How to get TCP stream number with listener?

Question

How to get TCP stream number with listener?

I am analyzing a very large PCAP containing many HTTP transactions, some of which interest me. I use tsharkwith Lua script to request all packages matching filter.

tshark -X lua_script:filter.lua -r some.pcap  -q

So far so good. However, I am looking specifically at the value of the TCP stream packet number, which goes by name tcp.streaminside Wireshark. Can you tell me what changes I need filter.luato print?

-- filter.lua
do
    local function init_listener()
        local tap = Listener.new("http","http contains someKeyValue && tcp.port eq 1234")
        function tap.reset()
        end
        function tap.packet(pinfo,tvb,ip)
            print("Found my packet ... now what?")
        end
        function tap.draw()
        end
    end
    init_listener()
end

Documentation of that pinfo, tvband ipis inappropriate.

+4

lua wireshark wireshark-dissector

Martin Cowie Mar 09 '17 at 12:54

source share

1 answer

Matt Champion · Accepted Answer · 2017-03-09T13:26:23+0000

TCP Field.

local tcp_stream = Field.new("tcp.stream").value

Field - . Field . Field , TCP . Field, FieldInfo, .

, filter.lua :

-- filter.lua
do
    local function init_listener()
        local get_tcp_stream = Field.new("tcp.stream")
        local tap = Listener.new("http","http contains someKeyValue && tcp.port eq 1234")
        function tap.reset()
        end
        function tap.packet(pinfo,tvb,ip)
            print(tostring(get_tcp_stream()))
        end
        function tap.draw()
        end
    end
    init_listener()
end

https://www.wireshark.org/docs/wsdg_html_chunked/lua_module_Field.html#lua_class_Field

How to get TCP stream number with listener?

More articles: