Wireshark Developers Guide

For Wireshark 1.99

Ulf Lamping <ulf.lamping[AT]web.de>

Luis E. Ontanon <luis[AT]ontanon.org>
Graham Bloice <graham.bloice[AT]trihedral.com>

Wireshark Developers Guide: For Wireshark 1.99

by Ulf Lamping, Luis E. Ontanon, and Graham Bloice
Copyright 2004-2014 Ulf Lamping, Luis E. Garcia Ontanon, Graham Bloice
Permission is granted to copy, distribute and/or modify this document under the terms of the GNU General Public License, Version 2 or any
later version published by the Free Software Foundation.
All logos and trademarks in this document are property of their respective owners.

Preface ......................................................................................................................... x
1. Foreword .......................................................................................................... x
2. Who should read this document? .......................................................................... x
3. Acknowledgements ............................................................................................ x
4. About this document .......................................................................................... x
5. Where to get the latest copy of this document? ....................................................... xi
6. Providing feedback about this document ............................................................... xi
I. Wireshark Build Environment ....................................................................................... 1
1. Introduction ...................................................................................................... 2
1.1. Introduction ............................................................................................ 2
1.2. What is Wireshark? ................................................................................. 2
1.3. Supported Platforms ................................................................................. 2
1.3.1. Unix ........................................................................................... 2
1.3.2. Linux .......................................................................................... 2
1.3.3. Microsoft Windows ....................................................................... 3
1.4. Development and maintenance of Wireshark ................................................ 3
1.4.1. Programming languages used .......................................................... 3
1.4.2. Open Source Software ................................................................... 4
1.5. Releases and distributions ......................................................................... 4
1.5.1. Binary distributions ....................................................................... 4
1.5.2. Source code distributions ................................................................ 5
1.6. Automated Builds (Buildbot) ..................................................................... 5
1.6.1. Advantages .................................................................................. 5
1.6.2. What does the Buildbot do? ............................................................ 6
1.7. Reporting problems and getting help ........................................................... 6
1.7.1. Website ....................................................................................... 6
1.7.2. Wiki ........................................................................................... 6
1.7.3. FAQ ........................................................................................... 7
1.7.4. Other sources ............................................................................... 7
1.7.5. Mailing Lists ................................................................................ 7
1.7.6. Bug database (Bugzilla) ................................................................. 8
1.7.7. Q&A Site .................................................................................... 8
1.7.8. Reporting Problems ....................................................................... 8
1.7.9. Reporting Crashes on UNIX/Linux platforms ..................................... 9
1.7.10. Reporting Crashes on Windows platforms ........................................ 9
2. Quick Setup .................................................................................................... 10
2.1. UNIX: Installation ................................................................................. 10
2.2. Win32/64: Step-by-Step Guide ................................................................. 10
2.2.1. Install Microsoft C compiler and SDK ............................................ 10
2.2.2. Install Qt ................................................................................... 11
2.2.3. Install Cygwin ............................................................................ 11
2.2.4. Install PowerShell ....................................................................... 12
2.2.5. Optional: Install Chocolatey .......................................................... 12
2.2.6. Install Python ............................................................................. 12
2.2.7. Install Git .................................................................................. 12
2.2.8. Install and Prepare Sources ........................................................... 13
2.2.9. Open a Visual Studio Command Prompt .......................................... 13
2.2.10. Verify installed tools .................................................................. 14
2.2.11. Install Libraries ......................................................................... 15
2.2.12. Build Wireshark ........................................................................ 15
2.2.13. Debug Environment Setup ........................................................... 16
2.2.14. Optional: Create Users and Developers Guide ............................... 16
2.2.15. Optional: Create a Wireshark Installer ........................................... 16
3. Work with the Wireshark sources ........................................................................ 17
3.1. Introduction .......................................................................................... 17
3.2. The Wireshark Git repository ................................................................... 17
3.2.1. The web interface to the Git repository ............................................ 17
3.3. Obtain the Wireshark sources ................................................................... 18

iii

Wireshark Developers Guide

3.3.1. Git over SSH or HTTPS ............................................................... 18

3.3.2. Git web interface ......................................................................... 19
3.3.3. Buildbot Snapshots ...................................................................... 19
3.3.4. Released sources ......................................................................... 20
3.4. Update the Wireshark sources .................................................................. 20
3.4.1. Update Using Git ........................................................................ 20
3.4.2. Update Using Source Archives ...................................................... 20
3.5. Build Wireshark .................................................................................... 21
3.5.1. Building on Unix ........................................................................ 21
3.5.2. Win32 native .............................................................................. 21
3.6. Run generated Wireshark ........................................................................ 22
3.6.1. Unix/Linux ................................................................................. 22
3.6.2. Win32 native .............................................................................. 22
3.7. Debug your generated Wireshark .............................................................. 22
3.7.1. Unix/Linux ................................................................................. 22
3.7.2. Win32 native .............................................................................. 23
3.8. Make changes to the Wireshark sources ..................................................... 23
3.9. Contribute your changes ......................................................................... 23
3.9.1. Some tips for a good patch ........................................................... 24
3.9.2. Code Requirements ...................................................................... 24
3.9.3. Uploading your changes ............................................................... 25
3.9.4. Backporting a change ................................................................... 25
3.10. Apply a patch from someone else ........................................................... 26
3.10.1. Using patch .............................................................................. 26
3.11. Binary packaging ................................................................................. 26
3.11.1. Debian: .deb packages ................................................................ 26
3.11.2. Red Hat: .rpm packages .............................................................. 27
3.11.3. MAC OS X: .dmg packages ......................................................... 27
3.11.4. Win32: NSIS .exe installer .......................................................... 27
3.11.5. Win32: PortableApps .paf.exe package .......................................... 28
4. Tool Reference ................................................................................................ 29
4.1. Introduction .......................................................................................... 29
4.2. Windows PowerShell .............................................................................. 29
4.3. Chocolatey ............................................................................................ 29
4.4. Windows: Cygwin ................................................................................. 30
4.4.1. Add/Update/Remove Cygwin Packages ........................................... 30
4.5. GNU compiler toolchain (UNIX only) ....................................................... 31
4.5.1. gcc (GNU compiler collection) ...................................................... 31
4.5.2. gdb (GNU project debugger) ......................................................... 31
4.5.3. ddd (GNU Data Display Debugger) ................................................ 31
4.5.4. make (GNU Make) ...................................................................... 32
4.6. Microsoft compiler toolchain (Windows native) .......................................... 32
4.6.1. Toolchain Package Alternatives ..................................................... 32
4.6.2. cl.exe (C Compiler) ..................................................................... 33
4.6.3. nmake.exe (Make) ....................................................................... 34
4.6.4. link.exe (Linker) ......................................................................... 34
4.6.5. C-Runtime "Redistributable" Files .................................................. 34
4.6.6. Windows (Platform) SDK ............................................................. 35
4.6.7. HTML Help ............................................................................... 36
4.6.8. Debugger ................................................................................... 36
4.7. bash ..................................................................................................... 37
4.7.1. UNIX and Cygwin: GNU bash ...................................................... 37
4.7.2. Windows native: ......................................................................... 37
4.8. Python ................................................................................................. 37
4.9. Perl ..................................................................................................... 38
4.9.1. UNIX and Cygwin: Perl ............................................................... 38
4.9.2. Windows native: Perl ................................................................... 38
4.10. sed ..................................................................................................... 39

iv

Wireshark Developers Guide

4.10.1. UNIX and Cygwin: sed .............................................................. 39

4.10.2. Windows native: sed .................................................................. 39
4.11. Bison ................................................................................................. 39
4.11.1. UNIX or Cygwin: bison .............................................................. 39
4.11.2. Windows Native: Win flex-bison and bison .................................... 39
4.12. Flex ................................................................................................... 40
4.12.1. UNIX or Cygwin: flex ................................................................ 40
4.12.2. Windows Native: Win flex-bison and flex ...................................... 40
4.13. Git client ............................................................................................ 40
4.13.1. UNIX or Cygwin: git ................................................................. 40
4.13.2. Windows native: git ................................................................... 41
4.14. Git Powershell Extensions (optional) ....................................................... 41
4.15. Git GUI client (optional) ....................................................................... 41
4.16. patch (optional) .................................................................................... 41
4.16.1. UNIX and Cygwin: patch ............................................................ 41
4.16.2. Windows native: patch ............................................................... 42
4.17. Windows: GNU wget (optional) ............................................................. 42
4.18. Windows: GNU unzip (optional) ............................................................. 42
4.19. Windows: NSIS (optional) ..................................................................... 42
4.20. Windows: PortableApps (optional) .......................................................... 43
5. Library Reference ............................................................................................. 44
5.1. Introduction .......................................................................................... 44
5.2. Binary library formats ............................................................................ 44
5.2.1. Unix .......................................................................................... 44
5.2.2. Win32: MSVC ............................................................................ 44
5.2.3. Win32: cygwin gcc ...................................................................... 44
5.3. Win32: Automated library download ......................................................... 44
5.3.1. Initial download .......................................................................... 44
5.3.2. Update of a previous download ...................................................... 45
5.4. GTK+ / GLib / GDK / Pango / ATK / GNU gettext / GNU libiconv ................. 45
5.4.1. Unix .......................................................................................... 46
5.4.2. Win32 MSVC ............................................................................. 46
5.5. SMI (optional) ....................................................................................... 46
5.5.1. Unix .......................................................................................... 46
5.5.2. Win32 MSVC ............................................................................. 46
5.6. c-ares (optional) ..................................................................................... 46
5.6.1. Unix .......................................................................................... 46
5.6.2. Win32 MSVC ............................................................................. 46
5.7. zlib (optional) ....................................................................................... 46
5.7.1. Unix .......................................................................................... 46
5.7.2. Win32 MSVC ............................................................................. 47
5.8. libpcap/WinPcap (optional) ...................................................................... 47
5.8.1. Unix: libpcap .............................................................................. 47
5.8.2. Win32 MSVC: WinPcap ............................................................... 47
5.9. GnuTLS (optional) ................................................................................. 47
5.9.1. Unix .......................................................................................... 47
5.9.2. Win32 MSVC ............................................................................. 47
5.10. Gcrypt (optional) .................................................................................. 47
5.10.1. Unix ........................................................................................ 47
5.10.2. Win32 MSVC ........................................................................... 47
5.11. Kerberos (optional) ............................................................................... 47
5.11.1. Unix ........................................................................................ 48
5.11.2. Win32 MSVC ........................................................................... 48
5.12. LUA (optional) .................................................................................... 48
5.12.1. Unix ........................................................................................ 48
5.12.2. Win32 MSVC ........................................................................... 48
5.13. PortAudio (optional) ............................................................................. 48
5.13.1. Unix ........................................................................................ 48

Wireshark Developers Guide

5.13.2. Win32 MSVC ........................................................................... 48

5.14. GeoIP (optional) .................................................................................. 48
5.14.1. Unix ........................................................................................ 48
5.14.2. Win32 MSVC ........................................................................... 48
II. Wireshark Development ............................................................................................ 49
6. How Wireshark Works ...................................................................................... 50
6.1. Introduction .......................................................................................... 50
6.2. Overview .............................................................................................. 50
6.3. Capturing packets .................................................................................. 51
6.4. Capture Files ......................................................................................... 51
6.5. Dissect packets ...................................................................................... 51
7. Introduction ..................................................................................................... 52
7.1. Source overview .................................................................................... 52
7.2. Coding Style ......................................................................................... 52
7.3. The GLib library ................................................................................... 52
8. Packet capturing ............................................................................................... 53
8.1. How to add a new capture type to libpcap .................................................. 53
9. Packet dissection .............................................................................................. 54
9.1. How it works ........................................................................................ 54
9.2. Adding a basic dissector ......................................................................... 54
9.2.1. Setting up the dissector ................................................................ 54
9.2.2. Dissecting the details of the protocol ............................................... 56
9.2.3. Improving the dissection information .............................................. 59
9.3. How to handle transformed data ............................................................... 61
9.4. How to reassemble split packets ............................................................... 62
9.4.1. How to reassemble split UDP packets ............................................. 62
9.4.2. How to reassemble split TCP Packets ............................................. 65
9.5. How to tap protocols .............................................................................. 66
9.6. How to produce protocol stats .................................................................. 67
9.7. How to use conversations ........................................................................ 68
9.8. idl2wrs: Creating dissectors from CORBA IDL files .................................... 68
9.8.1. What is it? ................................................................................. 68
9.8.2. Why do this? .............................................................................. 69
9.8.3. How to use idl2wrs ..................................................................... 69
9.8.4. TODO ....................................................................................... 70
9.8.5. Limitations ................................................................................. 70
9.8.6. Notes ........................................................................................ 70
10. Lua Support in Wireshark ................................................................................ 71
10.1. Introduction ......................................................................................... 71
10.2. Example of Dissector written in Lua ........................................................ 71
10.3. Example of Listener written in Lua ......................................................... 72
10.4. Wiresharks Lua API Reference Manual ................................................... 73
10.5. Saving capture files .............................................................................. 73
10.5.1. Dumper .................................................................................... 73
10.5.2. PseudoHeader ........................................................................... 74
10.6. Obtaining dissection data ....................................................................... 75
10.6.1. Field ........................................................................................ 75
10.6.2. FieldInfo .................................................................................. 76
10.6.3. fieldinfo.len .............................................................................. 77
10.6.4. fieldinfo.offset ........................................................................... 77
10.6.5. fieldinfo.value ........................................................................... 77
10.6.6. fieldinfo.label ............................................................................ 77
10.6.7. fieldinfo.display ......................................................................... 78
10.6.8. fieldinfo.range ........................................................................... 78
10.6.9. fieldinfo.generated ..................................................................... 78
10.6.10. fieldinfo.name ......................................................................... 78
10.6.11. Global Functions ...................................................................... 78
10.7. GUI support ........................................................................................ 78

vi

Wireshark Developers Guide

10.7.1. ProgDlg ................................................................................... 78

10.7.2. TextWindow ............................................................................. 79
10.7.3. Global Functions ....................................................................... 82
10.8. Post-dissection packet analysis ............................................................... 84
10.8.1. Listener .................................................................................... 84
10.8.2. listener.packet ........................................................................... 85
10.8.3. listener.draw ............................................................................. 85
10.8.4. listener.reset .............................................................................. 85
10.9. Obtaining packet information ................................................................. 85
10.9.1. Address .................................................................................... 85
10.9.2. Column .................................................................................... 86
10.9.3. Columns ................................................................................... 87
10.9.4. NSTime ................................................................................... 87
10.9.5. nstime.secs ............................................................................... 88
10.9.6. nstime.nsecs .............................................................................. 88
10.9.7. Pinfo ....................................................................................... 89
10.9.8. pinfo.visited .............................................................................. 89
10.9.9. pinfo.number ............................................................................. 89
10.9.10. pinfo.len ................................................................................. 89
10.9.11. pinfo.caplen ............................................................................ 89
10.9.12. pinfo.abs_ts ............................................................................. 89
10.9.13. pinfo.rel_ts .............................................................................. 89
10.9.14. pinfo.delta_ts ........................................................................... 89
10.9.15. pinfo.delta_dis_ts ..................................................................... 89
10.9.16. pinfo.circuit_id ........................................................................ 89
10.9.17. pinfo.curr_proto ....................................................................... 90
10.9.18. pinfo.can_desegment ................................................................. 90
10.9.19. pinfo.desegment_len ................................................................. 90
10.9.20. pinfo.desegment_offset .............................................................. 90
10.9.21. pinfo.fragmented ...................................................................... 90
10.9.22. pinfo.in_error_pkt .................................................................... 90
10.9.23. pinfo.match_uint ...................................................................... 90
10.9.24. pinfo.match_string .................................................................... 90
10.9.25. pinfo.port_type ........................................................................ 90
10.9.26. pinfo.src_port .......................................................................... 91
10.9.27. pinfo.dst_port .......................................................................... 91
10.9.28. pinfo.dl_src ............................................................................. 91
10.9.29. pinfo.dl_dst ............................................................................. 91
10.9.30. pinfo.net_src ........................................................................... 91
10.9.31. pinfo.net_dst ........................................................................... 91
10.9.32. pinfo.src ................................................................................. 91
10.9.33. pinfo.dst ................................................................................. 91
10.9.34. pinfo.match ............................................................................. 91
10.9.35. pinfo.columns .......................................................................... 91
10.9.36. pinfo.cols ................................................................................ 92
10.9.37. pinfo.private ............................................................................ 92
10.9.38. pinfo.hi .................................................................................. 92
10.9.39. pinfo.lo .................................................................................. 92
10.9.40. pinfo.conversation .................................................................... 92
10.9.41. PrivateTable ............................................................................ 92
10.10. Functions for new protocols and dissectors .............................................. 92
10.10.1. Dissector ................................................................................ 93
10.10.2. DissectorTable ......................................................................... 94
10.10.3. Pref ....................................................................................... 96
10.10.4. Prefs ...................................................................................... 98
10.10.5. Proto ...................................................................................... 98
10.10.6. proto.dissector ......................................................................... 99
10.10.7. proto.prefs ............................................................................. 100

vii

Wireshark Developers Guide

10.10.8. proto.prefs_changed ................................................................

10.10.9. proto.init ...............................................................................
10.10.10. proto.name ...........................................................................
10.10.11. proto.description ...................................................................
10.10.12. proto.fields ..........................................................................
10.10.13. proto.experts ........................................................................
10.10.14. ProtoExpert ..........................................................................
10.10.15. ProtoField ............................................................................
10.10.16. Global Functions ..................................................................
10.11. Adding information to the dissection tree ..............................................
10.11.1. TreeItem ...............................................................................
10.12. Functions for handling packet data .......................................................
10.12.1. ByteArray .............................................................................
10.12.2. Tvb ......................................................................................
10.12.3. TvbRange .............................................................................
10.13. Custom file format reading/writing .......................................................
10.13.1. CaptureInfo ...........................................................................
10.13.2. captureinfo.encap ....................................................................
10.13.3. captureinfo.time_precision ........................................................
10.13.4. captureinfo.snapshot_length ......................................................
10.13.5. captureinfo.comment ...............................................................
10.13.6. captureinfo.hardware ...............................................................
10.13.7. captureinfo.os ........................................................................
10.13.8. captureinfo.user_app ...............................................................
10.13.9. captureinfo.hosts ....................................................................
10.13.10. captureinfo.private_table ........................................................
10.13.11. CaptureInfoConst ..................................................................
10.13.12. captureinfoconst.type .............................................................
10.13.13. captureinfoconst.snapshot_length .............................................
10.13.14. captureinfoconst.encap ...........................................................
10.13.15. captureinfoconst.comment ......................................................
10.13.16. captureinfoconst.hardware ......................................................
10.13.17. captureinfoconst.os ................................................................
10.13.18. captureinfoconst.user_app .......................................................
10.13.19. captureinfoconst.hosts ............................................................
10.13.20. captureinfoconst.private_table .................................................
10.13.21. File ....................................................................................
10.13.22. file.compressed .....................................................................
10.13.23. FileHandler ..........................................................................
10.13.24. filehandler.read_open .............................................................
10.13.25. filehandler.read .....................................................................
10.13.26. filehandler.seek_read .............................................................
10.13.27. filehandler.read_close ............................................................
10.13.28. filehandler.seq_read_close ......................................................
10.13.29. filehandler.can_write_encap ....................................................
10.13.30. filehandler.write_open ...........................................................
10.13.31. filehandler.write ....................................................................
10.13.32. filehandler.write_close ...........................................................
10.13.33. filehandler.type .....................................................................
10.13.34. filehandler.extensions ............................................................
10.13.35. filehandler.writing_must_seek .................................................
10.13.36. filehandler.writes_name_resolution ..........................................
10.13.37. filehandler.supported_comment_types .......................................
10.13.38. FrameInfo ............................................................................
10.13.39. frameinfo.time ......................................................................
10.13.40. frameinfo.data ......................................................................
10.13.41. frameinfo.rec_type ................................................................
10.13.42. frameinfo.flags .....................................................................

viii

100
100
100
100
100
100
100
101
111
111
111
116
116
119
120
126
126
126
126
126
127
127
127
127
127
127
128
128
128
128
128
129
129
129
129
129
129
131
131
131
132
132
132
133
133
133
134
134
134
134
134
135
135
135
135
136
136
136

Wireshark Developers Guide

10.13.43. frameinfo.captured_length ......................................................

10.13.44. frameinfo.original_length .......................................................
10.13.45. frameinfo.encap ....................................................................
10.13.46. frameinfo.comment ...............................................................
10.13.47. FrameInfoConst ....................................................................
10.13.48. frameinfoconst.time ...............................................................
10.13.49. frameinfoconst.data ...............................................................
10.13.50. frameinfoconst.rec_type .........................................................
10.13.51. frameinfoconst.flags ..............................................................
10.13.52. frameinfoconst.captured_length ...............................................
10.13.53. frameinfoconst.original_length ................................................
10.13.54. frameinfoconst.encap .............................................................
10.13.55. frameinfoconst.comment ........................................................
10.13.56. Global Functions ..................................................................
10.14. Directory handling functions ...............................................................
10.14.1. Dir .......................................................................................
10.15. Utility Functions ...............................................................................
10.15.1. Global Functions ....................................................................
10.16. Handling 64-bit Integers .....................................................................
10.16.1. Int64 ....................................................................................
10.16.2. UInt64 ..................................................................................
10.17. Binary encode/decode support .............................................................
10.17.1. Struct ...................................................................................
10.18. GLib Regular Expressions ..................................................................
10.18.1. GRegex ................................................................................
11. User Interface ...............................................................................................
11.1. Introduction .......................................................................................
11.2. The GTK library ................................................................................
11.2.1. GTK Version 2.x .....................................................................
11.2.2. GTK Version 3.x .....................................................................
11.2.3. Compatibility GTK versions ......................................................
11.2.4. GTK resources on the web ........................................................
11.3. GUI Reference documents ...................................................................
11.4. Adding/Extending Dialogs ...................................................................
11.5. Widget naming ..................................................................................
11.6. Common GTK programming pitfalls ......................................................
11.6.1. Usage of gtk_widget_show() / gtk_widget_show_all() .....................
12. This Documents License (GPL) ......................................................................

ix

136
136
136
136
137
137
137
137
137
138
138
138
138
138
138
138
141
141
143
143
149
155
156
158
159
165
165
165
165
166
166
166
166
167
167
167
167
168

Preface
1. Foreword
This book tries to give you a guide to start your own experiments into the wonderful world of
Wireshark development.
Developers who are new to Wireshark often have a hard time getting their development environment
up and running. This is especially true for Win32 developers, as a lot of the tools and methods used
when building Wireshark are much more common in the UNIX world than on Win32.
The first part of this book will describe how to set up the environment needed to develop Wireshark.
The second part of this book will describe how to change the Wireshark source code.
We hope that you find this book useful, and look forward to your comments.

2. Who should read this document?

The intended audience of this book is anyone going into the development of Wireshark.
This book is not intended to explain the usage of Wireshark in general. Please refer the Wireshark
Users Guide about Wireshark usage.
By reading this book, you will learn how to develop Wireshark. It will hopefully guide you around
some common problems that frequently appear for new (and sometimes even advanced) developers
of Wireshark.

3. Acknowledgements
The authors would like to thank the whole Wireshark team for their assistance. In particular, the authors
would like to thank:
Gerald Combs, for initiating the Wireshark project.
Guy Harris, for many helpful hints and his effort in maintaining the various contributions on the
mailing lists.
Frank Singleton from whose README.idl2wrs Section 9.8, idl2wrs: Creating dissectors from
CORBA IDL files is derived.
The authors would also like to thank the following people for their helpful feedback on this document:
XXX - Please give feedback :-)
And of course a big thank you to the many, many contributors of the Wireshark development
community!

4. About this document

This book was developed by Ulf Lamping and updated for VS2013 by Graham Bloice
It is written in AsciiDoc.
You will find some specially marked parts in this book:

Preface

This is a warning
You should pay attention to a warning, as otherwise data loss might occur.

This is a note
A note will point you to common mistakes and things that might not be obvious.

This is a tip
Tips will be helpful for your everyday work developing Wireshark.

5. Where to get the latest copy of this

document?
The latest copy of this documentation can always be found at: https://www.wireshark.org/docs/ in A4
PDF, US letter PDF, single HTML, and chunked HTML.

6. Providing feedback about this document

Should you have any feedback about this document, please send it to the authors through wiresharkdev[AT]wireshark.org.

xi

Part I. Wireshark Build Environment

Wireshark Build Environment
The first part describes how to set up the tools, libraries and source needed to generate Wireshark and how to do
some typical development tasks.

