Chapter 11. Lua Support in Wireshark

Table of Contents

11.1. Introduction
11.2. Example of Dissector written in Lua
11.3. Example of Listener written in Lua
11.4. Wireshark's Lua API Reference Manual
11.5. Saving capture files
11.5.1. Dumper
11.5.2. PseudoHeader
11.6. Obtaining dissection data
11.6.1. Field
11.6.2. FieldInfo
11.6.3. Global Functions
11.7. GUI support
11.7.1. ProgDlg
11.7.2. TextWindow
11.7.3. Global Functions
11.8. Post-dissection packet analysis
11.8.1. Listener
11.9. Obtaining packet information
11.9.1. Address
11.9.2. Column
11.9.3. Columns
11.9.4. NSTime
11.9.5. Pinfo
11.9.6. PrivateTable
11.10. Functions for new protocols and dissectors
11.10.1. Dissector
11.10.2. DissectorTable
11.10.3. Pref
11.10.4. Prefs
11.10.5. Proto
11.10.6. ProtoExpert
11.10.7. ProtoField
11.10.8. Global Functions
11.11. Adding information to the dissection tree
11.11.1. TreeItem
11.12. Functions for handling packet data
11.12.1. ByteArray
11.12.2. Tvb
11.12.3. TvbRange
11.13. Custom file format reading/writing
11.13.1. CaptureInfo
11.13.2. CaptureInfoConst
11.13.3. File
11.13.4. FileHandler
11.13.5. FrameInfo
11.13.6. FrameInfoConst
11.13.7. Global Functions
11.14. Directory handling functions
11.14.1. Dir
11.15. Utility Functions
11.15.1. Global Functions
11.16. Handling 64-bit Integers
11.16.1. Int64
11.16.2. UInt64
11.17. Binary encode/decode support
11.17.1. Struct
11.18. GLib Regular Expressions
11.18.1. GRegex

11.1. Introduction

Wireshark has an embedded Lua interpreter. Lua is a powerful light-weight programming language designed for extending applications. Lua is designed and implemented by a team at PUC-Rio, the Pontifical Catholic University of Rio de Janeiro in Brazil. Lua was born and raised at Tecgraf, the Computer Graphics Technology Group of PUC-Rio, and is now housed at Lua.org. Both Tecgraf and Lua.org are laboratories of the Department of Computer Science.

In Wireshark, Lua can be used to write dissectors, taps, and capture file readers and writers.

Wireshark's Lua interpreter starts by loading init.lua, which is located in the global configuration directory of Wireshark. Lua is enabled by default. To disable Lua, the variable disable_lua should be set to true in init.lua.

After loading init.lua from the data directory, if Lua is enabled, Wireshark will try to load a file named init.lua in the user's directory.

Wireshark will also load all files with a .lua suffix from both the global and the personal plugins directories.

The command line option -X lua_script:<file.lua> can be used to load Lua scripts as well.

The Lua code will be executed once, after all the protocol dissectors have been initialized and before reading any file.
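
Because every file in these locations runs automatically at startup, it is useful to inventory them. The following Python sketch is an added example, not part of Wireshark or its documentation: it lists the scripts in the load order described above with a SHA-256 hash for each. The four directory arguments are supplied by the caller, the function names are hypothetical, and both the recursive walk of the plugin directories and the treatment of disable_lua as stopping all further loading are assumptions.

```python
import hashlib
import os
import re

# Matches an uncommented assignment such as "disable_lua = true".
_DISABLE_RE = re.compile(r"^[ \t]*disable_lua[ \t]*=[ \t]*(true|false)\b", re.MULTILINE)


def lua_disabled(init_path):
    """Heuristic static read of init.lua: the last disable_lua assignment wins."""
    try:
        with open(init_path, encoding="utf-8", errors="replace") as fh:
            values = _DISABLE_RE.findall(fh.read())
    except OSError:
        return False  # no readable init.lua: Lua stays enabled by default
    return bool(values) and values[-1] == "true"


def sha256_of(path):
    with open(path, "rb") as fh:
        return hashlib.sha256(fh.read()).hexdigest()


def autoloaded_scripts(global_conf, user_conf, global_plugins, user_plugins):
    """Return [(stage, path, sha256)] in the load order described above."""
    found = []
    global_init = os.path.join(global_conf, "init.lua")
    if os.path.isfile(global_init):
        found.append(("global init.lua", global_init, sha256_of(global_init)))
    if lua_disabled(global_init):
        return found  # assumption: with Lua disabled nothing further is loaded
    user_init = os.path.join(user_conf, "init.lua")
    if os.path.isfile(user_init):
        found.append(("user init.lua", user_init, sha256_of(user_init)))
    for stage, root in (("global plugin", global_plugins), ("user plugin", user_plugins)):
        # Assumption: subdirectories are walked too, the conservative choice for an audit.
        for dirpath, _dirs, files in sorted(os.walk(root)):
            for name in sorted(files):
                if name.endswith(".lua"):
                    path = os.path.join(dirpath, name)
                    found.append((stage, path, sha256_of(path)))
    return found
```

Comparing the returned hashes against a known-good baseline shows when an auto-loaded script has been added or changed. Scripts passed with -X lua_script:<file.lua> are named on the command line and fall outside this inventory.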