13.9. Saving Capture Files

13.9. Saving Capture Files
Prev	Chapter 13. Wireshark’s Lua API Reference Manual	Next

The classes/functions defined in this module are for using a Dumper object to make Wireshark save a capture file to disk. Dumper represents Wireshark’s built-in file format writers (see the wtap_name_to_file_type_subtype function).

(The wtap_filetypes table is deprecated, and should only be used in code that must run on Wireshark 3.4.3 and earlier 3.4 releases or in Wireshark 3.2.11 and earlier 3.2.x releases.)

To have a Lua script create its own file format writer, see the chapter titled "Custom file format reading/writing".

13.9.1. Dumper

13.9.1.1. Dumper.new(filename, [filetype], [encap])

Creates a file to write packets. Dumper:new_for_current() will probably be a better choice, especially for file types other than pcapng.

Arguments

filename: The name of the capture file to be created.

filetype (optional): The type of the file to be created - a number returned by wtap_name_to_file_type_subtype(). Defaults to pcapng. (The wtap_filetypes table is deprecated, and should only be used in code that must run on Wireshark 3.4.3 and earlier 3.4.x releases or in Wireshark 3.2.11 and earlier 3.2.x releases.)

encap (optional): The encapsulation to be used in the file to be created - a number entry from the wtap_encaps table. Defaults to per-packet encapsulation for pcapng (which doesn’t have file-level encapsulation; this will create IDBs on demand as necessary) and Ethernet encapsulation for other file types.

Returns

The newly created Dumper object

13.9.1.2. dumper:close()

Closes a dumper.

Errors

Cannot operate on a closed dumper

13.9.1.3. dumper:flush()

Writes all unsaved data of a dumper to the disk.

13.9.1.4. dumper:dump(timestamp, pseudoheader, bytearray)

Dumps an arbitrary packet. Note: Dumper:dump_current() will fit best in most cases.

Arguments

timestamp: The absolute timestamp the packet will have.

pseudoheader: The PseudoHeader to use.

bytearray: The data to be saved

13.9.1.5. dumper:new_for_current([filetype])

Creates a capture file using the same encapsulation as the one of the current packet.

Arguments

filetype (optional): The file type. Defaults to pcapng.

Returns

The newly created Dumper Object

Errors

Cannot be used outside a tap or a dissector

13.9.1.6. dumper:dump_current()

Dumps the current packet as it is.

Errors

Cannot be used outside a tap or a dissector

13.9.1.7. dumper:__tostring()

Returns a short label of the form Dumper: file_type=<name> encap=<name> while open, or Dumper: (closed) once Dumper:close() has run. Like the read-only attributes above, this deliberately bypasses checkDumper so a closed dumper is still inspectable from the debugger’s Variables view.

Returns

The string.

13.9.1.8. dumper.is_open

Mode: Retrieve only.

True while the dumper is open, false once Dumper:close() has run.

13.9.1.9. dumper.file_type

Mode: Retrieve only.

The numeric wiretap file-type- subtype (as returned by wtap_name_to_file_type_subtype()), or nil if the dumper is closed.

13.9.1.10. dumper.file_type_name

Mode: Retrieve only.

Short wiretap name of the file type (e.g. "pcapng"), or nil if the dumper is closed.

13.9.1.11. dumper.file_type_description

Mode: Retrieve only.

Human-readable description of the file type (e.g. "Wireshark/… - pcapng"), or nil if the dumper is closed.

13.9.1.12. dumper.encap

Mode: Retrieve only.

The numeric WTAP_ENCAP_* chosen at open time, or nil if the dumper is closed.

13.9.1.13. dumper.encap_name

Mode: Retrieve only.

Short wiretap name of the encapsulation (e.g. "ETHERNET"), or nil if the dumper is closed.

13.9.1.14. dumper.encap_description

Mode: Retrieve only.

Human-readable description of the encapsulation (e.g. "Ethernet"), or nil if the dumper is closed.

13.9.2. PseudoHeader

A pseudoheader to be used to save captured frames.

13.9.2.1. PseudoHeader.none()

Creates a "no" pseudoheader.

Returns

A null pseudoheader

13.9.2.2. PseudoHeader.eth([fcslen])

Creates an ethernet pseudoheader.

Arguments

fcslen (optional): The fcs length

Returns

The ethernet pseudoheader

13.9.2.3. PseudoHeader.atm([aal], [vpi], [vci], [channel], [cells], [aal5u2u], [aal5len])

Creates an ATM pseudoheader.

Arguments

aal (optional): AAL number

vpi (optional): VPI

vci (optional): VCI

channel (optional): Channel

cells (optional): Number of cells in the PDU

aal5u2u (optional): AAL5 User to User indicator

aal5len (optional): AAL5 Len

Returns

The ATM pseudoheader

13.9.2.4. PseudoHeader.mtp2([sent], [annexa], [linknum])

Creates an MTP2 PseudoHeader.

Arguments

sent (optional): True if the packet is sent, False if received.

annexa (optional): True if annex A is used.

linknum (optional): Link Number.

Returns

The MTP2 pseudoheader

13.9.2.5. pseudoheader:__pairs()

Iterate over the variant-specific fields of the pseudoheader (for example fcs_len on Ethernet pseudoheaders or aal/vpi/vci on ATM ones). Nothing is yielded for PseudoHeader.none.

13.9.2.6. pseudoheader.type

Mode: Retrieve only.

The pseudoheader variant as the internal lua_pseudoheader_type enum value (integer). Use PseudoHeader.type_name for the short string form ("none", "eth", "atm", …).

13.9.2.7. pseudoheader.type_name

Mode: Retrieve only.

Short string identifying the variant: "none", "eth", "atm", "mtp2", etc.

Prev	Up	Next
13.8. Post-Dissection Packet Analysis	Home	13.10. Wtap Functions For Handling Capture File Types