Chapter 1. Introduction
1.1. Introduction
This chapter will provide you with information about Wireshark development in general.

1.2. What is Wireshark?

Well, if you want to start Wireshark development, you might already know what Wireshark is doing. If
not, please have a look at the Wireshark Users Guide, which will provide a lot of general information
about it.

1.3. Supported Platforms

Wireshark currently runs on most UNIX platforms and various Windows platforms. It requires GTK
+, GLib, libpcap and some other libraries in order to run.
As Wireshark is developed in a platform independent way and uses libraries (such as the GTK+ GUI
library) which are available for a lot of different platforms, its thus available on a wide variety of
platforms.
If a binary package is not available for your platform, you should download the source and try to build
it. Please report your experiences to wireshark-dev[AT]wireshark.org.
Binary packages are available for at least the following platforms:

1.3.1. Unix
Apple Mac OS X
BeOS
FreeBSD
HP-UX
IBM AIX
NetBSD
OpenBSD
SCO UnixWare/OpenUnix
SGI Irix
Sun Solaris/Intel
Sun Solaris/Sparc
Tru64 UNIX (formerly Digital UNIX)

1.3.2. Linux
Debian GNU/Linux
Ubuntu

Introduction

Gentoo Linux
IBM S/390 Linux (Red Hat)
Mandrake Linux
PLD Linux
Red Hat Linux
Rock Linux
Slackware Linux
Suse Linux

1.3.3. Microsoft Windows

Thanks to the Win32 API, development on all Windows platforms will be done in a very similar
way. All Windows platforms referred to as Win32, Win or Windows may be used with the same
meaning. Older Windows versions are no longer supported by Wireshark. As Windows CE differs a
lot compared to the other Windows platforms mentioned, Wireshark will not run on Windows CE and
there are no plans to support it.
Also the 64 bit Windows version are now supported by Wireshark. Although not all libraries are made
64 bit ready yet, basic operations are all available.
Windows 8.1 / Windows Server 2012 R2
Windows 8 / Windows Server 2012
Windows 7 / Windows Server 2008 R2
Windows Vista / Windows Server 2008
Windows XP / Windows Server 2003

1.4. Development and maintenance of

Wireshark
Wireshark was initially developed by Gerald Combs. Ongoing development and maintenance of
Wireshark is handled by the Wireshark core developers, a loose group of individuals who fix bugs
and provide new functionality.
There have also been a large number of people who have contributed protocol dissectors and other
improvements to Wireshark, and it is expected that this will continue. You can find a list of the people
who have contributed code to Wireshark by checking the About dialog box of Wireshark, or have a
look at the https://www.wireshark.org/about.html#authors page on the Wireshark web site.
The communication between the developers is usually done through the developer mailing list, which
can be joined by anyone interested in the development activities. At the time this document was
written, more than 500 persons were subscribed to this mailing list!
It is strongly recommended to join the developer mailing list, if you are going to do any Wireshark
development. See Section 1.7.5, Mailing Lists about the different Wireshark mailing lists available.

1.4.1. Programming languages used

Most of Wireshark is implemented in plain ANSI C. A notable exception is the code in ui/qt, which
is written in C++.

Introduction

The typical task for a new Wireshark developer is to extend an existing, or write a new dissector for a
specific network protocol. As (almost) any dissector is written in plain old ANSI C, a good knowledge
about ANSI C will be sufficient for Wireshark development in almost any case.
So unless you are going to change the build process of Wireshark itself, you wont come in touch with
any other programming language than ANSI C (such as Perl or Python, which are used only in the
Wireshark build process).
Beside the usual tools for developing a program in C (compiler, make, ), the build process uses some
additional helper tools (Perl, Python, Sed, ), which are needed for the build process when Wireshark
is to be build and installed from the released source packages. If Wireshark is installed from a binary
package, none of these helper tools are needed on the target system.

1.4.2. Open Source Software

Wireshark is an open source software (OSS) project, and is released under the GNU General Public
License (GPL). You can freely use Wireshark on any number of computers you like, without worrying
about license keys or fees or such. In addition, all source code is freely available under the GPL.
Because of that, it is very easy for people to add new protocols to Wireshark, either as plugins, or built
into the source, and they often do!
You are welcome to modify Wireshark to suit your own needs, and it would be appreciated if you
contribute your improvements back to the Wireshark community.
You gain three benefits by contributing your improvements back to the community:
Other people who find your contributions useful will appreciate them, and you will know that you
have helped people in the same way that the developers of Wireshark have helped you and other
people.
The developers of Wireshark might improve your changes even more, as theres always room for
improvement. Or they may implement some advanced things on top of your code, which can be
useful for yourself too.
The maintainers and developers of Wireshark will maintain your code as well, fixing it when API
changes or other changes are made, and generally keeping it in tune with what is happening with
Wireshark. So if Wireshark is updated (which is done often), you can get a new Wireshark version
from the website and your changes will already be included without any effort for you.
The Wireshark source code and binary packages for some platforms are all available on the download
page of the Wireshark website: https://www.wireshark.org/download.html.

1.5. Releases and distributions

The officially released files can be found at: https://www.wireshark.org/download.html. A new
Wireshark version is released after significant changes compared to the last release are completed or a
serious security issue is encountered. The typical release schedule is about every 4-8 weeks (although
this may vary).
There are two kinds of distributions: binary and source; both have their advantages and disadvantages.

1.5.1. Binary distributions

Binary distributions are usually easy to install (as simply starting the appropriate file is usually the
only thing to do). They are available for the following systems:
Windows (.exe file). The typical Windows end user is used to get a setup.exe file which will install
all the required things for him.

Introduction

Win32 PAF (.paf.exe file). Another Windows end user method is to get a portable application file
which will install all the required things for him.
Debian (.deb file). A user of a Debian Package Manager (DPKG) based system obtains a .deb file
from which the package manager checks the dependencies and installs the software.
Red Hat (.rpm file). A user of a Red Hat Package Manager (RPM) based system obtains an .rpm
file from which the package manager checks the dependencies and installs the software.
MAC OS X (.dmg file). The typical MAC OS X end user is used to get a .dmg file which will install
all the required things for him. The other requirement is to have the X11.app installed.
Solaris. A Solaris user obtains a file from which the package manager (PKG) checks the
dependencies and installs the software.
However, if you want to start developing with Wireshark, the binary distributions wont be too helpful,
as you need the source files, of course.
For details about how to build these binary distributions yourself, e.g. if you need a distribution for a
special audience, see Section 3.11, Binary packaging.

1.5.2. Source code distributions

Its still common for UNIX developers to give the end user a source tarball and let the user compile
it on their target machine (configure, make, make install). However, for different UNIX (Linux)
distributions its becoming more common to release binary packages (e.g. .deb or .rpm files) these
days.
You should use the released sources if you want to build Wireshark from source on your platform for
productive use. However, if you going to develop changes to the Wireshark sources, it might be better
to use the latest GIT sources. For details about the different ways to get the Wireshark source code
see Section 3.3, Obtain the Wireshark sources.
Before building Wireshark from a source distribution, make sure you have all the tools and libraries
required to build. The following chapters will describe the required tools and libraries in detail.

1.6. Automated Builds (Buildbot)

The Wireshark Buildbot automatically rebuilds Wireshark on every change of the source code
repository and indicates problematic changes. This frees the developers from repeating (and annoying)
work, so time can be spent on more interesting tasks.

1.6.1. Advantages
Recognizing (cross platform) build problems - early. Compilation problems can be narrowed down
to a few commits, making a fix much easier.
"Health status" overview of the sources. A quick look at: http://buildbot.wireshark.org/trunk/ gives
a good "feeling" if the sources are currently "well". On the other hand, if all is "red", an update of
a personal source tree might better be done later
"Up to date" binary packages are available. After a change was committed to the repository, a binary
package / installer is usually available within a few hours at: https://www.wireshark.org/download/
automated/. This can be quite helpful, e.g. a bug reporter can easily verify a bugfix by installing
a recent build.
Automated regression tests. In particular, the fuzz tests often indicate "real life" problems that are
otherwise hard to find.

Introduction

1.6.2. What does the Buildbot do?

The Buildbot will do the following (to a different degree on the different platforms):
Check out from the source repository
Build
Create binary packages and installers
Create source packages and run distribution checks
Run regression tests
Each step is represented at the status page by a rectangle, green if it succeeded or red if it failed. Most
steps provide a link to the corresponding console logfile, to get additional information.
The Buildbot runs on a platform collection that represents the different "platform specialties" quite
well:
Windows 8.1 x86 (Win32, little endian, Visual Studion 2013)
Windows 7 x86-64 (Win64, little endian, VS 2013)
Ubuntu x86-64 (Linux, little endian, gcc)
Solaris SPARC (Solaris, big endian, gcc)
Mac OS-X PPC (BSD, big endian, gcc)
Mac OS-X x86 (BSD, little endian, Clang)
Mac OS-X x86-64 (BSD, little endian, Clang)
and two buildslaves that run static code analysis to help spot coding issues:
Visual Studio Code Analysis (Win64, little endian, VS 2013)
Clang Code Analysis (Linux, little endian, Clang)
Each platform is represented at the status page by a single column, the most recent entries are at the top.

1.7. Reporting problems and getting help

If you have problems, or need help with Wireshark, there are several places that may be of interest
to you (well, beside this guide of course).

1.7.1. Website
You will find lots of useful information on the Wireshark homepage at https://www.wireshark.org/.

1.7.2. Wiki
The Wireshark Wiki at http://wiki.wireshark.org/ provides a wide range of information related to
Wireshark and packet capturing in general. You will find a lot of information not part of this
developers guide. For example, there is an explanation how to capture on a switched network, an
ongoing effort to build a protocol reference and a lot more.
And best of all, if you would like to contribute your knowledge on a specific topic (maybe a network
protocol you know well), you can edit the wiki pages by simply using your webbrowser.

Introduction

1.7.3. FAQ
The "Frequently Asked Questions" will list often asked questions and the corresponding answers.
Before sending any mail to the mailing lists below, be sure to read the FAQ, as it will often answer
any questions you might have. This will save yourself and others a lot of time. Keep in mind that a
lot of people are subscribed to the mailing lists.
You will find the FAQ inside Wireshark by clicking the menu item Help/Contents and selecting the
FAQ page in the upcoming dialog.
An online version is available at the Wireshark website: https://www.wireshark.org/faq.html. You
might prefer this online version as its typically more up to date and the HTML format is easier to use.

1.7.4. Other sources

If you dont find the information you need inside this book, there are various other sources of
information:
The file doc/README.developer and all the other README.xxx files in the source code. These
are various documentation files on different topics

Read the README

README.developer is packed full with all kinds of details relevant to the developer
of Wireshark source code. Its companion file README.dissector advises you around
common pitfalls, shows you basic layout of dissector code, shows details of the APIs
available to the dissector developer, etc.
The Wireshark source code
Tool documentation of the various tools used (e.g. manpages of sed, gcc, etc.)
The different mailing lists. See Section 1.7.5, Mailing Lists

1.7.5. Mailing Lists

There are several mailing lists available on specific Wireshark topics:
wireshark-announce

This mailing list will inform you about new program releases, which
usually appear about every 4-8 weeks.

wireshark-users

This list is for users of Wireshark. People post questions about

building and using Wireshark, others (hopefully) provide answers.

wireshark-dev

This list is for Wireshark developers. People post questions about

the development of Wireshark, others (hopefully) provide answers.
If you want to start developing a protocol dissector, join this list.

wireshark-bugs

This list is for Wireshark developers. Every time a change to the bug
database occurs, a mail to this mailing list is generated. If you want
to be notified about all the changes to the bug database, join this list.
Details about the bug database can be found in Section 1.7.6, Bug
database (Bugzilla).

wireshark-commits

This list is for Wireshark developers. Every time a change to the GIT
repository is checked in, a mail to this mailing list is generated. If you
want to be notified about all the changes to the GIT repository, join

Introduction

this list. Details about the GIT repository can be found in Section 3.2,
The Wireshark Git repository.
You can subscribe to each of these lists from the Wireshark web site: https://www.wireshark.org/lists/.
From there, you can choose which mailing list you want to subscribe to by clicking on the Subscribe/
Unsubscribe/Options button under the title of the relevant list. The links to the archives are included
on that page as well.

The archives are searchable

You can search in the list archives to see if someone previously asked the same question
and maybe already got an answer. That way you dont have to wait until someone
answers your question.

1.7.6. Bug database (Bugzilla)

The Wireshark community collects bug reports in a Bugzilla database at https://bugs.wireshark.org/.
This database is filled with manually filed bug reports, usually after some discussion on wiresharkdev, and automatic bug reports from the buildbot tools.

1.7.7. Q&A Site

The Wireshark Q and A site at http://ask.wireshark.org/ offers a resource where questions and answers
come together. You have the option to search what questions were asked before and what answers
were given by people who knew about the issue. Answers are graded, so you can pick out the best
ones easily. If your issue isnt discussed before you can post one yourself.

1.7.8. Reporting Problems

Test with the latest version
Before reporting any problems, please make sure you have installed the latest version
of Wireshark. Reports on older maintenance releases are usually met with an upgrade
request.
If you report problems, provide as much information as possible. In general, just think about what you
would need to find that problem, if someone else sends you such a problem report. Also keep in mind
that people compile/run Wireshark on a lot of different platforms.
When reporting problems with Wireshark, it is helpful if you supply the following information:
1. The version number of Wireshark and the dependent libraries linked with it, e.g. Qt, GTK+, etc.
You can obtain this with the command wireshark -v.
2. Information about the platform you run Wireshark on.
3. A detailed description of your problem.
4. If you get an error/warning message, copy the text of that message (and also a few lines before and
after it, if there are some), so others may find the build step where things go wrong. Please dont
give something like: "I get a warning when compiling x" as this wont give any direction to look at.

Dont send large files

Do not send large files (>100KB) to the mailing lists, just place a note that further data
is available on request. Large files will only annoy a lot of people on the list who are
not interested in your specific problem. If required, you will be asked for further data by
the persons who really can help you.

Introduction

Dont send confidential information

If you send captured data to the mailing lists, or add it to your bug report, be sure it
doesnt contain any sensitive or confidential information, such as passwords. Visibility
of such files can be limited to certain groups in the Bugzilla database though.

1.7.9. Reporting Crashes on UNIX/Linux platforms

When reporting crashes with Wireshark, it is helpful if you supply the traceback information (besides
the information mentioned in Section 1.7.8, Reporting Problems).
You can obtain this traceback information with the following commands:
$ gdb `whereis wireshark | cut -f2 -d: | cut -d' ' -f2` core >& bt.txt
backtrace
^D
$

Using GDB
Type the characters in the first line verbatim. Those are back-tics there.
backtrace is a gdb command. You should enter it verbatim after the first line shown
above, but it will not be echoed. The ^D (Control-D, that is, press the Control key and
the D key together) will cause gdb to exit. This will leave you with a file called bt.txt in
the current directory. Include the file with your bug report.
If you do not have gdb available, you will have to check out your operating systems
debugger.
You should mail the traceback to the wireshark-dev mailing list, or attach it to your bug report.

1.7.10. Reporting Crashes on Windows platforms

You can download Windows debugging symbol files (.pdb) from the following locations:
32-bit Windows: https://www.wireshark.org/download/win32/all-versions/
64-bit Windows: https://www.wireshark.org/download/win64/all-versions/
Files are named "Wireshark-pdb-winbits-x.y.z.zip" to match their corresponding "Wireshark-winbitsx.y.z.exe" installer packages.

Chapter 2. Quick Setup

2.1. UNIX: Installation
All the tools required are usually installed on a UNIX developer machine.
If a tool is not already installed on your system, you can usually install it using the package in your
distribution: aptitude, yum, Synaptic, etc.
If an install package is not available or you have a reason not to use it (maybe because its simply
too old), you can install that tool from source code. The following sections will provide you with the
webpage addresses where you can get these sources.

2.2. Win32/64: Step-by-Step Guide

A quick setup guide for Win32 and Win64 with recommended configuration.

Warning
Unless you know exactly what you are doing, you should strictly follow the
recommendations below.

2.2.1. Install Microsoft C compiler and SDK

You need to install, in exactly this order:
1. C compiler: Download and install "Microsoft Visual Studio 2013 Community Edition." This is a
small download that then downloads all the other required parts (which are quite large).
Uncheck all the optional components (unless you want to use them for purposes other than Wireshark).
You can use Chocolatey to install Visual Studio:
PS$>cinst VisualStudioCommunity2013

You can use other Microsoft C compiler variants

Its possible to compile Wireshark with a wide range of Microsoft C compiler variants.
For details see Section 4.6, Microsoft compiler toolchain (Windows native)!

Dont use gcc or Clang

Compiling with gcc or Clang is not recommended and will certainly not work (at least
without a lot of advanced tweaking). For further details on this topic, see Section 4.5,
GNU compiler toolchain (UNIX only).
Why is this recommended? While this is a huge download, Visual Studio 2013 Community Edition is
the only free (as in beer) versions that includes the Visual Studio integrated debugger. Visual Studio
2013 is also used to create official Wireshark builds, so it will likely have fewer development-related
problems.
For VS2010 You will need some extra items:
1. Windows SDK for Windows 7, if you want to build 64-bit binaries for Windows 7: Download and
install "Microsoft Windows SDK for Windows 7."
10

Quick Setup

In case the install of the SDK fails go to software management and remove the VC++ 2010 runtime
and redist packages (dont worry, they will be added back via the service pack later). If installation
of the SDK still fails, there may be a permission problem. See here for a solution.
2. C compiler service pack: Download and install "Microsoft Visual Studio 2010 Service Pack 1."
This is a very large download.
3. Microsoft Visual C++ 2010 Service Pack 1 Compiler Update for the Windows SDK 7.1, if you
want to build 64-bit binaries for Windows 7: Download and install "Microsoft Visual C++ 2010
Service Pack 1 Compiler Update for the Windows SDK 7.1."
4. If you will be building 64-bit binaries those items must be installed in that order as installing the
Microsoft Visual Studio 2010 Service Pack 1 can, if youve installed the Microsoft Windows SDK
for Windows 7, remove the 64-bit compilers, as per http://support.microsoft.com/?kbid=2519277
the Microsoft Knowledge Base article "FIX: Visual C++ compilers are removed when you upgrade
Visual Studio 2010 Professional or Visual Studio 2010 Express to Visual Studio 2010 SP1 if
Windows SDK v7.1 is installed". The release notes for the Microsoft Visual C++ 2010 Service Pack
1 Compiler Update for the Windows SDK 7.1 say that, to ensure that your system has a supported
configuration, you must install the items in the order specified above. If you have Microsoft Update
installed, so that the Windows update process will update software other than components of
Windows, and thus will update Visual Studio, you may need to disable it until after all of the above
are installed, to make sure it doesnt install Visual Studio 2010 SP1 out of order.

2.2.2. Install Qt
The main Wireshark application uses the Qt windowing toolkit. To install Qt download the Online
Installer from the Qt Project download page and select a component that matches your target system
and compiler. For example, the msvc2013 64-bit OpenGL component is used to build the official
64-bit packages.
Note that the Qt package also includes the Qt Creator IDE, which is useful for designing graphical
components and includes an interactive debugger. Youll need to build Wireshark using nmake before
youll be able to build the Wireshark project (uiqtWireshark.pro), however.
You can also use Chocolatey to install Qt (there are packages for x86 & x64 and various MSVC
compilers, e.g.
PS$>cinst qt-sdk-windows-x86-msvc2013_opengl

2.2.3. Install Cygwin

On 32-bit Windows, download the 32-bit Cygwin installer and start it. On 64-bit Windows, download
the 64-bit Cygwin installer and start it.
At the "Select Packages" page, youll need to select some additional packages which are not installed
by default. Navigate to the required Category/Package row and, if the package has a "Skip" item in
the "New" column, click on the "Skip" item so it shows a version number for:
Archive/unzip
Devel/bison (or install Win flex-bison - see Chocolatey below)
Devel/flex (or install Win flex-bison - see Chocolatey below)
Devel/git (recommended - see discussion about using Git below)
Interpreters/perl
Utils/patch (only if needed) (may be Devel/patch instead)
Web/wget

11

Quick Setup

asciidoc
You might also have to install
Interpreters/m4
if installing Devel/bison doesnt provide a working version of Bison. If m4 is missing bison will fail.
After clicking the Next button several times, the setup will then download and install the selected
packages (this may take a while).
Why is this recommended? Cygwins bash version is required, as no native Win32 version is available.
As additional packages can easily be added, Perl and other packages are also used.

2.2.4. Install PowerShell

PowerShell 2.0 or later is required for building Wireshark and the NSIS package. Windows 7 and later
include compatible versions.
If you are running Windows Vista and have thus far managed to not install PowerShell 2.0, either
directly or via anything that requires it, you must now install PowerShell 2.0. You can download it
from https://www.microsoft.com/powershell

2.2.5. Optional: Install Chocolatey

As an alternative to Cygwin you can install some packages using Chocolatey, a native package
manager for Windows. Wiresharks build environment currently supports the winflexbison package
but support for more packages should appear in the future.

2.2.6. Install Python

Get the Python 2.7 installer from http://python.org/download/ and install Python into the default
location (C:\Python27).
Why is this recommended? Cygwins Python package doesnt work on some machines, so the Win32
native package is recommended (and its faster). Note that Python 3.x isnt currently supported.

2.2.7. Install Git

Please note that the following is not required to build Wireshark but can be quite helpful when working
with the sources.
Working with the Git source repositories is highly recommended, see Section 3.3, Obtain the
Wireshark sources. It is much easier to update a personal source tree (local repository) with Git rather
than downloading a zip file and merging new sources into a personal source tree by hand. It also makes
first-time setup easy and enables the Wireshark build process to determine your current source code
revision.
There are several ways in which Git can be installed. Most packages are available at the URLs below
or via Chocolatey. Note that many of the GUI interfaces depend on the command line version.

2.2.7.1. The Official Windows Installer

The official command-line installer is available at http://msysgit.github.io/.

2.2.7.2. Git Extensions

Git Extensions is a native Windows graphical Git client for Windows. You can download the installer
from http://code.google.com/p/gitextensions/.

12

Quick Setup

2.2.7.3. TortoiseGit
TortoiseGit is a native Windows graphical Git similar to TortoiseSVN. You can download the installer
from http://code.google.com/p/tortoisegit/.

2.2.7.4. Command Line client via Chocolatey

The command line client can be installed (and updated) using Chocolatey:
PS$> cinst git

2.2.7.5. Others
A list of other GUI interfaces for Git can be found at http://git-scm.com/downloads/guis

2.2.8. Install and Prepare Sources

Make sure everything works
Its a good idea to make sure Wireshark compiles and runs at least once before you start
hacking the Wireshark sources for your own project. This example uses Git Extensions
but any other Git client should work as well.
Download sources Download Wireshark sources into C:\Development\wireshark using either the
command line or Git Extensions:
Using the command line:
>cd C:\Development
>git clone https://code.wireshark.org/review/wireshark

Using Git extensions:

1. Open the Git Extensions application. By default Git Extensions will show a validation checklist at
startup. If anything needs to be fixed do so now. You can bring up the checklist at any time via
Tools # Settings.
2. In the main screen select Clone repository. Fill in the following:
Repository to clone: https://code.wireshark.org/review/wireshark
Destination: Your top-level development directory, e.g. C:\Development.
Subdirectory to create: Anything youd like. Usually wireshark.

Check your paths

Make sure your repository path doesnt contain spaces.
3. Click the Clone button. Git Extensions should start cloning the Wireshark repository.

2.2.9. Open a Visual Studio Command Prompt

From the Start Menu (or Start Screen), navigate to the Visual Studio 2013 Visual Studio Tools
directory and choose the Command Prompt appropriate for the build you wish to make, e.g. VS2013
x86 Native Tools Command Prompt for a 32 bit version.

Pin the items to the Task Bar

Pin the Command Prompt you use to the Task Bar for easy access.

13

Quick Setup

All subsequent operations take place in this Command Prompt window.

1. Set environment variables to control the build.
Set the following environment variables, using paths and values suitable for your installation:
>
>
>
>

set
set
set
set

CYGWIN=nodosfilewarning
WIRESHARK_BASE_DIR=C:\Development
WIRESHARK_TARGET_PLATFORM=win32 or win64 as required
QT5_BASE_DIR=C:\Qt\Qt5.3.0\5.3\msvc2013

> set WIRESHARK_VERSION_EXTRA=-YourExtraVersionInfo

If you are using a version of Visual Studio earlier than VS2012 then you must set an additional env
var, e.g. for VS2010 set the following:
> set VisualStudioVersion=10.0

Setting these variables could be added to a batch file to be run after you open the Visual Studio
Tools Command Prompt.
2. Change to the correct source directory
> cd C:\Development\wireshark

to jump into the source directory

2.2.10. Verify installed tools

After youve installed the Wireshark sources (see Section 3.3, Obtain the Wireshark sources),
you can check the correct installation of all tools by using the verify_tools target of the
Makefile.nmake from the source package.

