field1: a fixed-length string of 12 bytes.
  • field2: a NULL-terminated string of arbitrary length.
  • field3: a counted string preceded by a 2 byte length field in big-endian (network) byte order.

Given these assumptions, the following will dissect the packets:

-- Protocol
local p_basic = Proto("basic", "Basic Protocol")

-- Fields
local f_basic_field1 = ProtoField.string("basic.field1", "Field1")
local f_basic_field2 = ProtoField.stringz("basic.field2", "Field2")
local f_basic_field3 = ProtoField.string("basic.field3", "Field3")

p_basic.fields = { f_basic_field1, f_basic_field2, f_basic_field3 }

-- Dissection
function p_basic.dissector(buf, pinfo, tree)
    -- Subtree covering the whole payload
    local basic_tree = tree:add(p_basic, buf(0,-1))

    pinfo.cols.protocol:set("BASIC")

    -- field1: fixed-length 12-byte string at offset 0
    basic_tree:add(f_basic_field1, buf(0, 12))

    -- field2: NULL-terminated string starting at offset 12; the range includes the terminator
    local strz = buf(12):stringz()
    local field2_len = string.len(strz) + 1
    basic_tree:add(f_basic_field2, buf(12, field2_len))

    -- field3: 2-byte big-endian length field followed by that many bytes
    local field3_len = buf:range(12 + field2_len, 2):uint()
    basic_tree:add(f_basic_field3, buf(12 + field2_len + 2, field3_len))
end

-- Registration
local udp_table = DissectorTable.get("udp.port")
udp_table:add(33333, p_basic)

If you want to test this, first save the above Lua code to a file such as basic.lua in your personal plugins directory (found via Help -> About Wireshark -> Folders -> Personal Plugins). You can then use the following hex bytes to test it:

0000  00 0e b6 00 00 02 00 0e b6 00 00 01 08 00 45 00
0010  00 37 00 00 40 00 40 11 b5 ea c0 00 02 65 c0 00
0020  02 66 82 35 82 35 00 23 22 32 48 65 6c 6c 6f 20
0030  77 6f 72 6c 64 21 48 69 20 74 68 65 72 65 00 00
0040  04 42 79 65 21

Save these bytes into a text file, e.g., basic.txt. Start Wireshark and import the file via File -> Import from Hex Dump... -> Filename:basic.txt -> OK. You should see the 3 fields dissected as part of the "Basic Protocol".

For further help with Lua dissectors, you might want to refer to one or more of the following:

Upvotes: 3
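As an added example that is not part of the answer above (and not Wireshark Lua), the following Python script does two things that complement the dissector: it parses the same three string encodings (fixed-length, NUL-terminated, length-prefixed) with the bounds checks a dissector should make before trusting a length field, and it writes a classic pcap file carrying the same UDP/33333 packet as the hex dump, so you can open it in Wireshark and try the basic.field1 filter once basic.lua is installed. The sample payload, MAC and IP addresses and the port are taken from the hex dump; the UDP checksum is left at zero (permitted for UDP over IPv4, meaning "not computed") and the output file name basic.pcap is my choice.

```python
import struct

# Constructed sample: the 27-byte UDP payload carried by the hex dump in the answer above.
SAMPLE_PAYLOAD = (
    b"Hello world!"      # field1: fixed-length 12-byte string
    b"Hi there\x00"      # field2: NUL-terminated string
    b"\x00\x04Bye!"      # field3: 2-byte big-endian length, then the bytes
)
FIELD1_LEN = 12
BASIC_PORT = 33333  # UDP port the Lua dissector registers on


def parse_basic(payload: bytes) -> dict:
    """Parse one 'basic' message with the same offset arithmetic as the Lua
    dissector, but refuse truncated or inconsistent input instead of reading
    past the end of the buffer."""
    if len(payload) < FIELD1_LEN:
        raise ValueError("truncated: field1 needs %d bytes" % FIELD1_LEN)
    field1 = payload[:FIELD1_LEN]
    nul = payload.find(b"\x00", FIELD1_LEN)
    if nul < 0:
        raise ValueError("malformed: field2 has no NUL terminator")
    field2 = payload[FIELD1_LEN:nul]
    off = nul + 1
    if len(payload) < off + 2:
        raise ValueError("truncated: field3 length prefix missing")
    (field3_len,) = struct.unpack_from("!H", payload, off)
    off += 2
    if len(payload) - off < field3_len:
        raise ValueError("malformed: field3 length %d exceeds the %d bytes left"
                         % (field3_len, len(payload) - off))
    field3 = payload[off:off + field3_len]
    return {name: v.decode("ascii", errors="replace")
            for name, v in (("field1", field1), ("field2", field2), ("field3", field3))}


def validate_basic(payload: bytes) -> str:
    """Return 'ok' or the reason the payload was rejected (handy for scripted checks)."""
    try:
        parse_basic(payload)
        return "ok"
    except ValueError as exc:
        return str(exc)


def build_basic(field1: bytes, field2: bytes, field3: bytes) -> bytes:
    """Encode three strings in the wire layout the dissector expects."""
    if len(field1) != FIELD1_LEN:
        raise ValueError("field1 must be exactly %d bytes" % FIELD1_LEN)
    if b"\x00" in field2:
        raise ValueError("field2 cannot contain NUL (it is the terminator)")
    if len(field3) > 0xFFFF:
        raise ValueError("field3 longer than a 16-bit length can describe")
    return field1 + field2 + b"\x00" + struct.pack("!H", len(field3)) + field3


def ip_checksum(header: bytes) -> int:
    """RFC 791 one's-complement checksum over a 20-byte IPv4 header."""
    total = sum(struct.unpack("!10H", header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_frame(payload: bytes, port: int = BASIC_PORT) -> bytes:
    """Wrap payload in Ethernet/IPv4/UDP using the addresses from the hex dump.
    The UDP checksum is left at zero, which IPv4 UDP permits ("not computed")."""
    eth = bytes.fromhex("000eb6000002") + bytes.fromhex("000eb6000001") + b"\x08\x00"
    udp = struct.pack("!HHHH", port, port, 8 + len(payload), 0) + payload
    src, dst = bytes([192, 0, 2, 101]), bytes([192, 0, 2, 102])
    # version/IHL, TOS, total length, id, flags (DF), TTL 64, proto 17 (UDP), checksum, src, dst
    fields = [0x45, 0, 20 + len(udp), 0, 0x4000, 64, 17, 0, src, dst]
    fields[7] = ip_checksum(struct.pack("!BBHHHBBH4s4s", *fields))
    return eth + struct.pack("!BBHHHBBH4s4s", *fields) + udp


def write_pcap(path: str, frames: list) -> int:
    """Write frames to a classic pcap file (link type 1 = Ethernet); returns bytes written."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)  # global header
    for i, frame in enumerate(frames):
        # per-record header: ts_sec, ts_usec, captured length, original length
        out += struct.pack("<IIII", i, 0, len(frame), len(frame)) + frame
    with open(path, "wb") as fh:
        fh.write(out)
    return len(out)


if __name__ == "__main__":
    print(parse_basic(SAMPLE_PAYLOAD))
    # A packet whose length prefix claims more bytes than remain: the Lua dissector
    # would hit a range error on it, this parser reports the inconsistency explicitly.
    print(validate_basic(SAMPLE_PAYLOAD[:-2]))
    n = write_pcap("basic.pcap", [build_frame(SAMPLE_PAYLOAD),
                                  build_frame(build_basic(b"Twelve bytes", b"second", b""))])
    print("wrote basic.pcap (%d bytes); open it in Wireshark and filter on basic.field1" % n)
```

Open basic.pcap in Wireshark with basic.lua installed and the two packets should decode as "Basic Protocol"; a display filter such as basic.field1 == "Hello world!" then matches only the first one. The explicit length checks in parse_basic are the part worth carrying back into the Lua dissector: a length field that points past the end of the buffer is the usual way a hand-crafted packet makes a dissector throw.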
