User Guide

Chapter 11. Lua Support in Wireshark
11.1. Introduction
Wireshark has an embedded Lua interpreter. Lua is a powerful light-weight programming language
designed for extending applications. Lua is designed and implemented by a team at PUC-Rio, the Pontifical
Catholic University of Rio de Janeiro in Brazil. Lua was born and raised at Tecgraf, the Computer Graphics
Technology Group of PUC-Rio, and is now housed at Lua.org. Both Tecgraf and Lua.org are laboratories
of the Department of Computer Science.
In Wireshark, Lua can be used to write dissectors and taps.
Wireshark's Lua interpreter starts by loading init.lua, which is located in the global configuration directory
of Wireshark. Lua is enabled by default. To disable Lua, the variable disable_lua should be set to
true in init.lua.
After loading init.lua from the data directory, if Lua is enabled, Wireshark will try to load a file named
init.lua in the user's directory.
Wireshark will also load all files with a .lua suffix from both the global and the personal plugins directory.
The command line option -X lua_script:<file.lua> can be used to load Lua scripts as well.
The Lua code will be executed once, after all the protocol dissectors have been initialized and before
reading any file.
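Because every file named above runs with the privileges of the user who starts Wireshark, it is useful to know exactly which files those are. The following shell functions are an added example, not part of the Wireshark distribution: they list the files in the load sequence described above and pick out any that other local users could modify. The four directory arguments are supplied by the caller, and both the inclusion of plugin subdirectories and the assumption that nothing else loads once disable_lua is true are choices made for this example.

```shell
#!/bin/sh
# Added example (not Wireshark code). Directory arguments come from the
# caller; no installation paths are assumed.

# lua_disabled FILE: succeed if FILE sets disable_lua to true on an
# uncommented line (Lua comments start with "--").
lua_disabled() {
    [ -f "$1" ] || return 1
    grep -Eq '^[[:space:]]*disable_lua[[:space:]]*=[[:space:]]*true' "$1"
}

# lua_load_list GLOBAL_CONF USER_DIR GLOBAL_PLUGINS USER_PLUGINS
# Print, one per line, every Lua file Wireshark would execute at startup.
# Scripts given with -X lua_script: are not covered; they come from the
# command line, not from these directories.
lua_load_list() {
    if [ -f "$1/init.lua" ]; then
        printf '%s\n' "$1/init.lua"
    fi
    # The global init.lua can switch Lua off; this example assumes that
    # nothing further is loaded in that case.
    if lua_disabled "$1/init.lua"; then
        return 0
    fi
    if [ -f "$2/init.lua" ]; then
        printf '%s\n' "$2/init.lua"
    fi
    # Subdirectories are included so the audit lists more rather than less.
    for dir in "$3" "$4"; do
        if [ -d "$dir" ]; then
            find "$dir" -type f -name '*.lua' | sort
        fi
    done
}

# lua_world_writable (same arguments): the subset of lua_load_list that any
# local account can modify, and so could use to run code inside Wireshark.
lua_world_writable() {
    lua_load_list "$@" | while IFS= read -r path; do
        find "$path" -prune -perm -0002 -print
    done
}
```

An empty result from lua_world_writable means no listed file is writable by other users; the containing directories need the same check.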
11.2. Example of Dissector written in Lua
do
    -- Register the new protocol: short name "multi", description "MultiProto".
    local p_multi = Proto("multi","MultiProto");

    -- Value-string table: maps the protocol field's numeric value to a name.
    local vs_protos = {
        [2] = "mtp2",
        [3] = "mtp3",
        [4] = "alcap",
        [5] = "h248",
        [6] = "ranap",
        [7] = "rnsap",
        [8] = "nbap"
    }

    -- Header fields shown in the packet details tree.
    local f_proto = ProtoField.uint8("multi.protocol","Protocol",base.DEC,vs_protos)
    local f_dir = ProtoField.uint8("multi.direction","Direction",base.DEC,{ [1] = "incoming", [0] = "outgoing"})
    local f_text = ProtoField.string("multi.text","Text")

    p_multi.fields = { f_proto, f_dir, f_text }

    -- Handle to Wireshark's generic "data" dissector.
    local data_dis = Dissector.get("data")

    -- Handles to the existing dissectors, keyed by protocol number.
    local protos = {
        [2] = Dissector.get("mtp2"),
        [3] = Dissector.get("mtp3"),
        [4] = Dissector.get("alcap"),
        [5] = Dissector.get("h248"),
        [6] = Dissector.get("ranap"),
        [7] = Dissector.get("rnsap"),
        [8] = Dissector.get("nbap"),