Dependencies ahead
You will need the Wireshark sources and some tools (nmake, bash) installed, before this
verification is able to work.
Enter at the Visual Studio Command prompt line:
> nmake -f Makefile.nmake verify_tools

This will check for the various tools needed to build Wireshark:
Microsoft (R) Program Maintenance Utility Version 12.00.21005.1
Copyright (C) Microsoft Corporation. All rights reserved.

ERROR: The contents of 'E:\Wireshark\Wireshark-win32-libs\current_tag.txt' is (unknown).

It should be 2014-10-01.
Checking for required applications:
cl: /cygdrive/c/Program Files (x86)/Microsoft Visual Studio 12.0/VC/BIN/cl
link: /cygdrive/c/Program Files (x86)/Microsoft Visual Studio 12.0/VC/BIN/link
nmake: /cygdrive/c/Program Files (x86)/Microsoft Visual Studio 12.0/VC/BIN/nmake
bash: /usr/bin/bash
bison: /usr/bin/bison
flex: /usr/bin/flex
env: /usr/bin/env
grep: /usr/bin/grep
/usr/bin/find: /usr/bin/find
peflags: /usr/bin/peflags
perl: /usr/bin/perl
C:\Python27\python.exe: /cygdrive/c/Python27/python.exe
C:\Qt\Qt5.3.0\5.3\msvc2013\bin\qmake: /cygdrive/c/Qt/Qt5.3.0/5.3/msvc2013/bin/qmake
sed: /usr/bin/sed
unzip: /usr/bin/unzip

14

Quick Setup

wget: /usr/bin/wget

The "ERROR" at the start occurs because you havent yet downloaded the third party libraries and it
can be ignored at this stage. If you have problems with all the first three items (cl, link, nmake), check
that you opened a Visual Studio Command Prompt Section 2.2.9, Open a Visual Studio Command
Prompt.
Unfortunately, the link command is defined both in Cygwin and in MSVC, each with completely
different functionality. Youll need the MSVC link. If your link command looks something like: /
usr/bin/link the link command of Cygwin takes precedence over the MSVC one. To fix this, you
can change your PATH environment setting or simply rename link.exe in Cygwin. If you rename
it, make sure to remember that a Cygwin update may provide a new version of it.
Make sure that the other tools found are the Cygwin versions. Some build problems have been caused
by incompatible versions of grep and unzip provided by other installed applications.

2.2.11. Install Libraries

1. If youve closed the Visual Studio Command Prompt prepare it again.
2. Run
> nmake -f Makefile.nmake setup

to download and install libraries using wget. This may take a while.
3. If the download fails you may be behind a restrictive firewall. See the proxy comment in
Section 4.17, Windows: GNU wget (optional).
Note that 32-bit versions of the software require 32-bit versions of the libraries and that 64-bit versions
require 64-bit libraries. The build process creates independent directories for each as needed. See
Section 2.2.9, Open a Visual Studio Command Promptfor how to open the required Visual Studio
Command Prompt and WIRESHARK_TARGET_PLATFORM to select either a 32- or 64-bit build.

2.2.12. Build Wireshark

Now its time to build Wireshark!
1. If youve closed the Visual Studio Command Prompt prepare it again.
2. Run
> nmake -f Makefile.nmake all

to build Wireshark.
3. Wait for Wireshark to compile. This will take a while, and there will be a lot of text output in the
command prompt window
4. For the QT version run C:\Development\wireshark\wireshark-qt-release
\Wireshark.exe and make sure it starts.
5. For the older GTK version
gtk2\Wireshark-gtk.exe.

run

C:\Development\wireshark\wireshark-

6. Open Help # About. If it shows your "private" program version, e.g.: Version 1.99.x-myprotocol123
congratulations! You have compiled your own version of Wireshark!

Tip
If compilation fails for suspicious reasons after you changed some source files try to
"distclean" the sources and make "all" again

15

Quick Setup

2.2.13. Debug Environment Setup

You can debug using the Visual Studio Debugger or WinDbg. See the section on using the Debugger
Tools.

2.2.14. Optional: Create Users and Developers Guide

Detailed information to build these guides can be found in the file docbook\README.txt in the
Wireshark sources.

2.2.15. Optional: Create a Wireshark Installer

Note: You should have successfully built Wireshark before doing the following.
If you want to build your own wireshark-win32-1.99.x-myprotocol123.exe, youll need NSIS.
1. NSIS: Download and install NSIS
You may check the MAKENSIS setting in the file config.nmake in the Wireshark sources. Note that
the 32-bit version of NSIS will work for both 32-bit and 64-bit versions of Wireshark.
2. If youve closed the Visual Studio Command Prompt prepare it again.
3. Run
> nmake -f Makefile.nmake packaging

to build a Wireshark installer.

4. Run

> C:\Development\wireshark\packaging\nsis\wireshark-win32-wireshark-major-minor-version:[].x-mypr

to test your new installer. Its a good idea to test on a different machine than the developer machine.
Note that if youve built an x64 version, the installer will be named accordingly.

16

Chapter 3. Work with the Wireshark

sources
3.1. Introduction
This chapter will explain how to work with the Wireshark source code. It will show you how to:
Get the source
Compile it on your machine
Submit changes for inclusion in the official release
This chapter will not explain the source file contents in detail, such as where to find specific
functionality. This is done in Section 7.1, Source overview.

3.2. The Wireshark Git repository

Git is used to keep track of the changes made to the Wireshark source code. The code is stored inside
Wireshark projects Git repository located at a server at the wireshark.org domain.
Changes to the official repository are managed using the Gerrit code review sytem. Gerrit makes it
easy to test and discuss changes before they are pushed to the main repository. For an overview of
Gerrit see the Quick Introduction.
Why Git? Git is a fast, flexible way of managing source code. It allows large scale distributed
development and ensures data integrity.
Why Gerrit? Gerrit makes it easy to contribute. You can sign in with any OpenID provider and
push your changes. Its usable from both the web and command line and is integrated with many
popular tools.

Git is our third revision conrol system

Wireshark originally used Concurrent Versions System (CVS) and migrated to
Subversion in July 2004. The Subversion repository was subsequently migrated to Git
in January 2014.
Using Wiresharks Git repository you can:
Keep your private sources up to date with very little effort
Get a mail notification when the official source code changes
Get the source files from any previous release (or any other point in time)
Have a quick look at the sources using a web interface
See which person changed a specific piece of code
and much more

3.2.1. The web interface to the Git repository

If you need a quick look at the Wireshark source code you can browse the most recent file versions
in the master branch using Gitweb:

17

Work with the Wireshark sources

https://code.wireshark.org/review/gitweb?p=wireshark.git;a=tree
You can also view commit logs, branches, tags, and past revisions:
https://code.wireshark.org/review/gitweb?p=wireshark.git
Like most revision control systems, Git uses branching to manange different copies of the source code
and allow parallel development. Wireshark uses the following branches for official releases:
master: Main feature development and odd-numbered "feature" releases.
master-x.y: Stable release maintenance. For example, master-1.10 is used to manage the 1.10.x
official releases.

3.3. Obtain the Wireshark sources

There are several ways to obtain the sources from Wiresharks Git repository.

Check out from the master branch using Git.

Using Git is much easier than synchronizing your source tree by hand using any of the
snapshot methods mentioned below. Git merges changes into your personal source tree
in a very comfortable and quick way. So you can update your source tree several times
a day without much effort.

Keep your sources up to date

The following ways to retrieve the Wireshark sources are sorted in decreasing source
timeliness. If you plan to commit changes youve made to the sources, its a good idea
to keep your private source tree as current as possible.
The age mentioned in the following sections indicates the age of the most recent change in that set
of the sources.

3.3.1. Git over SSH or HTTPS

Recommended for development purposes.
Age: a few minutes.
You can use a Git client to download the source code from Wiresharks code review system. Anyone
can clone from the anonymous URL:
https://code.wireshark.org/review/wireshark
If you create a Gerrit account you can clone from an authenticated URL:
ssh://[email protected]:29418/wireshark
https://[email protected]/review/wireshark
SSH lets you use Gerrit on the command line. HTTP lets you access the repository in environments
that block the Gerrit SSH port (29418). At the time of this writing (early 2014) we recommend that
you use the SSH interface. However, this may change as more tools take advantage of Gerrits HTTP
REST API.
The following example shows how to get up and running on the command line. See Section 4.13, Git
client for information on installing and configuring graphical Git and Gerrit clients.
1. Sign in to https://code.wireshark.org/review using OpenID. In the upper right corner of the web
page, click on your account name and select Settings.

18

Work with the Wireshark sources

2. Under Profile set a username. This will be the username that you use for SSH access. For the steps
below well assume that your username is henry.perry.
3. Select SSH Public Keys and add one or more keys. You will typically upload a key for each
computer that you use.
4. Install git-review. This is an installable package in many Linux distributions. You can also install
it as a Python package. (This step isnt strictly necessary but it makes working with Gerrit much
easier.)
5. Now on to the command line. First, make sure git works:
$ git --version

6. If this is your first time using Git, make sure your username and email address are configured. This
is particularly important if you plan on uploading changes.
$ git config --global user.name "Henry Perry"
$ git config --global user.email [email protected]

7. Next, clone the Wireshark master:

$ git clone ssh://[email protected]:29418/wireshark

The checkout only has to be done once. This will copy all the sources of the latest version (including
directories) from the server to your machine. This may take some time depending on the speed of
your internet connection.
8. Then set up the git pre-commit hook and the push address:
$ cd wireshark
$ cp tools/pre-commit .git/hooks/
$ git config --add remote.origin.push HEAD:refs/for/master

This will run a few basic checks on commit to make sure that the code does not contain trivial
errors. It will also warn if it is out of sync with its master copy in the tools/ directory. The change
in the push address is necessary: We have an asymmetric process for pulling and pushing because
of gerrit.
9. Initialize git-review.
$ git review -s

This prepares your local repository for use with Gerrit, including installing the commit-msg hook
script.

3.3.2. Git web interface

Recommended for informational purposes only, as only individual files can be downloaded.
Age: a few minutes (same as anonymous Git access).
The entire source tree of the Git repository is available via a web interface at https://
code.wireshark.org/review/gitweb?p=wireshark.git. You can view each revision of a particular file,
as well as diffs between different revisions. You can also download individual files but not entire
directories.

3.3.3. Buildbot Snapshots

Recommended for development purposes, if direct Git access isnt possible (e.g. because of a
restrictive firewall).
Age: some number of minutes (a bit older than the Git access).

19

Work with the Wireshark sources

The buildbot server will automatically start to generate a snapshot of Wiresharks source tree after
a source code change is committed. These snapshots can be found at https://www.wireshark.org/
download.htmlautomated/src/.
If Git access isnt possible, e.g. if the connection to the server isnt possible because of a corporate
firewall, the sources can be obtained by downloading the buildbot snapshots. However, if you are
going to maintain your sources in parallel to the "official" sources for some time, its recommended to
use the anonymous (or authenticated) Git access if possible (believe it, it will save you a lot of time).

3.3.4. Released sources

Recommended for building pristine packages.
Age: from days to weeks.
The official source releases can be found at https://www.wireshark.org/download.html. You should
use these sources if you want to build Wireshark on your platform for with minimal or no changes,
such Linux distribution packages.
The differences between the released sources and the sources in the Git repository will keep on growing
until the next release is made. (At the release time, the released and latest Git repository versions are
identical again :-).

3.4. Update the Wireshark sources

After youve obtained the Wireshark sources for the first time, you might want to keep them in sync
with the sources at the upstream Git repository.

Take a look at the buildbot first

As development evolves, the Wireshark sources are compilable most of the time but
not always. You should take a look at http://buildbot.wireshark.org/trunk/waterfall
before fetching or pulling to make sure the builds are in good shape.

3.4.1. Update Using Git

After you clone Wiresharks Git repository you can update by running
$ git status
$ git pull

Depending on your preferences and work habits you might want to run git pull --rebase or
git checkout -b my-topic-branch origin/master instead.
Fetching should only take a few seconds, even on a slow internet connection. It will update your local
repository history with changes from the official repository. If you and someone else have changed
the same file since the last update, Git will try to merge the changes into your private file (this works
remarkably well).

3.4.2. Update Using Source Archives

There are several ways to download the Wireshark source code (as described in Section 3.3, Obtain
the Wireshark sources), but bringing the changes from the official sources into your personal source
tree is identical.
First of all, you will download the new .tar.bz2 file of the official sources the way you did it the
first time.

20

Work with the Wireshark sources

If you havent changed anything in the sources, you could simply throw away your old sources and
reinstall everything just like the first time. But be sure, that you really havent changed anything. It
might be a good idea to simply rename the "old" dir to have it around, just in case you remember later
that you really did change something before.
If you have changed your source tree, you have to merge the official changes since the last update into
your source tree. You will install the content of the .tar.bz2 file into a new directory and use a
good merge tool (e.g. http://winmerge.sourceforge.net/for Win32) to bring your personal source tree
in sync with the official sources again.
This method can be problematic and can be much more difficult and error-prone than using Git.

3.5. Build Wireshark

The sources contain several documentation files. Its a good idea to read these files first. After
obtaining the sources, tools and libraries, the first place to look at is doc/README.developer. Inside
you will find the latest information for Wireshark development for all supported platforms.

Build Wireshark before changing anything

It is a very good idea to first test your complete build environment (including running and
debugging Wireshark) before making any changes to the source code (unless otherwise
noted).
Building Wireshark for the first time depends on your platform.

3.5.1. Building on Unix

Run the autogen.sh script at the top-level wireshark directory to configure your build directory.
$ ./autogen.sh
$ ./configure
$ make

If you need to build with a non-standard configuration, you can run

$ ./configure --help

to see what options you have.

3.5.2. Win32 native

First, check the file config.nmake to determine if it reflects your configuration. The settings in this file
are well documented but there are a lot of them so please look closely. If youve installed the libraries
and tools as recommended there should be no need to change anything.
Many of the file and directory names used in the build process go past the old 8.3 naming limitations.
As a result you should use the cmd.exe command interpreter instead of the old command.com.
Be sure that your command-line environment is set up to compile and link with MSVC++. When
installing MSVC++, you can have your systems environment set up to always allow compiling from
the command line, or you can invoke the vcvars32.bat script, which can usually be found in the
_VC98\Bin_subdirectory of the directory in which Visual Studio was installed.
You should then cleanup any intermediate files, which are shipped for convenience of Unix users, by
typing at the command line prompt (cmd.exe):
> nmake -f Makefile.nmake distclean

21

Work with the Wireshark sources

After doing this, typing at the command line prompt (cmd.exe):

> nmake -f Makefile.nmake all

will start the whole Wireshark build process.

After the build process has successfully finished, you should find a wireshark.exe and some other
files in the root directory.

3.6. Run generated Wireshark

Tip!
An already installed Wireshark may interfere with your newly generated version in
various ways. If you have any problems getting your Wireshark running the first time,
it might be a good idea to remove the previously installed version first.

3.6.1. Unix/Linux
After a successful build you can run Wireshark right from the build directory. Still the program would
need to know that its being run from the build directory and not from its install location. This has
inpact on the directories where the program can find the other parts and relevant data files.
In order to run the Wireshark from the build directory set the environment variable
WIRESHARK_RUN_FROM_BUILD_DIRECTORY and run Wireshark. If your platform is properly
setup, your build directory and current working directory are not in your PATH, so the commandline
to launch Wireshark would be:
$ WIRESHARK_RUN_FROM_BUILD_DIRECTORY=1 ./wireshark

Theres no need to run Wireshark as root user, you just wont be able to capture. When you opt to run
Wireshark this way, your terminal output can be informative when things dont work as expected.

3.6.2. Win32 native

During the build all relevant program files are collected in a subdirectory wireshark-qt-release. You
can run the program from there by launching the Wireshark.exe executable.
The older GTK based version is also available in the wireshark-gtk subdirectory. You can run the
program from there by launching the Wireshark-gtk.exe executable.

3.7. Debug your generated Wireshark

3.7.1. Unix/Linux
When you want to investigate a problem with Wireshark you want to load the program into your
debugger. But loading wireshark into debugger fails because of the libtool build environment. Youll
have to wrap loading wireshark into a libtool command:
$ libtool --mode=execute gdb wireshark

If you prefer a graphic debugger you can use the Data Display Debugger (ddd) instead of GNU
debugger (gdb).
Additional traps can be set on GLib by setting the G_DEBUG environment variable:
$ G_DEBUG=fatal_criticals libtool --mode=execute ddd wireshark

22

Work with the Wireshark sources

See http://library.gnome.org/devel/glib/stable/glib-running.html

3.7.2. Win32 native

You can debug using the Visual Studio Debugger or WinDbg. See the section on using the Debugger
Tools.

3.8. Make changes to the Wireshark sources

As the Wireshark developers are working on many different platforms, a lot of editors are used to
develop Wireshark (emacs, vi, Microsoft Visual Studio and many many others). Theres no "standard"
or "default" development environment.
There are several reasons why you might want to change the Wireshark sources:
Add support for a new protocol (a new dissector)
Change or extend an existing dissector
Fix a bug
Implement a glorious new feature
The internal structure of the Wireshark sources will be described in Part II, Wireshark Development.

Ask the wireshark-dev mailing list before you start a new

development task.
If you have an idea what you want to add or change its a good idea to contact
the developer mailing list (see Section 1.7.5, Mailing Lists) and explain your idea.
Someone else might already be working on the same topic, so a duplicated effort can
be reduced. Someone might also give you tips that should be thought about (like side
effects that are sometimes very hard to see).

3.9. Contribute your changes

If you have finished changing the Wireshark sources to suit your needs, you might want to contribute
your changes back to the Wireshark community. You gain the following benefits by contributing your
improvements:
Its the right thing to do. Other people who find your contributions useful will appreciate them,
and you will know that you have helped people in the same way that the developers of Wireshark
have helped you.
You get free enhancements. By making your code public, other developers have a chance to make
improvements, as theres always room for improvements. In addition someone may implement
advanced features on top of your code, which can be useful for yourself too.
You save time and effort. The maintainers and developers of Wireshark will maintain your code as
well, updating it when API changes or other changes are made, and generally keeping it in tune
with what is happening with Wireshark. So if Wireshark is updated (which is done often), you can
get a new Wireshark version from the website and your changes will already be included without
any effort for you.
Theres no direct way to push changes to the Git repository. Only a few people are authorised to
actually make changes to the source code (check-in changed files). If you want to submit your changes,
you should upload them to the code review system.

23

Work with the Wireshark sources

3.9.1. Some tips for a good patch

Some tips that will make the merging of your changes into Git much more likely (and you want exactly
that, dont you?):
Use the latest Git sources. Its a good idea to work with the same sources that are used by the
other developers. This usually makes it much easier to apply your patch. For information about the
different ways to get the sources, see Section 3.3, Obtain the Wireshark sources.
Update your sources just before making a patch. For the same reasons as the previous point.
Inspect your patch carefully. Run git diff and make sure you arent adding, removing, or
omitting anything you shouldnt.
Find a good descriptive topic name for your patch. Short, specific names are preferred. snowconemachine-protocol is good, your name or your company name isnt.
Dont put unrelated things into one large patch. A few smaller patches are usually easier to apply
(but also dont put every changed line into a separate patch.
In general, making it easier to understand and apply your patch by one of the maintainers will make
it much more likely (and faster) that it will actually be applied.

Please remember
Wireshark is a volunteer effort. You arent paying to have your code reviewed and
integrated.

3.9.2. Code Requirements

The core maintainers have done a lot of work fixing bugs and making code compile on the various
platforms Wireshark supports.
To ensure Wiresharks source code quality, and to reduce the workload of the core maintainers, there
are some things you should think about before submitting a patch.

Pay attention to the coding guidelines

Ignoring the code requirements will make it very likely that your patch will be rejected.
Follow the Wireshark source code style guide. Just because something compiles on your platform,
that doesnt mean itll compile on all of the other platforms for which Wireshark is built. Wireshark
runs on many platforms, and can be compiled with a number of different compilers. See Section 7.2,
Coding Stylefor details.
Submit dissectors as built-in whenever possible. Developing a new dissector as a plugin is a good
idea because compiling and testing is quicker, but its best to convert dissectors to the built-in style
before submitting for checkin. This reduces the number of files that must be installed with Wireshark
and ensures your dissector will be available on all platforms.
This is no hard-and-fast rule though. Many dissectors are straightforward so they can easily be put
into "the big pile", while some are ASN.1 based which takes a different approach, and some multiple
sourcefile dissectors are more suitable to be placed separate as plugin.
Verify that your dissector code does not use prohibited or deprecated APIs. This can be done as
follows:
$ perl <wireshark_root>/tools/checkAPIs.pl <source filename(s)>

24

Work with the Wireshark sources

Fuzz test your changes! Fuzz testing is a very effective way to automatically find a lot of dissector
related bugs. Youll take a capture file containing packets affecting your dissector and the fuzz
test will randomly change bytes in this file, so that unusual code paths in your dissector are
checked. There are tools available to automatically do this on any number of input files, see: http:
//wiki.wireshark.org/FuzzTesting for details.

3.9.3. Uploading your changes

When youre satisfied with your changes (and obtained any necessary approval from your
organization) you can upload them for review. Changes should be pushed to a magical "refs/for"
branch in Gerrit. For example, to upload your new Snowcone Machine Protocol dissector you could
push to refs/for/master with the topic "snowcone-machine":

$ git push ssh://[email protected]:29418/wireshark HEAD:refs/for/master/snowcone-machin

If you have git-review installed you can upload the change with a lot less typing:
# Note: The "-f" flag deletes your current branch.
$ git review -f

You can push using any Git client. Many clients have support for Gerrit, either built in or via an
additional module.
You might get one of the following responses to your patch request:
Your patch is checked into the repository. Congratulations!
You are asked to provide additional information, capture files, or other material. If you havent
fuzzed your code, you may be asked to do so.
Your patch is rejected. You should get a response with the reason for rejection. Common reasons
include not following the style guide, buggy or insecure code, and code that wont compile on other
platforms. In each case youll have to fix each problem and upload another patch.
You dont get any response to your patch. Possible reason: All the core developers are busy (e.g.,
with their day jobs or family or other commitments) and havent had time to look at your patch.
Dont worry, if your patch is in the review system it wont get lost.
If youre concerned, feel free to add a comment to the patch or send an email to the developers list
asking for status. But please be patient: most if not all of us do this in our spare time.

3.9.4. Backporting a change

When a bug is fixed in the master branch it might be desirable or necessary to backport the fix to
a stable branch. You can do this in Git by cherry-picking the change from one branch to another.
Suppose you want to backport change 1ab2c3d4 from the master branch to master-1.10. Using "pure
Git" commands you would do the following:
# Create a new topic branch for the backport.
$ git checkout -b backport-g1ab2c3d4 origin/master-1.10
# Cherry-pick the change. Include a "cherry picked from..." line.
$ git cherry-pick -x 1ab2c3d4
# If there are conflicts, fix them.
# Compile and test the change.
$ make
$ ...
# OPTIONAL: Add entries to docbook/release-notes.asciidoc.
$ $EDITOR docbook/release-notes.asciidoc
# If you made any changes, update your commit:

25

Work with the Wireshark sources

$ git commit --amend -a

# Upload the change to Gerrit

$ git push ssh://[email protected]:29418/wireshark HEAD:refs/for/master-1.10/backport-g

If you want to cherry-pick a Gerrit change ID (e.g. I5e6f7890) you can use git review -X
I5e6f7890 instead of git cherry-pick and git review instead of git push as described
in the previous chapter.

3.10. Apply a patch from someone else

Sometimes you need to apply a patch to your private source tree. Maybe because you want to try a patch
from someone on the developer mailing list, or you want to check your own patch before submitting.

Beware line endings

If you have problems applying a patch, make sure the line endings (CR/LF) of the patch
and your source files match.

