Chapter 10. Lua Support in Wireshark

Table of Contents

10.1. Introduction
10.2. Example of Dissector written in Lua
10.3. Example of Listener written in Lua

10.1. Introduction

Wireshark has an embedded Lua interpreter. Lua is a powerful light-weight programming language designed for extending applications. Lua is designed and implemented by a team at PUC-Rio, the Pontifical Catholic University of Rio de Janeiro in Brazil. Lua was born and raised at Tecgraf, the Computer Graphics Technology Group of PUC-Rio, and is now housed at Both Tecgraf and are laboratories of the Department of Computer Science.

In Wireshark Lua can be used to write dissectors, taps, and capture file readers and writers.

Wireshark’s Lua interpreter starts by loading a file named init.lua in Wireshark’s global configuration directory. It is enabled by default. To disable Lua the line variable enable_lua should be set to false in init.lua. Wireshark 2.6 and earlier enabled and disabled Lua using the variable disable_lua. It is still supported, but is deprecated and support may be removed in a future release. enable_lua takes precedence over disable_lua.

If Lua is enabled Wireshark will then try to load a file named init.lua in the user’s personal configuration directory. Wireshark will also load all files with a .lua suffix from both the global and the personal plugins directory.

The command line option -X lua_script:file.lua can be used to load Lua scripts as well.

The Lua code will be executed once after all the protocol dissectors have been initialized and before reading any file.

Lua 5.2 is the current supported version, future releases might use Lua 5.3.

Wireshark for Windows uses a modified Lua runtime (lua-unicode) in order to support Unicode (UTF-8) filesystem paths. This brings consistency with other platforms (for example, Linux and macOS).