3.10.1. Using patch

Given the file new.diff containing a unified diff, the right way to call the patch tool depends on what
the pathnames in new.diff look like. If theyre relative to the top-level source directory (for example,
if a patch to prefs.c just has prefs.c as the file name) youd run it as:
$ patch -p0 < new.diff

If theyre relative to a higher-level directory, youd replace 0 with the number of higher-level
directories in the path, e.g. if the names are wireshark.orig/prefs.c and wireshark.mine/prefs.c, youd
run it with:
$ patch -p1 < new.diff

If theyre relative to a subdirectory of the top-level directory, youd run patch in that directory and
run it with -p0.
If you run it without -pat all, the patch tool flattens path names, so that if you have a patch file
with patches to Makefile.am and wiretap/Makefile.am, itll try to apply the first patch to the top-level
Makefile.am and then apply the wiretap/Makefile.am patch to the top-level Makefile.am as well.
At which position in the filesystem should the patch tool be called?
If the pathnames are relative to the top-level source directory, or to a directory above that directory,
youd run it in the top-level source directory.
If theyre relative to a subdirectory for example, if somebody did a patch to packet-ip.c and ran
diff or git diff in the epan/dissectors directory youd run it in that subdirectory. It is preferred
that people not submit patches like that, especially if theyre only patching files that exist in multiple
directories such as Makefile.am.

3.11. Binary packaging

Delivering binary packages makes it much easier for the end-users to install Wireshark on their target
system. This section will explain how the binary packages are made.

3.11.1. Debian: .deb packages

The Debian Package is built using dpkg-buildpackage, based on information found in the source tree
under debian. See http://www.debian-administration.org/articles/336for a more in-depth discussion
of the build process.

26

Work with the Wireshark sources

In the wireshark directory, type:

$ make debian-package

to build the Debian Package.

3.11.2. Red Hat: .rpm packages

The RPM is built using rpmbuild (http://www.rpm.org/), which comes as standard on many flavours
of Linux, including Red Hat and Fedora. The process creates a clean build environment in packaging/
rpm/BUILD_every time the RPM is built. The settings controlling the build are in _packaging/rpm/
SPECS/wireshark.spec.in. After editing the settings in this file, _./configure_must be run again in the
wireshark directory to generate the actual specification script.

Careful with that configure setting

The SPEC file contains settings for the configure used to set the RPM build environment.
These are completely independent of any settings passed to the usual Wireshark ./
configure. The exception to this rule is that the prefix given to configure -prefix is passed to rpmbuild.
In the wireshark directory, type:
$ make rpm-package

to build the RPM and source RPM. Once it is done, there will be a message stating where the built
RPM can be found.

This might take a while

Because this does a clean build as well as constructing the package this can take quite
a long time.

Build requirements differ from run requirements

Building the RPM requires building a source distribution which itself requires the Qt
development tools uic and moc. These can usually be obtained by installing the qtdevel package.

3.11.3. MAC OS X: .dmg packages

The MAC OS X Package is built using OS X packaging tools, based on information found in the
source tree under packaging/macosx.
In the wireshark directory, type:
$ make osx-package

to build the MAC OS X Package.

3.11.4. Win32: NSIS .exe installer

The Nullsoft Install System is a free installer generator for Win32 based systems; instructions how to
install it can be found in Section 4.19, Windows: NSIS (optional). NSIS is script based, you will
find the Wireshark installer generation script at: packaging/nsis/wireshark.nsi.
You will probably have to modify the MAKENSIS setting in the config.nmake file to specify where
the NSIS binaries are installed.
In the top-level source directory type:

27

Work with the Wireshark sources

> nmake -f makefile.nmake packaging

to build the installer.

This might take a while

Please be patient while the package is compressed. It might take some time, even on
fast machines.
If everything went well, you will now find something like: wireshark-setup-1.99.2.exe in the
packaging/nsis directory.

3.11.5. Win32: PortableApps .paf.exe package

PortableApps.com is an environment that lets users run popular applications from portable media such
as flash drives and cloud drive services.
You will probably have to modify the MAKENSIS setting in the config.nmake file to specify where
the NSIS binaries are installed.
In the top-level source directory type:
> nmake -f makefile.nmake packaging_papps

to build the installer.

This might take a while

Please be patient while the package is compressed. It might take some time, even on
fast machines.
If everything went well, you will now find something like: WiresharkPortable-1.99.paf.exe in the
packaging/portableapps/win32 directory.

28

Chapter 4. Tool Reference

4.1. Introduction
This chapter will provide you with information about the various tools needed for Wireshark
development.
None of the tools mentioned in this chapter are needed to run Wireshark; they are only needed to
build it.
Most of these tools have their roots on UNIX like platforms, but Windows ports are also available.
Therefore the tools are available in different "flavours":
UNIX (or Windows Cygwin): the tools should be commonly available on the supported UNIX
platforms, and for Windows platforms by using the Cygwin UNIX emulation
Windows native: some tools are available as native Windows tools, no special emulation is required.
Many of these tools can be installed (and updated) using Chocolatey, a Windows package manager
similar to the Linux package managers apt-get or yum.

Follow the directions

Unless you know exactly what you are doing, you should strictly follow the
recommendations given in Chapter 2, Quick Setup.
The following sections give a very brief description of what a particular tool is doing, how it is used
in the Wireshark project and how it can be installed and tested.
Documentation for these tools is outside the scope of this document. If you need further information on
using a specific tool you should find lots of useful information on the web, as these tools are commonly
used. You can also get help for the UNIX based tools with toolname --help or the man page
via man toolname.
You will find explanations of the tool usage for some of the specific development tasks in Chapter 3,
Work with the Wireshark sources.

4.2. Windows PowerShell

PowerShell 2.0 or later is required for building Wireshark and the NSIS package. Windows 7 and later
include compatible versions.
If you are running Windows Vista and have thus far managed to not install PowerShell 2.0, either
directly or via anything that requires it, you must now install PowerShell 2.0. You can download it
from https://www.microsoft.com/powershell

4.3. Chocolatey
Chocolatey is a Windows package manager that can be used to install (and update) many of the
packages required for Wireshark development. Chocolatey can be obtained from the website or from
a DOS command prompt:

C:\>@powershell -NoProfile -ExecutionPolicy unrestricted -Command "iex ((new-object net.webclient).D

or a Powershell prompt:
PS:\>iex ((new-object net.webclient).DownloadString('https://chocolatey.org/install.ps1'))

29

Tool Reference

4.4. Windows: Cygwin

Cygwin provides a lot of UNIX based tools on the Windows platform. It uses a UNIX emulation
layer which might be a bit slower compared to the native Windows tools, but at an acceptable level.
The installation and update is pretty easy and done through a single utility, setup-x86.exe for 32-bit
Windows and setup-x86_64.exe for 64-bit Windows.
The native Windows tools will typically be a bit faster but more complicated to install, as you would
have to download the tools from different web sites and install and configure them individually.

You must have Cygwin installed

As theres no Windows native bash version available, at least a basic installation of
Cygwin is required in any case. This may change in the future as packaging systems
such as NuGet and Chocolatey mature.
Although Cygwin consists of several separate packages, the installation and update is done through
a single utility, setup-x86.exe or setup-x86_64.exe, which acts similarly to other web based installers.
All tools will be installed into one base folder. The default is C:\cygwin.
You will find setup-x86.exe, for 32-bit systems, and setup-x86_64.exe, for 64-bit systems, at http://
www.cygwin.com/install.html. Click on the link for the appropriate setup utility to download it. After
the download completes, run it.
The setup utility will ask you for some settings. The defaults should usually work well, at least initially.
If, at the "Choose A Download Source" page, you use the default "Install from Internet" setting, you
will need to choose a download site at the "Choose A Download Site" page. See the list of mirror sites
at http://cygwin.com/mirrors.html to choose a download site appropriate to your location.
At the "Select Packages" page, youll need to select some additional packages, which are not installed
by default. Navigate to the required Category/Package row and click on the "Skip" item in the "New"
column so it shows a version number for the required package.
After clicking the Next button several times the setup will then download and install the selected
packages (this may take a while, depending on the package size).
Under: Start#Programs#Cygwin#Cygwin Bash Shell you should now be able to start a new Cygwin
bash shell, which is similar to the standard Windows command line interpreters (command.com /
cmd.exe) but much more powerful.

4.4.1. Add/Update/Remove Cygwin Packages

If you want to add, update, or remove packages later you can do so by running the setup utility again.
At the "Select Packages" page, the entry in the "New" column will control what is done (or not) with
the package. If a new version of a package is available, the new version number will be displayed, so
it will be automatically updated. You can change the current setting by simply clicking at it, it will
change between:
A specific version number. This specific package version will be installed.
Skip. Not installed, no changes.
Keep. Already installed, no changes.
Uninstall. Uninstall this package.
Reinstall. Reinstall this package.

30

Tool Reference

4.5. GNU compiler toolchain (UNIX only)

4.5.1. gcc (GNU compiler collection)
The GCC C compiler is available for most of the UNIX-like platforms.
If GCC isnt already installed or available as a package for your platform, you can get it at: http://
gcc.gnu.org/.
After correct installation, typing at the bash command line prompt:
$ gcc --version

should result in something like

gcc (Ubuntu 4.9.1-16ubuntu6) 4.9.1
Copyright (C) 2014 Free Software Foundation, Inc.
This is free software; see the source for copying conditions. There is NO
warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.

Your version string may vary, of course.

4.5.2. gdb (GNU project debugger)

GDB is the debugger for the GCC compiler. It is available for many (if not all) UNIX-like platforms.
If you dont like debugging using the command line there are some GUI frontends for it available,
most notably GNU DDD.
If gdb isnt already installed or available as a package for your platform, you can get it at: http://
www.gnu.org/software/gdb/gdb.html.
After correct installation:
$ gdb --version

should result in something like:

GNU gdb (Ubuntu 7.8-1ubuntu4) 7.8.0.20141001-cvs
Copyright (C) 2014 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law. Type "show copying"
and "show warranty" for details.
This GDB was configured as "x86_64-linux-gnu".
Type "show configuration" for configuration details.
For bug reporting instructions, please see:
<http://www.gnu.org/software/gdb/bugs/>.
Find the GDB manual and other documentation resources online at:
<http://www.gnu.org/software/gdb/documentation/>.
For help, type "help".
Type "apropos word" to search for commands related to "word".

Your version string may vary, of course.

4.5.3. ddd (GNU Data Display Debugger)

The GNU Data Display Debugger is a good GUI frontend for GDB (and a lot of other command line
debuggers), so you have to install GDB first. It is available for many UNIX-like platforms.
If GNU DDD isnt already installed or available as a package for your platform, you can get it at: http:
//www.gnu.org/software/ddd/.

31

Tool Reference

4.5.4. make (GNU Make)

Note
GNU Make is available for most of the UNIX-like platforms.
If GNU Make isnt already installed or available as a package for your platform, you can get it at:
http://www.gnu.org/software/make/.
After correct installation:
$ make --version

should result in something like:

GNU Make 4.0
Built for x86_64-pc-linux-gnu
Copyright (C) 1988-2013 Free Software Foundation, Inc.
Licence GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.

Your version string may vary, of course.

4.6. Microsoft compiler toolchain (Windows

native)
To compile Wireshark on Windows using the Microsoft C/C++ compiler, youll need:
1. C compiler (cl.exe)
2. Assembler (ml.exe for 32-bit targets and ml64.exe for 64-bit targets)
3. Linker (link.exe)
4. Make (nmake.exe)
5. C runtime headers and libraries (e.g. stdio.h, msvcrt.lib)
6. Windows platform headers and libraries (e.g. windows.h, WSock32.lib)
7. HTML help headers and libraries (htmlhelp.h, htmlhelp.lib)

4.6.1. Toolchain Package Alternatives

The Wireshark 1.99.x releases are compiled using Microsoft Visual C++ 2013. The official Wireshark
1.12.x and 1.10.x releases are compiled using Microsoft Visual C++ 2010 SP1. The official 1.8 releases
were compiled using Microsoft Visual C++ 2010 SP1 as well. The official 1.6, 1.4, and 1.2 releases
were compiled using Microsoft Visual C++ 2008 SP1. Other past releases, including the 1.0 branch,
were compiled using Microsoft Visual C++ 6.0.
Using the release compilers is recommended for Wireshark development work.
The older "Express Edition" compilers such as Visual C++ 2010 Express Edition SP1 can be used but
any PortableApps packages you create with them will require the installation of a separate Visual C
++ Redistributable package on any machine on which the PortableApps package is to be used. See
Section 4.6.5, C-Runtime "Redistributable" Files below for more details.
However, you might already have a different Microsoft C++ compiler installed. It should be possible
to use any of the following with the considerations listed:

32

Tool Reference

Visual C++ 2013 Community Edition

IDE + Debugger?

Yes

Purchase required?

Free Download

SDK required for 64-bit builds?

No

config.nmake MSVC_VARIANT

MSVC2013

Visual C++ 2010 Express Edition

IDE + Debugger?

Yes

Purchase required?

Free Download

SDK required for 64-bit builds?

Yes.

config.nmake MSVC_VARIANT

MSVC2010EE

Remarks

Installers created using express editions require a C+

+ redistributable vcredist_x86.exe (3MB free download)
is required to build Wireshark-win32-1.99.x.exe, and
vcredist_x64.exe is required to build Wiresharkwin64-1.99.x.exe. The version of vcredist_x86.exe or
vcredist_x64.exe must match the version for your compiler
including any service packs installed for the compiler.]

Visual Studio 2010

IDE + Debugger?

Yes

Purchase required?

Yes

SDK required for 64-bit builds?

No

config.nmake MSVC_VARIANT

MSVC2010

Remarks

Building a 64-bit installer requires a a C++ redistributable

(vcredist_x86.exe).footnoteref[vcredist]

You can use Chocolatey to install Visual Studio, e.g:

PS:\> cinst VisualStudioCommunity2013

4.6.2. cl.exe (C Compiler)

The following table gives an overview of the possible Microsoft toolchain variants and their specific
C compiler versions ordered by release date.
Compiler Package

cl.exe

_MSC_VER

CRT DLL

Visual Studio 2013

12.0

1800

msvcr120.dll

Visual Studio 2010

10.0

1600

msvcr100.dll

After correct installation of the toolchain, typing at the Visual Studio Command line prompt (cmd.exe):
> cl

33

Tool Reference

should result in something like:

Microsoft (R) C/C++ Optimizing Compiler Version 18.00.31101 for x86
Copyright (C) Microsoft Corporation. All rights reserved.
usage: cl [ option... ] filename... [ /link linkoption...

However, the version string may vary.

Documentation on the compiler can be found at Microsoft MSDN

4.6.3. nmake.exe (Make)

Nmake is part of the toolchain packages described above.
Instead of using the workspace (.dsw) and projects (.dsp) files, the traditional nmake makefiles are
used. This has one main reason: it makes it much easier to maintain changes simultaneously with
the GCC toolchain makefile.am files as both file formats are similar. However, as no Visual Studio
workspace/project files are available, this makes it hard to use the Visual Studio IDE e.g. for using
the integrated debugging feature.
After correct installation, typing at the Visual Studio Command line prompt (cmd.exe):
> nmake

should result in something like:

Microsoft (R) Program Maintenance Utility Version 12.00.21005.1
Copyright (C) Microsoft Corporation. All rights reserved.
NMAKE : fatal error U1064: MAKEFILE not found and no target specified
Stop.

However, the version string may vary.

Documentation on nmake can be found at Microsoft MSDN

4.6.4. link.exe (Linker)

After correct installation, typing at the Visual Studio Command line prompt (cmd.exe):
> link

should result in something like:

Microsoft (R) Incremental Linker Version 12.00.31101.0
Copyright (C) Microsoft Corporation. All rights reserved.
usage: LINK [options] [files] [@commandfile]
...

However, the version string may vary.

Documentation on the linker can be found at Microsoft MSDN

4.6.5. C-Runtime "Redistributable" Files

Please note: The following is not legal advice - ask your preferred lawyer instead. Its the authors view
and this view might be wrong.
Depending on the Microsoft compiler version you use, some binary files coming from Microsoft
might be required to be installed on Windows machine to run Wireshark. On a developer machine,

34

Tool Reference

the compiler setup installs these files so they are available - but they might not be available on a user
machine!
This is especially true for the C runtime DLL (msvcr*.dll), which contains the implementation of ANSI
and alike functions, e.g.: fopen(), malloc(). The DLL is named like: msvcrversion'.dll, an abbreviation
for "MicroSoft Visual C Runtime". For Wireshark to work, this DLL must be available on the users
machine.
Starting with MSVC7, it is necessary to ship the C runtime DLL (msvcrversion'.dll) together with the
application installer somehow, as that DLL is possibly not available on the target system.

Make sure youre allowed to distribute this file

The files to redistribute must be mentioned in the redist.txt file of the compiler package.
Otherwise it cant be legally redistributed by third parties like us.
The following MSDN link is recommended for the interested reader:
Redistributing Visual C++ Files
In all cases where vcredist_x86.exe or vcredist_x64.exe is downloaded it should be downloaded to
the directory into which the support libraries for Wireshark have been downloaded and installed. This
directory is specified by the WIRESHARK_LIB_DIR setting in the config.nmake. By default it is C:
\Development\wireshark-win32-libs. It need not, and should not, be run after being downloaded.

4.6.5.1. msvcr120.dll / vcredist_x86.exe / vcredist_x64.exe Version 12.0 (2013)

There are three redistribution methods that MSDN mentions for MSVC 2013 (see: "Choosing a
Deployment Method"):
1. Using Visual C++ Redistributable Package. The Microsoft libraries are installed by copying
vcredist_x64.exe or vcredist_x86.exe to the target machine and executing it on that machine (MSDN
recommends this for applications built with Visual Studio 2013)
2. Using Visual C++ Redistributable Merge Modules. (Loadable modules for building msi installers.
Not suitable for Wiresharks NSIS based installer)
3. Install a particular Visual C++ assembly as a private assembly for the application. The Microsoft
libraries are installed by copying the folder content of Microsoft.VC120.CRT to the target directory
(e.g. C:\Program Files\Wireshark)
To save installer size, and to make a portable version of Wireshark (which must be completely selfcontained, on a medium such as a flash drive, and not require that an installer be run to install anything
on the target machine) possible, when building 32-bit Wireshark with MSVC2013, method 3 (copying
the content of Microsoft.VC120.CRT) is used (this produces the smallest package).

4.6.6. Windows (Platform) SDK

The Windows Platform SDK (PSDK) or Windows SDK is a free (as in beer) download and contains
platform specific headers and libraries (e.g. windows.h, WSock32.lib, etc.). As new Windows features
evolve in time, updated SDKs become available that include new and updated APIs.
When you purchase a commercial Visual Studio or use the Community Edition, it will include an
SDK. The free Express (as in beer) downloadable C compiler versions (VC++ 2012 Express, VC++
2012 Express, etc.) do not contain an SDK youll need to download a PSDK in order to have the
required C header files and libraries.
Older versions of the SDK should also work. However, the command to set the environment settings
will be different, try search for SetEnv.* in the SDK directory.

35

Tool Reference

4.6.7. HTML Help

HTML Help is used to create the Users and Developers Guide in .chm format and to show the Users
Guide as the Wireshark "Online Help".
Both features are currently optional, and might be removed in future versions.

4.6.7.1. HTML Help Compiler (hhc.exe)

This compiler is used to generate a .chm file from a bunch of HTML files in our case to generate
the Users and Developers Guide in .chm format.
The compiler is only available as the free (as in beer) "HTML Help Workshop" download. If you want
to compile the guides yourself, you need to download and install this. If you dont install it into the
default directory, you may also have a look at the HHC_DIR setting in the file docbook/Makefile.

4.6.7.2. HTML Help Build Files (htmlhelp.c / htmlhelp.lib)

The files htmlhelp.c and htmlhelp.lib are required to be able to open .chm files from Wireshark and
show the online help. Both files are part of the SDK (standalone (P)SDK or MSVC since 2002).
Simply set HHC_DIR in config.nmake to use it.

4.6.8. Debugger
Using a good debugger can save you a lot of development time.
The debugger you use must match the C compiler Wireshark was compiled with, otherwise the
debugger will simply fail or you will only see a lot of garbage.

4.6.8.1. Visual Studio integrated debugger

You can use the integrated debugger of Visual Studio if your toolchain includes it. As described
on MSDN, create an EXE project for your built copy, i.e. C:\Development\Wireshark\wireshark-qtrelease\Wireshark.exe, and then start the debugger in the mormal way. To set a breakpoint, open the
required source file using the File Open File menu and set the breakpoint as normal.
The normal build is an optimised release version so debugging can be a bit difficult as variables are
optimised out into registers and the execution order of statements can jump around.
If you require a non-optimised version, then edit config.nmake and replace the /O2 flag from
LOCAL_CFLAGS with /Od, clean up the build (nmake -f Makefile.nmake clean) and then rebuild.

4.6.8.2. Debugging Tools for Windows

You can also use the Microsoft Debugging Tools for Windows toolkit, which is a standalone GUI
debugger. Although its not that comfortable compared to debugging with the Visual Studio integrated
debugger it can be helpful if you have to debug on a machine where an integrated debugger is not
available.
You can get it free of charge from Microsoft in several ways, see the Debugging tools for Windows
page.
You can also use Chocolatey to install WinDbg:
PS:\> cinst windbg

To debug Wireshark using WinDbg, open the built copy of Wireshark using the File Open
Executable menu, i.e. C:\Development\Wireshark\wireshark-qt-release\Wireshark.exe. To set a

36

Tool Reference

breakpoint open the required source file using the File Open Source File menu and then click on
the required line and press F9. To run the program, press F5.

4.7. bash
The bash shell is needed to run several shell scripts.

4.7.1. UNIX and Cygwin: GNU bash

The bash shell is available for most of the UNIX-like platforms and as the bash package from the
Cygwin setup.
If bash isnt already installed or available as a package for your platform, you can get it at http://
www.gnu.org/software/bash/bash.html.
After correct installation, typing at the bash command line prompt:
$ bash --version

should result in something like:

GNU bash, version 3.1.17(6)-release (i686-pc-cygwin)
Copyright (C) 2005 Free Software Foundation, Inc.

However, the version string may vary.

4.7.2. Windows native:

This section not yet written

4.8. Python
Python is an interpreted programming language. The homepage of the Python project is http://
python.org/. It is used to generate some source files. Python 2.5 or later (including Python 3) should
work fine but Python 2.7 is recommended.
Python is either included or available as a package on most UNIX-like platforms. Windows
packages and source are available at http://python.org/download/. The Cygwin Python package is
not recommended since /usr/bin/python is a symbolic link, which causes confusion outside
Cygwin.
You can also use Chocolatey to install Python:
PS:\> cinst Python2

You can verify your Python version by running

$ python --version

on UNIX and Linux and

C:> cd python27
C:Python27> python --version

on Windows. You should see something like

Python 2.7.3

37

Tool Reference

Your version string may vary of course.

4.9. Perl
Perl is an interpreted programming language. The homepage of the Perl project is http://
www.perl.com. Perl is used to convert various text files into usable source code. Perl version 5.6 and
above should work fine.

4.9.1. UNIX and Cygwin: Perl

Perl is available for most of the UNIX-like platforms and as the perl package from the Cygwin setup.
If perl isnt already installed or available as a package for your platform, you can get it at http://
www.perl.com/.
After correct installation, typing at the bash command line prompt:
$ perl --version

should result in something like:

This is perl, v5.8.7 built for cygwin-thread-multi-64int
(with 1 registered patch, see perl -V for more detail)
Copyright 1987-2005, Larry Wall
Perl may be copied only under the terms of either the Artistic License or the
GNU General Public License, which may be found in the Perl 5 source kit.
Complete documentation for Perl, including FAQ lists, should be found on
this system using `man perl' or `perldoc perl'. If you have access to the
Internet, point your browser at http://www.perl.com/, the Perl Home Page.

However, the version string may vary.

4.9.2. Windows native: Perl

A native Windows Perl package can be obtained from Active State or Strawberry Perl. The installation
should be straightforward.
You may also use Chocolatey to install either package:
PS:\> cinst ActivePerl

or
PS:\> cinst StrawberryPerl

After correct installation, typing at the command line prompt (cmd.exe):

> perl -v

should result in something like:

This is perl, v5.8.0 built for MSWin32-x86-multi-thread
(with 1 registered patch, see perl -V for more detail)
Copyright 1987-2002, Larry Wall
Binary build 805 provided by ActiveState Corp. http://www.ActiveState.com
Built 18:08:02 Feb 4 2003
...

However, the version string may vary.

38

Tool Reference

4.10. sed
Sed it the streaming editor. It makes it easy for example to replace text inside a source code file. The
Wireshark build process uses this to stamp version strings in various places.

4.10.1. UNIX and Cygwin: sed

Sed is available for most of the UNIX-like platforms and as the sed package from the Cygwin setup.
If sed isnt already installed or available as a package for your platform, you can get it at http://
directory.fsf.org/GNU/sed.html
After correct installation, typing at the bash command line prompt:
$ sed --version

should result in something like:

GNU sed version 4.1.5
Copyright (C) 2003 Free Software Foundation, Inc.
This is free software; see the source for copying conditions. There is NO
warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE,
to the extent permitted by law.

However, the version string may vary.

4.10.2. Windows native: sed

A native Windows sed package can be obtained from http://gnuwin32.sourceforge.net/. The
installation should be straightforward.

4.11. Bison
Bison is a parser generator used for some of Wiresharks file format support.

4.11.1. UNIX or Cygwin: bison

Bison is available for most UNIX-like platforms and as the bison package from Cygwin. See the next
section for native Windows options.
If GNU Bison isnt already installed or available as a package for your platform you can get it at: http:
//www.gnu.org/software/bison/bison.html.
After correct installation running the following
$ bison --version

should result in something like:

bison (GNU Bison) 2.3
Written by Robert Corbett and Richard Stallman.
Copyright (C) 2006 Free Software Foundation, Inc.
This is free software; see the source for copying conditions. There is NO
warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.

Your version string may vary.

4.11.2. Windows Native: Win flex-bison and bison

A native Windows version of bison is available in the winflexbison Chocolatey package. Note that the
executable is named win_bison.

39

Tool Reference

Native packages are available from other sources such as GnuWin. They arent officially supported
but should work.

4.12. Flex
Flex is a lexical analyzer generator used for Wiresharks display filters, some file formats, and other
features.

4.12.1. UNIX or Cygwin: flex

Flex is available for most UNIX-like platforms and as the flex package from Cygwin. See the next
section for native Windows options.
If GNU flex isnt already installed or available as a package for your platform you can get it at http:
//www.gnu.org/software/flex/.
After correct installation running the following
$ flex --version

should result in something like:

flex version 2.5.4

Your version string may vary.

4.12.2. Windows Native: Win flex-bison and flex

A native Windows version of flex is available in the winflexbison Chocolatey package. Note that the
executable is named win_flex.
PS:\>cinst winflexbison

Native packages are available from other sources such as GnuWin. They arent officially supported
but should work.

4.13. Git client

The Wireshark project uses its own Git repository to keep track of all the changes done to the source
code. Details about the usage of Git in the Wireshark project can be found in Section 3.2, The
Wireshark Git repository.
If you want to work with the source code and are planning to commit your changes back to the
Wireshark community, it is recommended to use a Git client to get the latest source files. For detailed
information about the different ways to obtain the Wireshark sources, see Section 3.3, Obtain the
Wireshark sources.
You will find more instructions in Section 3.3.1, Git over SSH or HTTPS on how to use the Git
client.

4.13.1. UNIX or Cygwin: git

Git is available for most of the UNIX-like platforms and as the Git package from the Cygwin setup
If Git isnt already installed or available as a package for your platform, you can get it at: http://gitscm.com/.
After correct installation, typing at the bash command line prompt:

40

Tool Reference

$ git --version

should result in something like:

git version 1.8.3.4

Your version will likely be different.

4.13.2. Windows native: git

The Git command line tools for Windows can be found at http://git-scm.com/download/win and can
also be installed using Chocolatey:
PS:\> cinst git

After correct installation, typing at the command line prompt (cmd.exe):

$ git --version

should result in something like:

git version 1.8.3.4

However, the version string may vary.

4.14. Git Powershell Extensions (optional)

A useful tool for command line git on Windows is PoshGit. Poshgit provides git command completion
and alters the prompt to indicate the local working copy status. You can install it using Chocolatey:
PS:\>cinst poshgit

4.15. Git GUI client (optional)

Along with the traditional command-line client, several GUI clients are available for a number of
platforms. See http://git-scm.com/downloads/guis for details.

4.16. patch (optional)

The patch utility is used to merge a diff file into your own source tree. This tool is only needed, if
you want to apply a patch (diff file) from someone else (probably from the developer mailing list) to
try out in your own private source tree.
It most cases you may not need the patch tool installed. Git and Gerrit should handle patches for you.
You will find more instructions in Section 3.10, Apply a patch from someone elseon how to use
the patch tool.

4.16.1. UNIX and Cygwin: patch

Patch is available for most of the UNIX-like platforms and as the patch package from the Cygwin
setup.
If GNU patch isnt already installed or available as a package for your platform, you can get it at http:
//www.gnu.org/software/patch/patch.html.
After correct installation, typing at the bash command line prompt:
$ patch --version

should result in something like:

41

Tool Reference

patch 2.5.8
Copyright (C) 1988 Larry Wall
Copyright (C) 2002 Free Software Foundation, Inc.
This program comes with NO WARRANTY, to the extent permitted by law.
You may redistribute copies of this program
under the terms of the GNU General Public License.
For more information about these matters, see the file named COPYING.
written by Larry Wall and Paul Eggert

However, the version string may vary.

4.16.2. Windows native: patch

The Windows native Git tools provide patch. A native Windows patch package can be obtained from
http://gnuwin32.sourceforge.net/. The installation should be straightforward.

4.17. Windows: GNU wget (optional)

GNU wget is used to download files from the internet using the command line.
GNU wget is available for most of the UNIX-like platforms and as the wget package from the Cygwin
setup and also using Chocolatey:
PS$> cinst Wget

You will only need wget, if you want to use the Windows automated library download, see Section 5.3,
Win32: Automated library downloadfor details.
If GNU wget isnt already installed or available as a package for your platform (well, for Windows it
is available as a Cygwin package), you can get it at http://www.gnu.org/software/wget/wget.html.
If wget is trying to download files but fails to do so, your Internet connection might use an HTTP
proxy. Some Internet providers use such a proxy and it is common in many company networks today.
Wiresharks setup script will try to discover your proxy settings automatically, but you may need to set
the environment variable HTTP_PROXY by hand before using wget. For example, if you are behind
proxy.com which is listening on port 8080, you have to set it to something like:
set HTTP_PROXY=http://proxy.com:8080/

If you are unsure about the settings, you might ask your system administrator.

4.18. Windows: GNU unzip (optional)

GNU unzip is used to, well, unzip the zip files downloaded using the wget tool.
GNU unzip is available for most of the UNIX-like platforms and as the unzip package from the Cygwin
setup.
You will only need unzip, if you want to use the Windows automated library download, see Section 5.3,
Win32: Automated library downloadfor details.
If GNU unzip isnt already installed or available as a package for your platform (well, for Windows it is
available as a Cygwin package), you can get it at http://gnuwin32.sourceforge.net/packages/unzip.htm.

4.19. Windows: NSIS (optional)

The NSIS (Nullsoft Scriptable Install System) is used to generate wireshark-win32-1.99.x.exe from
all the files needed to be installed, including all required DLLs, plugins, and supporting files.

42

Tool Reference

To install it, simply download the latest released version (currently 2.46) from http://
nsis.sourceforge.net and start the downloaded installer. You will need NSIS version 2. Version 3 is
not yet supported.
You can find more instructions on using NSIS in Section 3.11.4, Win32: NSIS .exe installer.

4.20. Windows: PortableApps (optional)

The PortableApps.com Installer is used to generate WiresharkPortable-1.99.paf.exe from all the files
needed to be installed, including all required DLLs, plugins, and supporting files.
To install it, do the following:
Download the latest PortableApps.com Platform release from http://portableapps.com/.
config.nmake uses the Local All Users install location (C:) by default.
Install the following applications in the PortableApps.com environment:
PortableApps.com Installer
PortableApps.com Launcher
NSIS Portable (Unicode)
PortableApps.com AppCompactor
You can find more instructions on using the PortableApps.com Installer in Section 3.11.5, Win32:
PortableApps .paf.exe package.

43

Chapter 5. Library Reference

5.1. Introduction
Several libraries are needed to build and run Wireshark. Most of them are split into three packages:
1. Runtime. System and third party libraries such as MSVCR110.dll and libglib-2.0-0.dll.
2. Developer. Documentation, header files, import libraries, and other files needed for compilation.
3. Source. Library sources, which are usually not required to build Wireshark.

Our libraries are freely available

All libraries required to build Wireshark on Windows are available for
download at http://anonsvn.wireshark.org/wireshark-win32-libs/trunk/packages/ and
http://anonsvn.wireshark.org/wireshark-win64-libs/trunk/packages/. See Section 5.3,
Win32: Automated library download for an easier way to install them.

5.2. Binary library formats

Binary libraries are available in different formats, depending on the C compiler used to build it and
of course the platform they were built for.

5.2.1. Unix
If you have installed unix binary libraries on your system, they will match the C compiler. If not
already installed, the libraries should be available as a package from the platform installer, or you can
download and compile the source and then install the binaries.

5.2.2. Win32: MSVC

Most of the Win32 binary libraries you will find on the web are in this format. You will recognize
MSVC libraries by the .lib/.dll file extension.

5.2.3. Win32: cygwin gcc

Cygwin provides most of the required libraries (with file extension .a or .lib) for Wireshark suitable
for cygwins gcc compiler.

5.3. Win32: Automated library download

5.3.1. Initial download
You can download and install all required libraries by using the setup target of Makefile.nmake from
the source package.

Use the setup target

Its a really good idea to use the Win32 automated library download to install the required
libraries as it makes this download very easy.
Before you start the download, you must have installed both the required tools (see
Chapter 4, Tool Reference) and the Wireshark sources (see Section 3.3, Obtain the
Wireshark sources).

44

Library Reference

By default the libraries will be downloaded and installed into C:\wireshark-win32-libs for x86 builds
and C:\wireshark-win64-libs for x86_64 builds. You can change this to any other location by editing
config.nmake and changing the line containing WIRESHARK_LIB_DIR to your favourite place. You
must use an absolute path.
Then run the command
> nmake -f Makefile.nmake setup

This will first check for all the various tools needed to build Wireshark as described in Section 2.2.10,
Verify installed tools.
Then it will download the zipped libraries (together around 45MB for x86 and 52MB for x64)
from the server location at http://anonsvn.wireshark.org/wireshark-win32-libs/trunk/packages/ into
the directory specified by WIRESHARK_LIB_DIR and install (unzip) all required library files there.
If you have problems downloading the library files, you might be connected to the internet through a
proxy. In this case see the wget proxy comment in Section 4.17, Windows: GNU wget (optional).

5.3.2. Update of a previous download

As new versions of the libraries become available, maybe with bugfixes or some new functionality,
your libraries get outdated.
You could simply remove everything in the WIRESHARK_LIB_DIR dir and call the setup target
again, but that would require a download of every file again, which isnt necessary.
The following will bring your libraries up to date:
Update your Wireshark sources to the latest SVN files (see Section 3.3, Obtain the Wireshark
sources), so the zip filenames in the setup target of Makefile.nmake are in sync with the library
zip files on the server.
Execute the library setup command as described above.
> nmake -f Makefile.nmake setup

Note that this command will automatically do a clean-setup which will remove all files
previously unzipped from the downloaded files in your WIRESHARK_LIB_DIR library path (all
the subdirs, e.g. c:\wireshark-win32-libs\gtk+), except for the zip files located at the toplevel, which
are the files downloaded the last time(s).
Also note that as wget will download only the missing (updated) files, existing zip files in the
WIRESHARK_LIB_DIR dir wont be downloaded again. Remaining (outdated) zip files shouldnt
do any harm.

5.4. GTK+ / GLib / GDK / Pango / ATK / GNU

gettext / GNU libiconv
The Glib library is used as a basic platform abstraction library, its not related to graphical user
interface (GUI) things. For a detailed description about GLib, see Section 7.3, The GLib library.
The GTK and its dependent libraries are used to build Wiresharks GUI. For a detailed description of
the GTK libraries, see Section 11.2, The GTK library.
All other libraries are dependent on the two libraries mentioned above, you will typically not come in
touch with these while doing Wireshark development.
As the requirements for the GLib/GTK libraries have increased in the past, the required additional
libraries depend on the GLib/GTK versions you have. The 2.x versions require all mentioned libs.

45

Library Reference

5.4.1. Unix
The GLib/GTK+ libraries are available for many unix-like platforms and Cygwin.
If these libraries arent already installed and also arent available as a package for your platform, you
can get them at http://www.gtk.org/download.html.

5.4.2. Win32 MSVC

You can get the latest version at http://www.gtk.org/download.html.

5.5. SMI (optional)

LibSMI is used for MIB and PIB parsing and for OID resolution.

5.5.1. Unix
If this library isnt already installed or available as a package for your platform, you can get it at http:
//www.ibr.cs.tu-bs.de/projects/libsmi/.

5.5.2. Win32 MSVC

Wireshark uses the source libSMI distribution at http://www.ibr.cs.tu-bs.de/projects/libsmi/.
LibSMI is cross-compiled using MinGW32. Its stored in the libsmi zip archive at http://
anonsvn.wireshark.org/wireshark-win32-libs/trunk/packages/.

5.6. c-ares (optional)

C-Ares is used for asynchronous DNS resolution. This is the primary name resolution library in
Wireshark.

5.6.1. Unix
If this library isnt already installed or available as a package for your platform, you can get it at http:
//c-ares.haxx.se/.

5.6.2. Win32 MSVC

C-Ares is cross-compiled using MinGW32 and is available at http://anonsvn.wireshark.org/wiresharkwin32-libs/trunk/packages/.

5.7. zlib (optional)

zlib is designed to be a free, general-purpose, legally unencumbered that is, not
covered by any patents lossless data-compression library for use on virtually any
computer hardware and operating system.
The zlib web site http://www.zlib.net/

5.7.1. Unix
This library is almost certain to be installed on your system. If it isnt or you dont want to use the
default library you can download it from http://www.zlib.net/.

46

Library Reference

5.7.2. Win32 MSVC

The zlib sources are downloaded from http://anonsvn.wireshark.org/wireshark-win32-libs/trunk/
packages/ and compiled locally.

5.8. libpcap/WinPcap (optional)

Libpcap and WinPcap provide that packet capture capabilities that are central to Wiresharks core
functionality.

5.8.1. Unix: libpcap

If this library isnt already installed or available as a package for your platform, you can get it at http:
//www.tcpdump.org/.

5.8.2. Win32 MSVC: WinPcap

You can get the "Windows packet capture library" at: http://www.winpcap.org/install/

5.9. GnuTLS (optional)

The GNU Transport Layer Security Library is used to dissect SSL and TLS protocols (aka: HTTPS).

5.9.1. Unix
If this library isnt already installed or available as a package for your platform, you can get it at http:
//www.gnu.org/software/gnutls/download.html.

5.9.2. Win32 MSVC

We provide a package cross-compiled using MinGW32 at http://anonsvn.wireshark.org/wiresharkwin32-libs/trunk/packages/.

5.10. Gcrypt (optional)

The Gcrypt Library is a low-level encryption library that provides support for many ciphers, such as
DES, 3DES, AES, Blowfish, and others..

5.10.1. Unix
If this library isnt already installed or available as a package for your platform, you can get it at http:
//directory.fsf.org/security/libgcrypt.html.

5.10.2. Win32 MSVC

Part of our GnuTLS package.

5.11. Kerberos (optional)

The Kerberos library is used to dissect Kerberos, sealed DCERPC and secureLDAP protocols.

47

Library Reference

5.11.1. Unix
If this library isnt already installed or available as a package for your platform, you can get it at http:
//web.mit.edu/Kerberos/dist/.

5.11.2. Win32 MSVC

We provide a package at http://anonsvn.wireshark.org/wireshark-win32-libs/trunk/packages/.

5.12. LUA (optional)

The LUA library is used to add scripting support to Wireshark.

5.12.1. Unix
If this library isnt already installed or available as a package for your platform, you can get it at http:
//www.lua.org/download.html.

5.12.2. Win32 MSVC

We provide a copy of the official package at http://anonsvn.wireshark.org/wireshark-win32-libs/trunk/
packages/.

5.13. PortAudio (optional)

The PortAudio library enables audio output for RTP streams.

5.13.1. Unix
If this library isnt already installed or available as a package for your platform, you can get it at http:
//www.portaudio.com/download.html.

5.13.2. Win32 MSVC

The PortAudio sources are downloaded from http://anonsvn.wireshark.org/wireshark-win32-libs/
trunk/packages/ and compiled locally.

5.14. GeoIP (optional)

MaxMind Inc. publishes a GeoIP database for use in open source software. It can be used to map IP
addresses to geographical locations.

5.14.1. Unix
If this library isnt already installed or available as a package for your platform, you can get it at http:
//www.maxmind.com/app/c.

5.14.2. Win32 MSVC

We provide a package cross-compiled using MinGW32 at http://anonsvn.wireshark.org/wiresharkwin32-libs/trunk/packages/.

48

Part II. Wireshark Development

Wireshark Development
The second part describes how the Wireshark sources are structured and how to change the sources such as adding
a new dissector.

Chapter 6. How Wireshark Works

6.1. Introduction
This chapter will give you a short overview of how Wireshark works.

6.2. Overview
The following will give you a simplified overview of Wiresharks function blocks:

Figure 6.1. Wireshark function blocks

This image is out of date. It is missing the utility library in wsutil and the Qt UI in ui/qt.
The function blocks in more detail: GTK+ 2:: Handling of all user input/output (all windows, dialogs
and such). Source code can be found in the ui/gtk directory.
Core

Main "glue code" that holds the other blocks together. Source code
can be found in the root directory.

Epan

Ethereal Packet ANalyzer the packet analyzing engine. Source

code can be found in the epan directory. Epan provides the
following APIs:
Protocol Tree. Dissection information for an individual packet.
Dissectors. The various protocol dissectors in epan/dissectors.

50

How Wireshark Works

Dissector Plugins - Support for implementing dissectors as

separate modules. Source code can be found in plugins.
Display Filters - The display filter engine at epan/dfilter.
Wiretap

The wiretap library is used to read and write capture files in libpcap,
pcapng, and many other file formats. Source code is in the wiretap
directory.

Capture

The interface with the capture engine. Source code is in the root
directory.

Dumpcap

The capture engine itself. This is the only part that is to execute with
elevated privileges. Source code is in the root directory.

WinPcap and libpcap

These are separate libraries that provide packet capture and filtering
support on different platforms. The filtering WinPcap and libpcap
works at a much lower level than Wiresharks display filters and
uses a significantly different mechanism. Thats why we have
different display and capture filter syntaxes.

6.3. Capturing packets

Capturing takes packets from a network adapter and saves them to a file on your hard disk.
Since raw network adapter access requires elevated privileges these functions are isolated into the
dumpcap program. Its only this program that needs these privileges, allowing the main part of the
code (dissectors, user interface, etc) to run with normal user privileges.
To hide all the low-level machine dependent details from Wireshark, the libpcap and WinPcap
(see Section 5.8, libpcap/WinPcap (optional)) libraries are used. These libraries provide a general
purpose interface to capture packets and are used by a wide variety of applications.

6.4. Capture Files

Wireshark can read and write capture files in its natural file formats, pcapng and pcap, which are used
by many other network capturing tools, such as tcpdump. In addition to this, as one of its strengths,
Wireshark can read and write files in many different file formats of other network capturing tools.
The wiretap library, developed together with Wireshark, provides a general purpose interface to read
and write all the file formats. If you need to add support for another capture file format this is the
place to start.

6.5. Dissect packets

While Wireshark is loading packets from a file each packet is dissected. Wireshark tries to detect the
packet type and gets as much information from the packet as possible. In this run though, only the
information shown in the packet list pane is needed.
As the user selects a specific packet in the packet list pane this packet will be dissected again. This
time, Wireshark tries to get every single piece of information and put it into the packet details pane.

51

Chapter 7. Introduction
7.1. Source overview
Wireshark consists of the following major parts:
Packet dissection - in the /epan/dissector and /plugin/* directories
File I/O - using Wiresharks own wiretap library
Capture - using the libpcap/winpcap library, in /wiretap
User interface - using the Qt or GTK+ and associated libraries
Utilities - miscellaneous helper code
Help - using an external web browser and GTK text output

7.2. Coding Style

The coding style guides for Wireshark can be found in the "Code style" section of the file doc/
README.developer.

7.3. The GLib library

Glib is used as a basic platform abstraction library. Its doesnt provide any direct GUI functionality.
To quote the Glib Reverence Manual:
GLib provides the core application building blocks for libraries and applications
written in C. It provides the core object system used in GNOME, the main loop
implementation, and a large set of utility functions for strings and common data
structures.
GLib contains lots of useful things for platform independent development. See https://
developer.gnome.org/glib/ for details about GLib.

52

Chapter 8. Packet capturing

This chapter needs to be reviewed and extended.

8.1. How to add a new capture type to libpcap

The following is an updated excerpt from a developer mailing list mail about adding ISO 9141 and
14230 (simple serial line card diagnostics) to Wireshark:
For libpcap, the first thing youd need to do would be to get DLT_* values for all the link-layer
protocols youd need. If ISO 9141 and 14230 use the same link-layer protocol, they might be able to
share a DLT_* value, unless the only way to know what protocols are running above the link layer is to
know which link-layer protocol is being used, in which case you might want separate DLT_* values.
For the rest of the libpcap discussion, Ill assume youre working with libpcap 1.0 or later and that
this is on a UN*X platform. You probably dont want to work with a version older than 1.0, even
if whatever OS youre using happens to include libpcap - older versions are not as friendly towards
adding support for devices other than standard network interfaces.
Then youd probably add to the pcap_open_live() routine, for whatever platform or platforms
this code should work, something such as a check for device names that look like serial port names
and, if the check succeeds, a call to a routine to open the serial port.
See, for example, the #ifdef HAVE_DAG_API code in pcap-linux.c and pcap-bpf.c.
The serial port open routine would open the serial port device, set the baud rate and do anything else
needed to open the device. Itd allocate a pcap_t, set its fd member to the file descriptor for the serial
device, set the snapshot member to the argument passed to the open routine, set the linktype
member to one of the DLT_* values, and set the selectable_fd member to the same value as the
fd member. It should also set the dlt_count member to the number of DLT_* values to support,
and allocate an array of dlt_count u_int+s, assign it to the +dlt_list member,
and fill in that list with all the DLT_* values.
Youd then set the various *_op fields to routines to handle the operations in question. read_op is
the routine thatd read packets from the device. inject_op would be for sending packets; if you
dont care about that, youd set it to a routine that returns an error indication. setfilter_op can
probably just be set to install_bpf_program. set_datalink would just set the linktype
member to the specified value if its one of the values for OBD, otherwise it should return an error.
getnonblock_op can probably be set to pcap_getnonblock_fd. setnonblock_op can
probably be set to pcap_setnonblock_fd. stats_op would be set to a routine that reports
statistics. close_op can probably be set to pcap_close_common.
If theres more than one DLT_* value, you definitely want a set_datalink routine so that the user
can select the appropriate link-layer type.
For Wireshark, youd add support for those DLT_* values to wiretap/libpcap.c, which might mean
adding one or more WTAP_ENCAP types to wtap.h and to the encap_table[] table in wiretap/
wtap.c. Youd then have to write a dissector or dissectors for the link-layer protocols or protocols
and have them register themselves with the wtap_encap dissector table, with the appropriate
WTAP_ENCAP values by calling dissector_add_uint().

53

Chapter 9. Packet dissection

9.1. How it works
Each dissector decodes its part of the protocol, and then hands off decoding to subsequent dissectors
for an encapsulated protocol.
Every dissection starts with the Frame dissector which dissects the packet details of the capture file
itself (e.g. timestamps). From there it passes the data on to the lowest-level data dissector, e.g. the
Ethernet dissector for the Ethernet header. The payload is then passed on to the next dissector (e.g. IP)
and so on. At each stage, details of the packet will be decoded and displayed.
Dissection can be implemented in two possible ways. One is to have a dissector module compiled
into the main program, which means its always available. Another way is to make a plugin (a shared
library or DLL) that registers itself to handle dissection.
There is little difference in having your dissector as either a plugin or built-in. On the Windows
platform you have limited function access through the ABI exposed in libwireshark.def, but that is
mostly complete.
The big plus is that your rebuild cycle for a plugin is much shorter than for a built-in one. So starting
with a plugin makes initial development simpler, while the finished code may make more sense as
a built-in dissector.

Read README.dissector
The file doc/README.dissector contains detailed information about implementing a
dissector. In many cases it is more up to date than this document.

9.2. Adding a basic dissector

Lets step through adding a basic dissector. Well start with the made up "foo" protocol. It consists
of the following basic items.
A packet type - 8 bits, possible values: 1 - initialisation, 2 - terminate, 3 - data.
A set of flags stored in 8 bits, 0x01 - start packet, 0x02 - end packet, 0x04 - priority packet.
A sequence number - 16 bits.
An IPv4 address.

9.2.1. Setting up the dissector

The first decision you need to make is if this dissector will be a built-in dissector, included in the main
program, or a plugin.
Plugins are the easiest to write initially, so lets start with that. With a little care, the plugin can be
made to run as a built-in easily too so we havent lost anything.

Example 9.1. Dissector Initialisation.

#include "config.h"
#include <epan/packet.h>
#define FOO_PORT 1234

54

Packet dissection

static int proto_foo = -1;

void
proto_register_foo(void)
{
proto_foo = proto_register_protocol (
"FOO Protocol", /* name
*/
"FOO",
/* short name */
"foo"
/* abbrev
*/
);
}

Lets go through this a bit at a time. First we have some boilerplate include files. These will be pretty
constant to start with.
Next we have an int that is initialised to -1 that records our protocol. This will get updated when we
register this dissector with the main program. Its good practice to make all variables and functions
that arent exported static to keep name space pollution down. Normally this isnt a problem unless
your dissector gets so big it has to span multiple files.
Then a #define for the UDP port that carries foo traffic.
Now that we have the basics in place to interact with the main program, well start with two protocol
dissector setup functions.
First well call proto_register_protocol() which registers the protocol. We can give it
three names that will be used for display in various places. The full and short name are used in e.g.
the "Preferences" and "Enabled protocols" dialogs as well as the generated field name list in the
documentation. The abbreviation is used as the display filter name.
Next we need a handoff routine.

Example 9.2. Dissector Handoff.

void
proto_reg_handoff_foo(void)
{
static dissector_handle_t foo_handle;
foo_handle = create_dissector_handle(dissect_foo, proto_foo);
dissector_add_uint("udp.port", FOO_PORT, foo_handle);
}

Whats happening here? We are initialising the dissector. First we create a dissector handle; It is
associated with the foo protocol and with a routine to be called to do the actual dissecting. Then we
associate the handle with a UDP port number so that the main program will know to call us when it
gets UDP traffic on that port.
The stardard Wireshark dissector convention is to put proto_register_foo() and
proto_reg_handoff_foo() as the last two functions in the dissector source.
Now at last we get to write some dissecting code. For the moment well leave it as a basic placeholder.

Example 9.3. Dissection.

static void
dissect_foo(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree)
{
col_set_str(pinfo->cinfo, COL_PROTOCOL, "FOO");
/* Clear out stuff in the info column */
col_clear(pinfo->cinfo,COL_INFO);
}

This function is called to dissect the packets presented to it. The packet data is held in a special buffer
referenced here as tvb. We shall become fairly familiar with this as we get deeper into the details of

55

Packet dissection

the protocol. The packet info structure contains general data about the protocol, and we can update
information here. The tree parameter is where the detail dissection takes place.
For now well do the minimum we can get away with. In the first line we set the text of this to our
protocol, so everyone can see its being recognised. The only other thing we do is to clear out any data
in the INFO column if its being displayed.
At this point we should have a basic dissector ready to compile and install. It doesnt do much at
present, other than identify the protocol and label it.
In order to compile this dissector and create a plugin a couple of support files are required, besides
the dissector source in packet-foo.c:
Makefile.am - The UNIX/Linux makefile template.
Makefile.common - Contains the file names of this plugin.
Makefile.nmake - Contains the Wireshark plugin makefile for Windows.
moduleinfo.h - Contains plugin version information.
moduleinfo.nmake - Contains DLL version info for Windows.
packet-foo.c - Your dissector source.
plugin.rc.in - Contains the DLL resource template for Windows.
You can find a good example for these files in the interlink plugin directory. Makefile.common and
Makefile.am have to be modified to reflect the relevant files and dissector name. moduleinfo.h and
moduleinfo.nmake have to be filled in with the version information. Compile the dissector to a DLL
or shared library and copy it into the plugin directory of the installation.

9.2.2. Dissecting the details of the protocol

Now that we have our basic dissector up and running, lets do something with it. The simplest thing to
do to start with is to just label the payload. This will allow us to set up some of the parts we will need.
The first thing we will do is to build a subtree to decode our results into. This helps to keep things
looking nice in the detailed display. Now the dissector is called in two different cases. In one case it
is called to get a summary of the packet, in the other case it is called to look into details of the packet.
These two cases can be distinguished by the tree pointer. If the tree pointer is NULL, then we are
being asked for a summary. If it is non NULL, we can pick apart the protocol for display. So with
that in mind, lets enhance our dissector.

Example 9.4. Plugin Packet Dissection.

static void
dissect_foo(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree)
{
col_set_str(pinfo->cinfo, COL_PROTOCOL, "FOO");
/* Clear out stuff in the info column */
col_clear(pinfo->cinfo,COL_INFO);
if (tree) { /* we are being asked for details */
proto_item *ti = NULL;
ti = proto_tree_add_item(tree, proto_foo, tvb, 0, -1, ENC_NA);
}
}

What were doing here is adding a subtree to the dissection. This subtree will hold all the details of
this protocol and so not clutter up the display when not required.

56

Packet dissection

We are also marking the area of data that is being consumed by this protocol. In our case its all that
has been passed to us, as were assuming this protocol does not encapsulate another. Therefore, we
add the new tree node with proto_tree_add_item(), adding it to the passed in tree, label it with
the protocol, use the passed in tvb buffer as the data, and consume from 0 to the end (-1) of this data.
ENC_NA ("not applicable") is specified as the "encoding" parameter.
After this change, there should be a label in the detailed display for the protocol, and selecting this
will highlight the remaining contents of the packet.
Now lets go to the next step and add some protocol dissection. For this step well need
to construct a couple of tables that help with dissection. This needs some additions to the
proto_register_foo() function shown previously.
Two statically allocated arrays are added at the beginning of proto_register_foo(). The arrays
are then registered after the call to proto_register_protocol().

Example 9.5. Registering data structures.

void
proto_register_foo(void)
{
static hf_register_info hf[] = {
{ &hf_foo_pdu_type,
{ "FOO PDU Type", "foo.type",
FT_UINT8, BASE_DEC,
NULL, 0x0,
NULL, HFILL }
}
};
/* Setup protocol subtree array */
static gint *ett[] = {
&ett_foo
};
proto_foo = proto_register_protocol (
"FOO Protocol", /* name
*/
"FOO",
/* short name */
"foo"
/* abbrev
*/
);
proto_register_field_array(proto_foo, hf, array_length(hf));
proto_register_subtree_array(ett, array_length(ett));
}

The variables hf_foo_pdu_type and ett_foo also need to be declared somewhere near the top
of the file.

Example 9.6. Dissector data structure globals.

static int hf_foo_pdu_type = -1;
static gint ett_foo = -1;

Now we can enhance the protocol display with some detail.

Example 9.7. Dissector starting to dissect the packets.

if (tree) { /* we are being asked for details */
proto_item *ti = NULL;
proto_tree *foo_tree = NULL;
ti = proto_tree_add_item(tree, proto_foo, tvb, 0, -1, ENC_NA);
foo_tree = proto_item_add_subtree(ti, ett_foo);
proto_tree_add_item(foo_tree, hf_foo_pdu_type, tvb, 0, 1, ENC_BIG_ENDIAN);
}

57

Packet dissection

Now the dissection is starting to look more interesting. We have picked apart our first bit of the
protocol. One byte of data at the start of the packet that defines the packet type for foo protocol.
The proto_item_add_subtree() call has added a child node to the protocol tree which is
where we will do our detail dissection. The expansion of this node is controlled by the ett_foo
variable. This remembers if the node should be expanded or not as you move between packets.
All subsequent dissection will be added to this tree, as you can see from the next call. A call to
proto_tree_add_item() in the foo_tree, this time using the hf_foo_pdu_type to control
the formatting of the item. The pdu type is one byte of data, starting at 0. We assume it is in network
order (also called big endian), so that is why we use ENC_BIG_ENDIAN. For a 1-byte quantity, there
is no order issue, but it is good practice to make this the same as any multibyte fields that may be
present, and as we will see in the next section, this particular protocol uses network order.
If we look in detail at the hf_foo_pdu_type declaration in the static array we can see the details
of the definition.
hf_foo_pdu_type - The index for this node.
FOO PDU Type - The label for this item.
foo.type - This is the filter string. It enables us to type constructs such as foo.type=1 into the
filter box.
FT_UINT8 - This specifies this item is an 8bit unsigned integer. This tallies with our call above
where we tell it to only look at one byte.
BASE_DEC - Tor an integer type, this tells it to be printed as a decimal number. It could be
hexdecimal (BASE_HEX) or octal (BASE_OCT) if that made more sense.
Well ignore the rest of the structure for now.
If you install this plugin and try it out, youll see something that begins to look useful.
Now lets finish off dissecting the simple protocol. We need to add a few more variables to the hfarray,
and a couple more procedure calls.

Example 9.8. Wrapping up the packet dissection.

...
static int hf_foo_flags = -1;
static int hf_foo_sequenceno = -1;
static int hf_foo_initialip = -1;
...
static void
dissect_foo(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree)
{
gint offset = 0;
...
if (tree) { /* we are being asked for details */
proto_item *ti = NULL;
proto_tree *foo_tree = NULL;
ti = proto_tree_add_item(tree, proto_foo, tvb, 0, -1, ENC_NA);
foo_tree = proto_item_add_subtree(ti, ett_foo);
proto_tree_add_item(foo_tree, hf_foo_pdu_type, tvb, offset, 1, ENC_BIG_ENDIAN);
offset += 1;
proto_tree_add_item(foo_tree, hf_foo_flags, tvb, offset, 1, ENC_BIG_ENDIAN);
offset += 1;
proto_tree_add_item(foo_tree, hf_foo_sequenceno, tvb, offset, 2, ENC_BIG_ENDIAN);
offset += 2;
proto_tree_add_item(foo_tree, hf_foo_initialip, tvb, offset, 4, ENC_BIG_ENDIAN);
offset += 4;
}

58

Packet dissection

...
}
void
proto_register_foo(void) {
...
...
{ &hf_foo_flags,
{ "FOO PDU Flags", "foo.flags",
FT_UINT8, BASE_HEX,
NULL, 0x0,
NULL, HFILL }
},
{ &hf_foo_sequenceno,
{ "FOO PDU Sequence Number", "foo.seqn",
FT_UINT16, BASE_DEC,
NULL, 0x0,
NULL, HFILL }
},
{ &hf_foo_initialip,
{ "FOO PDU Initial IP", "foo.initialip",
FT_IPv4, BASE_NONE,
NULL, 0x0,
NULL, HFILL }
},
...
...
}
...

This dissects all the bits of this simple hypothetical protocol. Weve introduced a new variable
offsetinto the mix to help keep track of where we are in the packet dissection. With these extra bits
in place, the whole protocol is now dissected.

9.2.3. Improving the dissection information

We can certainly improve the display of the protocol with a bit of extra data. The first step is to add
some text labels. Lets start by labeling the packet types. There is some useful support for this sort of
thing by adding a couple of extra things. First we add a simple table of type to name.

Example 9.9. Naming the packet types.

static const value_string packettypenames[] = {
{ 1, "Initialise" },
{ 2, "Terminate" },
{ 3, "Data" },
{ 0, NULL }
};

This is a handy data structure that can be used to look up a name for a value. There are routines to
directly access this lookup table, but we dont need to do that, as the support code already has that
added in. We just have to give these details to the appropriate part of the data, using the VALS macro.

Example 9.10. Adding Names to the protocol.

{ &hf_foo_pdu_type,
{ "FOO PDU Type", "foo.type",
FT_UINT8, BASE_DEC,
VALS(packettypenames), 0x0,
NULL, HFILL }
}

This helps in deciphering the packets, and we can do a similar thing for the flags structure. For this
we need to add some more data to the table though.

Example 9.11. Adding Flags to the protocol.

#define FOO_START_FLAG 0x01

59

Packet dissection

#define FOO_END_FLAG
#define FOO_PRIORITY_FLAG

0x02
0x04

static int hf_foo_startflag = -1;

static int hf_foo_endflag = -1;
static int hf_foo_priorityflag = -1;
static void
dissect_foo(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree)
{
...
...
proto_tree_add_item(foo_tree, hf_foo_flags, tvb, offset, 1, ENC_BIG_ENDIAN);
proto_tree_add_item(foo_tree, hf_foo_startflag, tvb, offset, 1, ENC_BIG_ENDIAN);
proto_tree_add_item(foo_tree, hf_foo_endflag, tvb, offset, 1, ENC_BIG_ENDIAN);
proto_tree_add_item(foo_tree, hf_foo_priorityflag, tvb, offset, 1, ENC_BIG_ENDIAN);
offset += 1;
...
...
}
void
proto_register_foo(void) {
...
...
{ &hf_foo_startflag,
{ "FOO PDU Start Flags", "foo.flags.start",
FT_BOOLEAN, 8,
NULL, FOO_START_FLAG,
NULL, HFILL }
},
{ &hf_foo_endflag,
{ "FOO PDU End Flags", "foo.flags.end",
FT_BOOLEAN, 8,
NULL, FOO_END_FLAG,
NULL, HFILL }
},
{ &hf_foo_priorityflag,
{ "FOO PDU Priority Flags", "foo.flags.priority",
FT_BOOLEAN, 8,
NULL, FOO_PRIORITY_FLAG,
NULL, HFILL }
},
...
...
}
...

Some things to note here. For the flags, as each bit is a different flag, we use the type FT_BOOLEAN,
as the flag is either on or off. Second, we include the flag mask in the 7th field of the data, which
allows the system to mask the relevant bit. Weve also changed the 5th field to 8, to indicate that we
are looking at an 8 bit quantity when the flags are extracted. Then finally we add the extra constructs
to the dissection routine. Note we keep the same offset for each of the flags.
This is starting to look fairly full featured now, but there are a couple of other things we can do to make
things look even more pretty. At the moment our dissection shows the packets as "Foo Protocol" which
whilst correct is a little uninformative. We can enhance this by adding a little more detail. First, lets get
hold of the actual value of the protocol type. We can use the handy function tvb_get_guint8()
to do this. With this value in hand, there are a couple of things we can do. First we can set the INFO
column of the non-detailed view to show what sort of PDU it is - which is extremely helpful when
looking at protocol traces. Second, we can also display this information in the dissection window.

Example 9.12. Enhancing the display.

static void
dissect_foo(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree)
{
guint8 packet_type = tvb_get_guint8(tvb, 0);

60

Packet dissection

col_set_str(pinfo->cinfo, COL_PROTOCOL, "FOO");

/* Clear out stuff in the info column */
col_clear(pinfo->cinfo,COL_INFO);
col_add_fstr(pinfo->cinfo, COL_INFO, "Type %s",
val_to_str(packet_type, packettypenames, "Unknown (0x%02x)"));
if (tree) { /* we are being asked for details */
proto_item *ti = NULL;
proto_tree *foo_tree = NULL;
gint offset = 0;
ti = proto_tree_add_item(tree, proto_foo, tvb, 0, -1, ENC_NA);
proto_item_append_text(ti, ", Type %s",
val_to_str(packet_type, packettypenames, "Unknown (0x%02x)"));
foo_tree = proto_item_add_subtree(ti, ett_foo);
proto_tree_add_item(foo_tree, hf_foo_pdu_type, tvb, offset, 1, ENC_BIG_ENDIAN);
offset += 1;
}
}

So here, after grabbing the value of the first 8 bits, we use it with one of the built-in utility routines
val_to_str(), to lookup the value. If the value isnt found we provide a fallback which just prints
the value in hex. We use this twice, once in the INFO field of the columns if its displayed, and
similarly we append this data to the base of our dissecting tree.

9.3. How to handle transformed data

Some protocols do clever things with data. They might possibly encrypt the data, or compress data,
or part of it. If you know how these steps are taken it is possible to reverse them within the dissector.
As encryption can be tricky, lets consider the case of compression. These techniques can also work
for other transformations of data, where some step is required before the data can be examined.
What basically needs to happen here, is to identify the data that needs conversion, take that data and
transform it into a new stream, and then call a dissector on it. Often this needs to be done "on-the-fly"
based on clues in the packet. Sometimes this needs to be used in conjunction with other techniques,
such as packet reassembly. The following shows a technique to achieve this effect.

Example 9.13. Decompressing data packets for dissection.

guint8 flags = tvb_get_guint8(tvb, offset);
offset ++;
if (flags & FLAG_COMPRESSED) { /* the remainder of the packet is compressed */
guint16 orig_size = tvb_get_ntohs(tvb, offset);
guchar *decompressed_buffer = (guchar*)g_malloc(orig_size);
offset += 2;
decompress_packet(tvb_get_ptr(tvb, offset, -1),
tvb_length_remaining(tvb, offset),
decompressed_buffer, orig_size);
/* Now re-setup the tvb buffer to have the new data */
next_tvb = tvb_new_child_real_data(tvb, decompressed_buffer, orig_size, orig_size);
tvb_set_free_cb(next_tvb, g_free);
add_new_data_source(pinfo, next_tvb, "Decompressed Data");
} else {
next_tvb = tvb_new_subset_remaining(tvb, offset);
}
offset = 0;
/* process next_tvb from here on */

The first steps here are to recognise the compression. In this case a flag byte alerts us to the fact the
remainder of the packet is compressed. Next we retrieve the original size of the packet, which in this
case is conveniently within the protocol. If its not, it may be part of the compression routine to work
it out for you, in which case the logic would be different.
So armed with the size, a buffer is allocated to receive the uncompressed data using g_malloc(),
and the packet is decompressed into it. The tvb_get_ptr() function is useful to get a pointer to

61

Packet dissection

the raw data of the packet from the offset onwards. In this case the decompression routine also needs
to know the length, which is given by the tvb_length_remaining() function.
Next we build a new tvb buffer from this data, using the tvb_new_child_real_data() call.
This data is a child of our original data, so calling this function also acknowledges that. One
procedural step is to add a callback handler to free the data when its no longer needed via a call to
tvb_set_free_cb(). In this case g_malloc() was used to allocate the memory, so g_free()
is the appropriate callback function. Finally we add this tvb as a new data source, so that the detailed
display can show the decompressed bytes as well as the original.
After this has been set up the remainder of the dissector can dissect the buffer next_tvb, as its a new
buffer the offset needs to be 0 as we start again from the beginning of this buffer. To make the rest of
the dissector work regardless of whether compression was involved or not, in the case that compression
was not signaled, we use tvb_new_subset_remaining() to deliver us a new buffer based on
the old one but starting at the current offset, and extending to the end. This makes dissecting the packet
from this point on exactly the same regardless of compression.

9.4. How to reassemble split packets

Some protocols have times when they have to split a large packet across multiple other packets. In this
case the dissection cant be carried out correctly until you have all the data. The first packet doesnt
have enough data, and the subsequent packets dont have the expect format. To dissect these packets
you need to wait until all the parts have arrived and then start the dissection.

9.4.1. How to reassemble split UDP packets

As an example, lets examine a protocol that is layered on top of UDP that splits up its own data
stream. If a packet is bigger than some given size, it will be split into chunks, and somehow signaled
within its protocol.
To deal with such streams, we need several things to trigger from. We need to know that this packet
is part of a multi-packet sequence. We need to know how many packets are in the sequence. We also
need to know when we have all the packets.
For this example well assume there is a simple in-protocol signaling mechanism to give details. A
flag byte that signals the presence of a multi-packet sequence and also the last packet, followed by an
ID of the sequence and a packet sequence number.
msg_pkt ::= SEQUENCE {
.....
flags ::= SEQUENCE {
fragment
BOOLEAN,
last_fragment
BOOLEAN,
.....
}
msg_id INTEGER(0..65535),
frag_id INTEGER(0..65535),
.....
}

Example 9.14. Reassembling fragments - Part 1

#include <epan/reassemble.h>
...
save_fragmented = pinfo->fragmented;
flags = tvb_get_guint8(tvb, offset); offset++;
if (flags & FL_FRAGMENT) { /* fragmented */
tvbuff_t* new_tvb = NULL;
fragment_data *frag_msg = NULL;
guint16 msg_seqid = tvb_get_ntohs(tvb, offset); offset += 2;
guint16 msg_num = tvb_get_ntohs(tvb, offset); offset += 2;

62

Packet dissection

pinfo->fragmented = TRUE;
frag_msg = fragment_add_seq_check(tvb, offset, pinfo,
msg_seqid, /* ID for fragments belonging together */
msg_fragment_table, /* list of message fragments */
msg_reassembled_table, /* list of reassembled messages */
msg_num, /* fragment sequence number */
tvb_length_remaining(tvb, offset), /* fragment length - to the end */
flags & FL_FRAG_LAST); /* More fragments? */

We start by saving the fragmented state of this packet, so we can restore it later. Next comes some
protocol specific stuff, to dig the fragment data out of the stream if its present. Having decided it is
present, we let the function fragment_add_seq_check() do its work. We need to provide this
with a certain amount of data.
The tvb buffer we are dissecting.
The offset where the partial packet starts.
The provided packet info.
The sequence number of the fragment stream. There may be several streams of fragments in flight,
and this is used to key the relevant one to be used for reassembly.
The msg_fragment_table and the msg_reassembled_table are variables we need to
declare. Well consider these in detail later.
msg_num is the packet number within the sequence.
The length here is specified as the rest of the tvb as we want the rest of the packet data.
Finally a parameter that signals if this is the last fragment or not. This might be a flag as in this
case, or there may be a counter in the protocol.

Example 9.15. Reassembling fragments part 2

new_tvb = process_reassembled_data(tvb, offset, pinfo,
"Reassembled Message", frag_msg, &msg_frag_items,
NULL, msg_tree);
if (frag_msg) { /* Reassembled */
col_append_str(pinfo->cinfo, COL_INFO,
" (Message Reassembled)");
} else { /* Not last packet of reassembled Short Message */
col_append_fstr(pinfo->cinfo, COL_INFO,
" (Message fragment %u)", msg_num);
}
if (new_tvb) { /* take it all */
next_tvb = new_tvb;
} else { /* make a new subset */
next_tvb = tvb_new_subset(tvb, offset, -1, -1);
}
}
else { /* Not fragmented */
next_tvb = tvb_new_subset(tvb, offset, -1, -1);
}
.....
pinfo->fragmented = save_fragmented;

Having passed the fragment data to the reassembly handler, we can now check if we have the whole
message. If there is enough information, this routine will return the newly reassembled data buffer.
After that, we add a couple of informative messages to the display to show that this is part of a sequence.
Then a bit of manipulation of the buffers and the dissection can proceed. Normally you will probably
not bother dissecting further unless the fragments have been reassembled as there wont be much to
find. Sometimes the first packet in the sequence can be partially decoded though if you wish.

63

Packet dissection

Now the mysterious data we passed into the fragment_add_seq_check().

Example 9.16. Reassembling fragments - Initialisation

static GHashTable *msg_fragment_table = NULL;
static GHashTable *msg_reassembled_table = NULL;
static void
msg_init_protocol(void)
{
fragment_table_init(&msg_fragment_table);
reassembled_table_init(&msg_reassembled_table);
}

First a couple of hash tables are declared, and these are initialised in the protocol initialisation routine.
Following that, a fragment_items structure is allocated and filled in with a series of ett items, hf
data items, and a string tag. The ett and hf values should be included in the relevant tables like all the
other variables your protocol may use. The hf variables need to be placed in the structure something
like the following. Of course the names may need to be adjusted.

Example 9.17. Reassembling fragments - Data

...
static int hf_msg_fragments = -1;
static int hf_msg_fragment = -1;
static int hf_msg_fragment_overlap = -1;
static int hf_msg_fragment_overlap_conflicts = -1;
static int hf_msg_fragment_multiple_tails = -1;
static int hf_msg_fragment_too_long_fragment = -1;
static int hf_msg_fragment_error = -1;
static int hf_msg_fragment_count = -1;
static int hf_msg_reassembled_in = -1;
static int hf_msg_reassembled_length = -1;
...
static gint ett_msg_fragment = -1;
static gint ett_msg_fragments = -1;
...
static const fragment_items msg_frag_items = {
/* Fragment subtrees */
&ett_msg_fragment,
&ett_msg_fragments,
/* Fragment fields */
&hf_msg_fragments,
&hf_msg_fragment,
&hf_msg_fragment_overlap,
&hf_msg_fragment_overlap_conflicts,
&hf_msg_fragment_multiple_tails,
&hf_msg_fragment_too_long_fragment,
&hf_msg_fragment_error,
&hf_msg_fragment_count,
/* Reassembled in field */
&hf_msg_reassembled_in,
/* Reassembled length field */
&hf_msg_reassembled_length,
/* Tag */
"Message fragments"
};
...
static hf_register_info hf[] =
{
...
{&hf_msg_fragments,
{"Message fragments", "msg.fragments",
FT_NONE, BASE_NONE, NULL, 0x00, NULL, HFILL } },
{&hf_msg_fragment,
{"Message fragment", "msg.fragment",
FT_FRAMENUM, BASE_NONE, NULL, 0x00, NULL, HFILL } },
{&hf_msg_fragment_overlap,
{"Message fragment overlap", "msg.fragment.overlap",
FT_BOOLEAN, 0, NULL, 0x00, NULL, HFILL } },

64

Packet dissection

{&hf_msg_fragment_overlap_conflicts,
{"Message fragment overlapping with conflicting data",
"msg.fragment.overlap.conflicts",
FT_BOOLEAN, 0, NULL, 0x00, NULL, HFILL } },
{&hf_msg_fragment_multiple_tails,
{"Message has multiple tail fragments",
"msg.fragment.multiple_tails",
FT_BOOLEAN, 0, NULL, 0x00, NULL, HFILL } },
{&hf_msg_fragment_too_long_fragment,
{"Message fragment too long", "msg.fragment.too_long_fragment",
FT_BOOLEAN, 0, NULL, 0x00, NULL, HFILL } },
{&hf_msg_fragment_error,
{"Message defragmentation error", "msg.fragment.error",
FT_FRAMENUM, BASE_NONE, NULL, 0x00, NULL, HFILL } },
{&hf_msg_fragment_count,
{"Message fragment count", "msg.fragment.count",
FT_UINT32, BASE_DEC, NULL, 0x00, NULL, HFILL } },
{&hf_msg_reassembled_in,
{"Reassembled in", "msg.reassembled.in",
FT_FRAMENUM, BASE_NONE, NULL, 0x00, NULL, HFILL } },
{&hf_msg_reassembled_length,
{"Reassembled length", "msg.reassembled.length",
FT_UINT32, BASE_DEC, NULL, 0x00, NULL, HFILL } },
...
static gint *ett[] =
{
...
&ett_msg_fragment,
&ett_msg_fragments
...

These hf variables are used internally within the reassembly routines to make useful links, and to add
data to the dissection. It produces links from one packet to another, such as a partial packet having a
link to the fully reassembled packet. Likewise there are back pointers to the individual packets from
the reassembled one. The other variables are used for flagging up errors.

9.4.2. How to reassemble split TCP Packets

A dissector gets a tvbuff_t pointer which holds the payload of a TCP packet. This payload contains
the header and data of your application layer protocol.
When dissecting an application layer protocol you cannot assume that each TCP packet contains
exactly one application layer message. One application layer message can be split into several TCP
packets.
You also cannot assume that a TCP packet contains only one application layer message and that the
message header is at the start of your TCP payload. More than one messages can be transmitted in one
TCP packet, so that a message can start at an arbitrary position.
This sounds complicated, but there is a simple solution. tcp_dissect_pdus() does all this tcp
packet reassembling for you. This function is implemented in epan/dissectors/packet-tcp.h.

Example 9.18. Reassembling TCP fragments

#include "config.h"
#include <epan/packet.h>
#include <epan/prefs.h>
#include "packet-tcp.h"
...
#define FRAME_HEADER_LEN 8
/* This method dissects fully reassembled messages */
static int dissect_foo_message(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, void* data _U_)
{

65

Packet dissection

/* TODO: implement your dissecting code */

return tvb_length(tvb);
}
/* determine PDU length of protocol foo */
static guint get_foo_message_len(packet_info *pinfo, tvbuff_t *tvb, int offset)
{
/* TODO: change this to your needs */
return (guint)tvb_get_ntohl(tvb, offset+4); /* e.g. length is at offset 4 */
}
/* The main dissecting routine */
static int dissect_foo(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, void* data)
{
tcp_dissect_pdus(tvb, pinfo, tree, TRUE, FRAME_HEADER_LEN,
get_foo_message_len, dissect_foo_message, data);
return tvb_length(tvb);
}
...

As you can see this is really simple. Just call tcp_dissect_pdus() in your main dissection
routine and move you message parsing code into another function. This function gets called whenever
a message has been reassembled.
The parameters tvb, pinfo, treeand dataare just handed over to tcp_dissect_pdus(). The 4th
parameter is a flag to indicate if the data should be reassembled or not. This could be set according
to a dissector preference as well. Parameter 5 indicates how much data has at least to be available to
be able to determine the length of the foo message. Parameter 6 is a function pointer to a method that
returns this length. It gets called when at least the number of bytes given in the previous parameter is
available. Parameter 7 is a function pointer to your real message dissector. Parameter 8 is a the data
passed in from parent dissector.

9.5. How to tap protocols

Adding a Tap interface to a protocol allows it to do some useful things. In particular you can produce
protocol statistics from the tap interface.
A tap is basically a way of allowing other items to see whats happening as a protocol is dissected. A
tap is registered with the main program, and then called on each dissection. Some arbitrary protocol
specific data is provided with the routine that can be used.
To create a tap, you first need to register a tap. A tap is registered with an integer handle, and registered
with the routine register_tap(). This takes a string name with which to find it again.

Example 9.19. Initialising a tap

#include <epan/packet.h>
#include <epan/tap.h>
static int foo_tap = -1;
struct FooTap {
gint packet_type;
gint priority;
...
};
void proto_register_foo(void)
{
...
foo_tap = register_tap("foo");

Whilst you can program a tap without protocol specific data, it is generally not very useful. Therefore
its a good idea to declare a structure that can be passed through the tap. This needs to be a static

66

Packet dissection

structure as it will be used after the dissection routine has returned. Its generally best to pick out some
generic parts of the protocol you are dissecting into the tap data. A packet type, a priority or a status
code maybe. The structure really needs to be included in a header file so that it can be included by
other components that want to listen in to the tap.
Once you have these defined, its simply a case of populating the protocol specific structure and then
calling tap_queue_packet, probably as the last part of the dissector.

Example 9.20. Calling a protocol tap

void dissect_foo(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree)
{
...
fooinfo = wmem_alloc(wmem_packet_scope(), sizeof(struct FooTap));
fooinfo->packet_type = tvb_get_guint8(tvb, 0);
fooinfo->priority = tvb_get_ntohs(tvb, 8);
...
tap_queue_packet(foo_tap, pinfo, fooinfo);
}

This now enables those interested parties to listen in on the details of this protocol conversation.

9.6. How to produce protocol stats

Given that you have a tap interface for the protocol, you can use this to produce some interesting
statistics (well presumably interesting!) from protocol traces.
This can be done in a separate plugin, or in the same plugin that is doing the dissection. The latter
scheme is better, as the tap and stats module typically rely on sharing protocol specific data, which
might get out of step between two different plugins.
Here is a mechanism to produce statistics from the above TAP interface.

Example 9.21. Initialising a stats interface

/* register all http trees */
static void register_foo_stat_trees(void) {
stats_tree_register("foo", "foo", "Foo/Packet Types",
foo_stats_tree_packet, foo_stats_tree_init, NULL);
}
WS_DLL_PUBLIC_DEF const gchar version[] = "0.0";
WS_DLL_PUBLIC_DEF void plugin_register_tap_listener(void)
{
register_foo_stat_trees();
}
#endif

Working from the bottom up, first the plugin interface entry point is defined,
plugin_register_tap_listener(). This simply calls the initialisation function
register_foo_stat_trees().
This in turn calls the stats_tree_register() function, which takes three strings, and three
functions.
1. This is the tap name that is registered.
2. An abbreviation of the stats name.
3. The name of the stats module. A '/' character can be used to make sub menus.
4. The function that will called to generate the stats.

67

Packet dissection

5. A function that can be called to initialise the stats data.

6. A function that will be called to clean up the stats data.
In this case we only need the first two functions, as there is nothing specific to clean up.

Example 9.22. Initialising a stats session

static
static
static
static

const guint8* st_str_packets = "Total Packets";

const guint8* st_str_packet_types = "FOO Packet Types";
int st_node_packets = -1;
int st_node_packet_types = -1;

static void foo_stats_tree_init(stats_tree* st)

{
st_node_packets = stats_tree_create_node(st, st_str_packets, 0, TRUE);
st_node_packet_types = stats_tree_create_pivot(st, st_str_packet_types, st_node_packets);
}

In this case we create a new tree node, to handle the total packets, and as a child of that we create a
pivot table to handle the stats about different packet types.

Example 9.23. Generating the stats

static int foo_stats_tree_packet(stats_tree* st, packet_info* pinfo, epan_dissect_t* edt, const void
{
struct FooTap *pi = (struct FooTap *)p;
tick_stat_node(st, st_str_packets, 0, FALSE);
stats_tree_tick_pivot(st, st_node_packet_types,
val_to_str(pi->packet_type, msgtypevalues, "Unknown packet type (%d)"));
return 1;
}

In this case the processing of the stats is quite simple. First we call the tick_stat_node for the
st_str_packets packet node, to count packets. Then a call to stats_tree_tick_pivot()
on the st_node_packet_types subtree allows us to record statistics by packet type.

9.7. How to use conversations

Some info about how to use conversations in a dissector can be found in the file doc/
README.dissector, chapter 2.2.

9.8. idl2wrs: Creating dissectors from

CORBA IDL files
Many of Wiresharks dissectors are automatically generated. This section shows how to generate one
from a CORBA IDL file.

9.8.1. What is it?

As you have probably guessed from the name, idl2wrs takes a user specified IDL file and attempts
to build a dissector that can decode the IDL traffic over GIOP. The resulting file is C code, that
should compile okay as a Wireshark dissector.
idl2wrs parses the data struct given to it by the omniidl compiler, and using the GIOP API
available in packet-giop.[ch], generates get_CDR_xxx calls to decode the CORBA traffic on the wire.
It consists of 4 main files.
README.idl2wrs

This document

68

Packet dissection

wireshark_be.py

The main compiler backend

wireshark_gen.py

A helper class, that generates the C code.

idl2wrs

A simple shell script wrapper that the end user should use to generate
the dissector from the IDL file(s).

9.8.2. Why do this?

It is important to understand what CORBA traffic looks like over GIOP/IIOP, and to help build a tool
that can assist in troubleshooting CORBA interworking. This was especially the case after seeing a
lot of discussions about how particular IDL types are represented inside an octet stream.
I have also had comments/feedback that this tool would be good for say a CORBA class when teaching
students what CORBA traffic looks like on the wire.
It is also COOL to work on a great Open Source project such as the case with Wireshark (https://
www.wireshark.org/ )

9.8.3. How to use idl2wrs

To use the idl2wrs to generate Wireshark dissectors, you need the following:
Python must be installed. See http://python.org/
omniidl from the omniORB package must be available. See http://omniorb.sourceforge.net/
Of course you need Wireshark installed to compile the code and tweak it if required. idl2wrs is part
of the standard Wireshark distribution
To use idl2wrs to generate an Wireshark dissector from an idl file use the following procedure:
To write the C code to stdout.
$ idl2wrs <your_file.idl>

e.g.:
$ idl2wrs echo.idl

To write to a file, just redirect the output.

$ idl2wrs echo.idl > packet-test-idl.c

You may wish to comment out the register_giop_user_module() code and that will leave you with
heuristic dissection.
If you dont want to use the shell script wrapper, then try steps 3 or 4 instead.
To write the C code to stdout.
$ omniidl

-p ./ -b wireshark_be <your file.idl>

e.g.:
$ omniidl

-p ./ -b wireshark_be echo.idl

To write to a file, just redirect the output.

$ omniidl

-p ./ -b wireshark_be echo.idl > packet-test-idl.c

You may wish to comment out the register_giop_user_module() code and that will leave you with
heuristic dissection.
69

Packet dissection

Copy the resulting C code to subdirectory epan/dissectors/ inside your Wireshark source directory.
$ cp packet-test-idl.c /dir/where/wireshark/lives/epan/dissectors/

The new dissector has to be added to Makefile.common in the same directory. Look for the
declaration CLEAN_DISSECTOR_SRC and add the new dissector there. For example,
CLEAN_DISSECTOR_SRC = \
packet-2dparityfec.c
packet-3com-njack.c
...

\
\

becomes
CLEAN_DISSECTOR_SRC = \
packet-test-idl.c
packet-2dparityfec.c
packet-3com-njack.c
...

\
\
\

For the next steps, go up to the top of your Wireshark source directory.
Run configure
$ ./configure (or ./autogen.sh)

Compile the code

$ make

Good Luck !!

9.8.4. TODO
Exception code not generated (yet), but can be added manually.
Enums not converted to symbolic values (yet), but can be added manually.
Add command line options etc
More I am sure :-)

9.8.5. Limitations
See the TODO list inside packet-giop.c

9.8.6. Notes
The -p ./ option passed to omniidl indicates that the wireshark_be.py and wireshark_gen.py are
residing in the current directory. This may need tweaking if you place these files somewhere else.
If it complains about being unable to find some modules (e.g. tempfile.py), you may want to check if
PYTHONPATH is set correctly. On my Linux box, it is PYTHONPATH=/usr/lib/python2.4/

70

Chapter 10. Lua Support in Wireshark

10.1. Introduction
Wireshark has an embedded Lua interpreter. Lua is a powerful light-weight programming language
designed for extending applications. Lua is designed and implemented by a team at PUC-Rio, the
Pontifical Catholic University of Rio de Janeiro in Brazil. Lua was born and raised at Tecgraf, the
Computer Graphics Technology Group of PUC-Rio, and is now housed at Lua.org. Both Tecgraf and
Lua.org are laboratories of the Department of Computer Science.
In Wireshark Lua can be used to write dissectors, taps, and capture file readers and writers.
Wiresharks Lua interpreter starts by loading init.lua that is located in the global configuration
directory of Wireshark. Lua is enabled by default. To disable Lua the line variable disable_lua should
be set to true in init.lua.
After loading init.lua from the data directory if Lua is enabled Wireshark will try to load a file named
init.lua in the users directory.
Wireshark will also load all files with .lua suffix from both the global and the personal plugins
directory.
The command line option -X lua_script:file.lua can be used to load Lua scripts as well.
The Lua code will be executed once after all the protocol dissectors have being initialized and before
reading any file.

10.2. Example of Dissector written in Lua

local p_multi = Proto("multi","MultiProto");
local vs_protos = {
[2] = "mtp2",
[3] = "mtp3",
[4] = "alcap",
[5] = "h248",
[6] = "ranap",
[7] = "rnsap",
[8] = "nbap"
}

local f_proto = ProtoField.uint8("multi.protocol","Protocol",base.DEC,vs_protos)

local f_dir = ProtoField.uint8("multi.direction","Direction",base.DEC,{ [1] = "incoming", [0] = "out
local f_text = ProtoField.string("multi.text","Text")
p_multi.fields = { f_proto, f_dir, f_text }
local data_dis = Dissector.get("data")
local protos = {
[2] = Dissector.get("mtp2"),
[3] = Dissector.get("mtp3"),
[4] = Dissector.get("alcap"),
[5] = Dissector.get("h248"),
[6] = Dissector.get("ranap"),
[7] = Dissector.get("rnsap"),
[8] = Dissector.get("nbap"),
[9] = Dissector.get("rrc"),
[10] = DissectorTable.get("sctp.ppi"):get_dissector(3), -- m3ua
[11] = DissectorTable.get("ip.proto"):get_dissector(132), -- sctp
}
function p_multi.dissector(buf,pkt,root)

71

Lua Support in Wireshark

local t = root:add(p_multi,buf(0,2))
t:add(f_proto,buf(0,1))
t:add(f_dir,buf(1,1))
local proto_id = buf(0,1):uint()
local dissector = protos[proto_id]
if dissector ~= nil then
dissector:call(buf(2):tvb(),pkt,root)
elseif proto_id < 2 then
t:add(f_text,buf(2))
-- pkt.cols.info:set(buf(2,buf:len() - 3):string())
else
data_dis:call(buf(2):tvb(),pkt,root)
end
end
local wtap_encap_table = DissectorTable.get("wtap_encap")
local udp_encap_table = DissectorTable.get("udp.port")
wtap_encap_table:add(wtap.USER15,p_multi)
wtap_encap_table:add(wtap.USER12,p_multi)
udp_encap_table:add(7555,p_multi)

10.3. Example of Listener written in Lua

-- This program will register a menu that will open a window with a count of occurrences
-- of every address in the capture
local function menuable_tap()
-- Declare the window we will use
local tw = TextWindow.new("Address Counter")
-- This will contain a hash of counters of appearances of a certain address
local ips = {}
-- this is our tap
local tap = Listener.new();
function remove()
-- this way we remove the listener that otherwise will remain running indefinitely
tap:remove();
end
-- we tell the window to call the remove() function when closed
tw:set_atclose(remove)
-- this function will be called once for each packet
function tap.packet(pinfo,tvb)
local src = ips[tostring(pinfo.src)] or 0
local dst = ips[tostring(pinfo.dst)] or 0
ips[tostring(pinfo.src)] = src + 1
ips[tostring(pinfo.dst)] = dst + 1
end
-- this function will be called once every few seconds to update our window
function tap.draw(t)
tw:clear()
for ip,num in pairs(ips) do
tw:append(ip .. "\t" .. num .. "\n");
end
end
-- this function will be called whenever a reset is needed
-- e.g. when reloading the capture file
function tap.reset()
tw:clear()

72

Lua Support in Wireshark

ips = {}
end
end
-- using this function we register our function
-- to be called when the user selects the Tools->Test->Packets menu
register_menu("Test/Packets", menuable_tap, MENU_TOOLS_UNSORTED)

10.4. Wiresharks Lua API Reference Manual

This Part of the User Guide describes the Wireshark specific functions in the embedded Lua.

10.5. Saving capture files

The classes/functions defined in this module are for using a Dumper object to make Wireshark
save a capture file to disk. Dumper represents Wiresharks built-in file format writers (see the
wtap_filetypes table in init.lua).
To have a Lua script create its own file format writer, see the chapter titled "Custom file format reading/
writing".

10.5.1. Dumper
10.5.1.1. Dumper.new(filename, [filetype], [encap])
Creates a file to write packets. Dumper:new_for_current() will probably be a better choice.

Arguments
filename

The name of the capture file to be created.

filetype (optional)

The type of the file to be created - a number entry from the

wtap_filetypes table in init.lua.

encap (optional)

The encapsulation to be used in the file to be created - a number

entry from the wtap_encaps table in init.lua.

Returns
The newly created Dumper object

10.5.1.2. dumper:close()
Closes a dumper.

Errors
Cannot operate on a closed dumper

10.5.1.3. dumper:flush()
Writes all unsaved data of a dumper to the disk.

10.5.1.4. dumper:dump(timestamp, pseudoheader, bytearray)

Dumps an arbitrary packet.

73

Lua Support in Wireshark

Note
Dumper:dump_current() will fit best in most cases.

Arguments
timestamp

The absolute timestamp the packet will have.

pseudoheader

The PseudoHeader to use.

bytearray

The data to be saved

10.5.1.5. dumper:new_for_current([filetype])
Creates a capture file using the same encapsulation as the one of the current packet.

Arguments
filetype (optional)

The file type. Defaults to pcap.

Returns
The newly created Dumper Object

Errors
Cannot be used outside a tap or a dissector

10.5.1.6. dumper:dump_current()
Dumps the current packet as it is.

Errors
Cannot be used outside a tap or a dissector

10.5.2. PseudoHeader
A pseudoheader to be used to save captured frames.

10.5.2.1. PseudoHeader.none()
Creates a "no" pseudoheader.

Returns
A null pseudoheader

10.5.2.2. PseudoHeader.eth([fcslen])
Creates an ethernet pseudoheader.

Arguments
fcslen (optional)

The fcs length

Returns
The ethernet pseudoheader

74

Lua Support in Wireshark

10.5.2.3. PseudoHeader.atm([aal], [vpi], [vci], [channel], [cells],

[aal5u2u], [aal5len])
Creates an ATM pseudoheader.

Arguments
aal (optional)

AAL number

vpi (optional)

VPI

vci (optional)

VCI

channel (optional)

Channel

cells (optional)

Number of cells in the PDU

aal5u2u (optional)

AAL5 User to User indicator

aal5len (optional)

AAL5 Len

Returns
The ATM pseudoheader

10.5.2.4. PseudoHeader.mtp2([sent], [annexa], [linknum])

Creates an MTP2 PseudoHeader.

Arguments
sent (optional)

True if the packet is sent, False if received.

annexa (optional)

True if annex A is used.

linknum (optional)

Link Number.

Returns
The MTP2 pseudoheader

10.6. Obtaining dissection data

10.6.1. Field
A Field extractor to to obtain field values. A Field object can only be created outside of the callback
functions of dissectors, post-dissectors, heuristic-dissectors, and taps.
Once created, it is used inside the callback functions, to generate a FieldInfo object.

10.6.1.1. Field.new(fieldname)
Create a Field extractor.

Arguments
fieldname

The filter name of the field (e.g. ip.addr)

75

Lua Support in Wireshark

Returns
The field extractor

Errors
A Field extractor must be defined before Taps or Dissectors get called

10.6.1.2. Field.list()
Gets a Lua array table of all registered field filter names.

Note
this is an expensive operation, and should only be used for troubleshooting.
Since: 1.11.3

Returns
The array table of field filter names

10.6.1.3. field:__call()
Obtain all values (see FieldInfo) for this field.

Returns
All the values of this field

Errors
Fields cannot be used outside dissectors or taps

10.6.1.4. field:__tostring()
Obtain a string with the field name.

10.6.2. FieldInfo
An extracted Field from dissected packet data. A FieldInfo object can only be used within the
callback functions of dissectors, post-dissectors, heuristic-dissectors, and taps.
A FieldInfo can be called on either existing Wireshark fields by using either Field.new() or
Field() before-hand, or it can be called on new fields created by Lua from a ProtoField.

10.6.2.1. fieldinfo:__len()
Obtain the Length of the field

10.6.2.2. fieldinfo:__unm()
Obtain the Offset of the field

10.6.2.3. fieldinfo:__call()
Obtain the Value of the field.

76

Lua Support in Wireshark

Previous to 1.11.4, this function retrieved the value for most field types, but for
ftypes.UINT_BYTES it retrieved the ByteArray of the fields entire TvbRange. In other
words, it returned a ByteArray that included the leading length byte(s), instead of just the value
bytes. That was a bug, and has been changed in 1.11.4. Furthermore, it retrieved an ftypes.GUID
as a ByteArray, which is also incorrect.
If you wish to still get a ByteArray of the TvbRange, use FieldInfo:get_range() to get
the TvbRange, and then use Tvb:bytes() to convert it to a ByteArray.

10.6.2.4. fieldinfo:__tostring()
The string representation of the field.

10.6.2.5. fieldinfo:__eq()
Checks whether lhs is within rhs.

10.6.2.6. fieldinfo:__le()
Checks whether the end byte of lhs is before the end of rhs.

Errors
Data source must be the same for both fields

10.6.2.7. fieldinfo:__lt()
Checks whether the end byte of rhs is before the beginning of rhs.

Errors
Data source must be the same for both fields

10.6.3. fieldinfo.len
Mode: Retrieve only.
The length of this field.

10.6.4. fieldinfo.offset
Mode: Retrieve only.
The offset of this field.

10.6.5. fieldinfo.value
Mode: Retrieve only.
The value of this field.

10.6.6. fieldinfo.label
Mode: Retrieve only.
The string representing this field

77

Lua Support in Wireshark

10.6.7. fieldinfo.display
Mode: Retrieve only.
The string display of this field as seen in GUI

10.6.8. fieldinfo.range
Mode: Retrieve only.
The TvbRange covering this field

10.6.9. fieldinfo.generated
Mode: Retrieve only.
Whether this field was marked as generated (boolean)

10.6.10. fieldinfo.name
Mode: Retrieve only.
The name of this field

10.6.11. Global Functions

10.6.11.1. all_field_infos()
Obtain all fields from the current tree. Note this only gets whatever fields the underlying dissectors
have filled in for this packet at this time - there may be fields applicable to the packet that simply
arent being filled in because at this time theyre not needed for anything. This function only gets what
the C-side code has currently populated, not the full list.

Errors
Cannot be called outside a listener or dissector

10.7. GUI support

10.7.1. ProgDlg
Manages a progress bar dialog.

10.7.1.1. ProgDlg.new([title], [task])

Creates a new ProgDlg progress dialog.

Arguments
title (optional)

Title of the new window, defaults to "Progress".

task (optional)

Current task, defaults to "".

Returns
The newly created ProgDlg object.

78

Lua Support in Wireshark

10.7.1.2. progdlg:update(progress, [task])

Appends text.

Arguments
progress

Part done ( e.g. 0.75 ).

task (optional)

Current task, defaults to "".

Errors
GUI not available
Cannot be called for something not a ProgDlg
Progress value out of range (must be between 0.0 and 1.0)

10.7.1.3. progdlg:stopped()
Checks whether the user has pressed the stop button.

Returns
true if the user has asked to stop the progress.

10.7.1.4. progdlg:close()
Closes the progress dialog.

Returns
A string specifying whether the Progress Dialog has stopped or not.

Errors
GUI not available

10.7.2. TextWindow
Manages a text window.

10.7.2.1. TextWindow.new([title])
Creates a new TextWindow text window.

Arguments
title (optional)

Title of the new window.

Returns
The newly created TextWindow object.

Errors
GUI not available

79

Lua Support in Wireshark

10.7.2.2. textwindow:set_atclose(action)
Set the function that will be called when the text window closes.

Arguments
action

A Lua function to be executed when the user closes the text window.

Returns
The TextWindow object.

Errors
GUI not available

10.7.2.3. textwindow:set(text)
Sets the text.

Arguments
text

The text to be used.

Returns
The TextWindow object.

Errors
GUI not available

10.7.2.4. textwindow:append(text)
Appends text

Arguments
text

The text to be appended

Returns
The TextWindow object.

Errors
GUI not available

10.7.2.5. textwindow:prepend(text)
Prepends text

Arguments
text

The text to be appended

Returns
The TextWindow object.

80

Lua Support in Wireshark

Errors
GUI not available

10.7.2.6. textwindow:clear()
Erases all text in the window.

Returns
The TextWindow object.

Errors
GUI not available

10.7.2.7. textwindow:get_text()
Get the text of the window

Returns
The `TextWindows text.

Errors
GUI not available

10.7.2.8. textwindow:set_editable([editable])
Make this text window editable.

Arguments
editable (optional)

A boolean flag, defaults to true.

Returns
The TextWindow object.

Errors
GUI not available

10.7.2.9. textwindow:add_button(label, function)

Adds a button to the text window.

Arguments
label

The label of the button

function

The Lua function to be called when clicked

Returns
The TextWindow object.

Errors
GUI not available

81

Lua Support in Wireshark

10.7.3. Global Functions

10.7.3.1. gui_enabled()
Checks whether the GUI facility is enabled.

Returns
A boolean: true if it is enabled, false if it isnt.

10.7.3.2. register_menu(name, action, [group])

Register a menu item in one of the main menus.

Arguments
name

The name of the menu item. The submenus are to be separated by '`/s.
(string)

action

The function to be called when the menu item is invoked. (function

taking no arguments and returning nothing)

group (optional)

The menu group into which the menu item is to be inserted. If omitted,
defaults to MENU_STAT_GENERIC. One of:
MENU_STAT_UNSORTED (Statistics),
MENU_STAT_GENERIC (Statistics, first section),
MENU_STAT_CONVERSATION (Statistics/Conversation List),
MENU_STAT_ENDPOINT (Statistics/Endpoint List),
MENU_STAT_RESPONSE (Statistics/Service Response Time),
MENU_STAT_TELEPHONY (Telephony),
MENU_STAT_TELEPHONY_GSM (Telephony/GSM),
MENU_STAT_TELEPHONY_LTE (Telephony/LTE),
MENU_STAT_TELEPHONY_SCTP (Telephony/SCTP),
MENU_ANALYZE (Analyze),
MENU_ANALYZE_CONVERSATION
Filter),

(Analyze/Conversation

MENU_TOOLS_UNSORTED (Tools). (number)

10.7.3.3. new_dialog(title, action, )

Pops up a new dialog

Arguments
title

Title of the dialogs window.

action

Action to be performed when OKd.

A series of strings to be used as labels of the dialogs fields.

82

Lua Support in Wireshark

Errors
GUI not available
At least one field required
All fields must be strings

10.7.3.4. retap_packets()
Rescan all packets and just run taps - dont reconstruct the display.

10.7.3.5. copy_to_clipboard(text)
Copy a string into the clipboard.

Arguments
text

The string to be copied into the clipboard.

10.7.3.6. open_capture_file(filename, filter)

Open and display a capture file.

Arguments
filename

The name of the file to be opened.

filter

A filter to be applied as the file gets opened.

10.7.3.7. get_filter()
Get the main filter text.

10.7.3.8. set_filter(text)
Set the main filter text.

Arguments
text

The filters text.

10.7.3.9. set_color_filter_slot(row, text)

Set packet-coloring rule for the current session.

Arguments
row

The index of the desired color in the temporary coloring rules list.

text

Display filter for selecting packets to be colorized.

10.7.3.10. apply_filter()
Apply the filter in the main filter box.

10.7.3.11. reload()
Reload the current capture file.

83

Lua Support in Wireshark

10.7.3.12. browser_open_url(url)
Open an url in a browser.

Arguments
url

The url.

10.7.3.13. browser_open_data_file(filename)
Open a file in a browser.

Arguments
filename

The file name.

10.8. Post-dissection packet analysis

10.8.1. Listener
A Listener is called once for every packet that matches a certain filter or has a certain tap. It can
read the tree, the packets Tvb buffer as well as the tapped data, but it cannot add elements to the tree.

10.8.1.1. Listener.new([tap], [filter], [allfields])

Creates a new Listener listener object.

Arguments
tap (optional)

The name of this tap.

filter (optional)

A filter that when matches the tap.packet function gets called

(use nil to be called for every packet).

allfields (optional)

Whether to generate all fields. (default=false)

Note
this impacts performance.

Returns
The newly created Listener listener object

Errors
tap registration error

10.8.1.2. Listener.list()
Gets a Lua array table of all registered Listener tap names.

Note
this is an expensive operation, and should only be used for troubleshooting.
Since: 1.11.3

84

Lua Support in Wireshark

Returns
The array table of registered tap names

10.8.1.3. listener:remove()
Removes a tap Listener.

10.8.1.4. listener:__tostring()
Generates a string of debug info for the tap Listener.

10.8.2. listener.packet
Mode: Assign only.
A function that will be called once every packet matches the Listener listener filter.
When later called by Wireshark, the packet function will be given:
1. A Pinfo object
2. A Tvb object
3. A tapinfo table
function tap.packet(pinfo,tvb,tapinfo) ... end

Note
tapinfo is a table of info based on the `Listeners type, or nil.

10.8.3. listener.draw
Mode: Assign only.
A function that will be called once every few seconds to redraw the GUI objects; in Tshark this funtion
is called only at the very end of the capture file.
When later called by Wireshark, the draw function will not be given any arguments.
function tap.draw() ... end

10.8.4. listener.reset
Mode: Assign only.
A function that will be called at the end of the capture run.
When later called by Wireshark, the reset function will not be given any arguments.
function tap.reset() ... end

10.9. Obtaining packet information

10.9.1. Address
Represents an address.

85

Lua Support in Wireshark

10.9.1.1. Address.ip(hostname)
Creates an Address Object representing an IP address.

Arguments
hostname

The address or name of the IP host.

Returns
The Address object.

10.9.1.2. address:__tostring()
Returns
The string representing the address.

10.9.1.3. address:__eq()
Compares two Addresses.

10.9.1.4. address:__le()
Compares two Addresses.

10.9.1.5. address:__lt()
Compares two Addresses.

10.9.2. Column
A Column in the packet list.

10.9.2.1. column:__tostring()
Returns
The columns string text (in parenthesis if not available).

10.9.2.2. column:clear()
Clears a Column.

10.9.2.3. column:set(text)
Sets the text of a Column.

Arguments
text

The text to which to set the Column.

10.9.2.4. column:append(text)
Appends text to a Column.

Arguments
text

The text to append to the Column.

86

Lua Support in Wireshark

10.9.2.5. column:prepend(text)
Prepends text to a Column.

Arguments
text

The text to prepend to the Column.

10.9.2.6. column:fence()
Sets Column text fence, to prevent overwriting.
Since: 1.10.6

10.9.2.7. column:clear_fence()
Clear Column text fence.
Since: 1.11.3

10.9.3. Columns
The Columns of the packet list.

10.9.3.1. columns:__tostring()
Returns
The string "Columns", no real use, just for debugging purposes.

10.9.3.2. columns:__newindex(column, text)

Sets the text of a specific column.

Arguments
column

The name of the column to set.

text

The text for the column.

10.9.3.3. columns:__index()
Gets a specific Column.

10.9.4. NSTime
NSTime represents a nstime_t. This is an object with seconds and nanoseconds.

10.9.4.1. NSTime.new([seconds], [nseconds])

Creates a new NSTime object.

Arguments
seconds (optional)

Seconds.

nseconds (optional)

Nano seconds.

87

Lua Support in Wireshark

Returns
The new NSTime object.

10.9.4.2. nstime:__call([seconds], [nseconds])

Creates a NSTime object.

Arguments
seconds (optional)

Seconds.

nseconds (optional)

Nanoseconds.

Returns
The new NSTime object.

10.9.4.3. nstime:__tostring()
Returns
The string representing the nstime.

10.9.4.4. nstime:__add()
Calculates the sum of two NSTimes.

10.9.4.5. nstime:__sub()
Calculates the diff of two NSTimes.

10.9.4.6. nstime:__unm()
Calculates the negative NSTime.

10.9.4.7. nstime:__eq()
Compares two NSTimes.

10.9.4.8. nstime:__le()
Compares two NSTimes.

10.9.4.9. nstime:__lt()
Compares two NSTimes.

10.9.5. nstime.secs
Mode: Retrieve or assign.
The NSTime seconds.

10.9.6. nstime.nsecs
Mode: Retrieve or assign.

88

Lua Support in Wireshark

The NSTime nano seconds.

10.9.7. Pinfo
Packet information.

10.9.8. pinfo.visited
Mode: Retrieve only.
Whether this packet has been already visited.

10.9.9. pinfo.number
Mode: Retrieve only.
The number of this packet in the current file.

10.9.10. pinfo.len
Mode: Retrieve only.
The length of the frame.

10.9.11. pinfo.caplen
Mode: Retrieve only.
The captured length of the frame.

10.9.12. pinfo.abs_ts
Mode: Retrieve only.
When the packet was captured.

10.9.13. pinfo.rel_ts
Mode: Retrieve only.
Number of seconds passed since beginning of capture.

10.9.14. pinfo.delta_ts
Mode: Retrieve only.
Number of seconds passed since the last captured packet.

10.9.15. pinfo.delta_dis_ts
Mode: Retrieve only.
Number of seconds passed since the last displayed packet.

10.9.16. pinfo.circuit_id
Mode: Retrieve or assign.

89

Lua Support in Wireshark

For circuit based protocols.

10.9.17. pinfo.curr_proto
Mode: Retrieve only.
Which Protocol are we dissecting.

10.9.18. pinfo.can_desegment
Mode: Retrieve or assign.
Set if this segment could be desegmented.

10.9.19. pinfo.desegment_len
Mode: Retrieve or assign.
Estimated number of additional bytes required for completing the PDU.

10.9.20. pinfo.desegment_offset
Mode: Retrieve or assign.
Offset in the tvbuff at which the dissector will continue processing when next called.

10.9.21. pinfo.fragmented
Mode: Retrieve only.
If the protocol is only a fragment.

10.9.22. pinfo.in_error_pkt
Mode: Retrieve only.
If were inside an error packet.

10.9.23. pinfo.match_uint
Mode: Retrieve only.
Matched uint for calling subdissector from table.

10.9.24. pinfo.match_string
Mode: Retrieve only.
Matched string for calling subdissector from table.

10.9.25. pinfo.port_type
Mode: Retrieve or assign.
Type of Port of .src_port and .dst_port.

90

Lua Support in Wireshark

10.9.26. pinfo.src_port
Mode: Retrieve or assign.
Source Port of this Packet.

10.9.27. pinfo.dst_port
Mode: Retrieve or assign.
Source Address of this Packet.

10.9.28. pinfo.dl_src
Mode: Retrieve or assign.
Data Link Source Address of this Packet.

10.9.29. pinfo.dl_dst
Mode: Retrieve or assign.
Data Link Destination Address of this Packet.

10.9.30. pinfo.net_src
Mode: Retrieve or assign.
Network Layer Source Address of this Packet.

10.9.31. pinfo.net_dst
Mode: Retrieve or assign.
Network Layer Destination Address of this Packet.

10.9.32. pinfo.src
Mode: Retrieve or assign.
Source Address of this Packet.

10.9.33. pinfo.dst
Mode: Retrieve or assign.
Destination Address of this Packet.

10.9.34. pinfo.match
Mode: Retrieve only.
Port/Data we are matching.

10.9.35. pinfo.columns
Mode: Retrieve only.

91

Lua Support in Wireshark

Accesss to the packet list columns.

10.9.36. pinfo.cols
Mode: Retrieve only.
Accesss to the packet list columns (equivalent to pinfo.columns).

10.9.37. pinfo.private
Mode: Retrieve only.
Access to the private table entries.

10.9.38. pinfo.hi
Mode: Retrieve or assign.
Higher Address of this Packet.

10.9.39. pinfo.lo
Mode: Retrieve only.
Lower Address of this Packet.

10.9.40. pinfo.conversation
Mode: Assign only.
Sets the packet conversation to the given Proto object.

10.9.41. PrivateTable
PrivateTable represents the pinfo#private_table.

10.9.41.1. privatetable:__tostring()
Gets debugging type information about the private table.

Returns
A string with all keys in the table, mostly for debugging.

10.10. Functions for new protocols and

dissectors
The classes and functions in this chapter allow Lua scripts to create new protocols for Wireshark.
Proto protocol objects can have Pref preferences, ProtoField fields for filterable values that
can be displayed in a details view tree, functions for dissecting the new protocol, and so on.
The dissection function can be hooked into existing protocol tables through DissectorTables so
that the new protocol dissector function gets called by that protocol, and the new dissector can itself
call on other, already existing protocol dissectors by retrieving and calling the Dissector object.
A Proto dissector can also be used as a post-dissector, at the end of every frames dissection, or as
a heuristic dissector.

92

Lua Support in Wireshark

10.10.1. Dissector
A refererence to a dissector, used to call a dissector against a packet or a part of it.

10.10.1.1. Dissector.get(name)
Obtains a dissector reference by name.

Arguments
name

The name of the dissector.

Returns
The Dissector reference.

10.10.1.2. Dissector.list()
Gets a Lua array table of all registered Dissector names.

Note
this is an expensive operation, and should only be used for troubleshooting.
Since: 1.11.3

Returns
The array table of registered dissector names.

10.10.1.3. dissector:call(tvb, pinfo, tree)

Calls a dissector against a given packet (or part of it).

Arguments
tvb

The buffer to dissect.

pinfo

The packet info.

tree

The tree on which to add the protocol items.

Returns
Number of bytes dissected. Note that some dissectors always return number of bytes in incoming
buffer, so be aware.

10.10.1.4. dissector:__call(tvb, pinfo, tree)

Calls a dissector against a given packet (or part of it).

Arguments
tvb

The buffer to dissect.

pinfo

The packet info.

tree

The tree on which to add the protocol items.

93

Lua Support in Wireshark

10.10.1.5. dissector:__tostring()
Gets the Dissectors protocol short name.

Returns
A string of the protocols short name.

10.10.2. DissectorTable
A table of subdissectors of a particular protocol (e.g. TCP subdissectors like http, smtp, sip are added
to table "tcp.port").
Useful to add more dissectors to a table so that they appear in the Decode As dialog.

10.10.2.1. DissectorTable.new(tablename, [uiname], [type], [base])

Creates a new DissectorTable for your dissectors use.

Arguments
tablename

The short name of the table.

uiname (optional)

The name of the table in the User Interface (defaults to the name given).

type (optional)

Either ftypes.UINT8, ftypes.UINT16, ftypes.UINT24,

ftypes.UINT32,
or
ftypes.STRING
(defaults
to
ftypes.UINT32).

base (optional)

Either base.NONE, base.DEC, base.HEX, base.OCT,

base.DEC_HEX or base.HEX_DEC (defaults to base.DEC).

Returns
The newly created DissectorTable.

10.10.2.2. DissectorTable.list()
Gets a Lua array table of all DissectorTable names - i.e., the string names you can use for the first
argument to DissectorTable.get().

Note
this is an expensive operation, and should only be used for troubleshooting.
Since: 1.11.3

Returns
The array table of registered DissectorTable names.

10.10.2.3. DissectorTable.heuristic_list()
Gets a Lua array table of all heuristic list names - i.e., the string names you can use for the first
argument in Proto:register_heuristic().

Note
this is an expensive operation, and should only be used for troubleshooting.

94

Lua Support in Wireshark

Since: 1.11.3

Returns
The array table of registered heuristic list names

10.10.2.4. DissectorTable.get(tablename)
Obtain a reference to an existing dissector table.

Arguments
tablename

The short name of the table.

Returns
The DissectorTable.

10.10.2.5. dissectortable:add(pattern, dissector)

Add a Proto with a dissector function, or a Dissector object, to the dissector table.

Arguments
pattern

The pattern to match (either an integer, a integer range or a string depending on

the tables type).

dissector

The dissector to add (either a Proto or a Dissector).

10.10.2.6. dissectortable:set(pattern, dissector)

Remove existing dissectors from a table and add a new or a range of new dissectors.
Since: 1.11.3

Arguments
pattern

The pattern to match (either an integer, a integer range or a string depending on

the tables type).

dissector

The dissector to add (either a Proto or a Dissector).

10.10.2.7. dissectortable:remove(pattern, dissector)

Remove a dissector or a range of dissectors from a table

Arguments
pattern

The pattern to match (either an integer, a integer range or a string depending on

the tables type).

dissector

The dissector to remove (either a Proto or a Dissector).

10.10.2.8. dissectortable:remove_all(dissector)
Remove all dissectors from a table.
Since: 1.11.3

95

Lua Support in Wireshark

Arguments
dissector

The dissector to remove (either a Proto or a Dissector).

10.10.2.9. dissectortable:try(pattern, tvb, pinfo, tree)

Try to call a dissector from a table

Arguments
pattern

The pattern to be matched (either an integer or a string depending on the tables type).

tvb

The buffer to dissect.

pinfo

The packet info.

tree

The tree on which to add the protocol items.

Returns
Number of bytes dissected. Note that some dissectors always return number of bytes in incoming
buffer, so be aware.

10.10.2.10. dissectortable:get_dissector(pattern)
Try to obtain a dissector from a table.

Arguments
pattern

The pattern to be matched (either an integer or a string depending on the tables type).

Returns
The dissector handle if found.
nil if not found.

10.10.2.11. dissectortable:add_for_decode_as(proto)
Add the given Proto to the "Decode as" list for this DissectorTable. The passed-in Proto objects
dissector() function is used for dissecting.
Since: 1.99.1

Arguments
proto

The Proto to add.

10.10.2.12. dissectortable:__tostring()
Gets some debug information about the DissectorTable.

Returns
A string of debug information about the DissectorTable.

10.10.3. Pref
A preference of a Protocol.

96

Lua Support in Wireshark

10.10.3.1. Pref.bool(label, default, descr)

Creates a boolean preference to be added to a Proto.prefs Lua table.

Arguments
label

The Label (text in the right side of the preference input) for this preference.

default

The default value for this preference.

descr

A description of what this preference is.

10.10.3.2. Pref.uint(label, default, descr)

Creates an (unsigned) integer preference to be added to a Proto.prefs Lua table.

Arguments
label

The Label (text in the right side of the preference input) for this preference.

default

The default value for this preference.

descr

A description of what this preference is.

10.10.3.3. Pref.string(label, default, descr)

Creates a string preference to be added to a Proto.prefs Lua table.

Arguments
label

The Label (text in the right side of the preference input) for this preference.

default

The default value for this preference.

descr

A description of what this preference is.

10.10.3.4. Pref.enum(label, default, descr, enum, radio)

Creates an enum preference to be added to a Proto.prefs Lua table.

Arguments
label

The Label (text in the right side of the preference input) for this preference.

default

The default value for this preference.

descr

A description of what this preference is.

enum

An enum Lua table.

radio

Radio button (true) or Combobox (false).

10.10.3.5. Pref.range(label, default, descr, max)

Creates a range preference to be added to a Proto.prefs Lua table.

Arguments
label

The Label (text in the right side of the preference input) for this preference.

default

The default value for this preference, e.g., "53", "10-30", or "10-30,53,55,100-120".

97

Lua Support in Wireshark

descr

A description of what this preference is.

max

The maximum value.

10.10.3.6. Pref.statictext(label, descr)

Creates a static text string to be added to a Proto.prefs Lua table.

Arguments
label

The static text.

descr

The static text description.

10.10.4. Prefs
The table of preferences of a protocol.

10.10.4.1. prefs:__newindex(name, pref)

Creates a new preference.

Arguments
name

The abbreviation of this preference.

pref

A valid but still unassigned Pref object.

Errors
Unknow Pref type

10.10.4.2. prefs:__index(name)
Get the value of a preference setting.

Arguments
name

The abbreviation of this preference.

Returns
The current value of the preference.

Errors
Unknow Pref type

10.10.5. Proto
A new protocol in Wireshark. Protocols have more uses, the main one is to dissect a protocol. But they
can also be just dummies used to register preferences for other purposes.

10.10.5.1. Proto.new(name, desc)

Arguments
name

The name of the protocol.

98

Lua Support in Wireshark

desc

A Long Text description of the protocol (usually lowercase).

Returns
The newly created protocol.

10.10.5.2. proto:__call(name, desc)

Creates a Proto object.

Arguments
name

The name of the protocol.

desc

A Long Text description of the protocol (usually lowercase).

Returns
The new Proto object.

10.10.5.3. proto:register_heuristic(listname, func)

Registers a heuristic dissector function for this Proto protocol, for the given heuristic list name.
When later called, the passed-in function will be given:
1. A Tvb object
2. A Pinfo object
3. A TreeItem object
The function must return true if the payload is for it, else false.
The function should perform as much verification as possible to ensure the payload is for it, and dissect
the packet (including setting TreeItem info and such) only if the payload is for it, before returning
true or false.
Since version 1.99.1, this function also accepts a Dissector object as the second argument, to allow reusing the same Lua code as the function proto.dissector(...). In this case, the Dissector
must return a Lua number of the number of bytes consumed/parsed: if 0 is returned, it will be treated
the same as a false return for the heuristic; if a positive or negative number is returned, then the
it will be treated the same as a true return for the heuristic, meaning the packet is for this protocol
and no other heuristic will be tried.
Since: 1.11.3

Arguments
listname

The heuristic list name this function is a heuristic for (e.g., "udp" or
"infiniband.payload").

func

A Lua function that will be invoked for heuristic dissection.

10.10.6. proto.dissector
Mode: Retrieve or assign.
The protocols dissector, a function you define.
When later called, the function will be given:

99

Lua Support in Wireshark

1. A Tvb object
2. A Pinfo object
3. A TreeItem object

10.10.7. proto.prefs
Mode: Retrieve only.
The preferences of this dissector.

10.10.8. proto.prefs_changed
Mode: Assign only.
The preferences changed routine of this dissector, a Lua function you define.

10.10.9. proto.init
Mode: Assign only.
The init routine of this dissector, a function you define.
The called init function is passed no arguments.

10.10.10. proto.name
Mode: Retrieve only.
The name given to this dissector.

10.10.11. proto.description
Mode: Retrieve only.
The description given to this dissector.

10.10.12. proto.fields
Mode: Retrieve or assign.
The `ProtoField`s Lua table of this dissector.

10.10.13. proto.experts
Mode: Retrieve or assign.
The expert info Lua table of this Proto.
Since: 1.11.3

10.10.14. ProtoExpert
A Protocol expert info field, to be used when adding items to the dissection tree.
Since: 1.11.3

100

Lua Support in Wireshark

10.10.14.1. ProtoExpert.new(abbr, text, group, severity)

Creates a new ProtoExpert object to be used for a protocols expert information notices.
Since: 1.11.3

Arguments
abbr

Filter name of the expert info field (the string that is used in filters).

text

The default text of the expert field.

group

Expert
group
type:
one
of:
expert.group.CHECKSUM,
expert.group.SEQUENCE,
expert.group.RESPONSE_CODE,
expert.group.REQUEST_CODE,
expert.group.UNDECODED,
expert.group.REASSEMBLE,
expert.group.MALFORMED,
expert.group.DEBUG,
expert.group.PROTOCOL,
expert.group.SECURITY, or expert.group.COMMENTS_GROUP.

severity

Expert
severity
type:
one
of:
expert.severity.COMMENT,
expert.severity.CHAT,
expert.severity.NOTE,
expert.severity.WARN, or expert.severity.ERROR.

Returns
The newly created ProtoExpert object.

10.10.14.2. protoexpert:__tostring()
Returns a string with debugging information about a ProtoExpert object.
Since: 1.11.3

10.10.15. ProtoField
A Protocol field (to be used when adding items to the dissection tree).

10.10.15.1. ProtoField.new(name, abbr, type, [valuestring], [base],

[mask], [descr])
Creates a new ProtoField object to be used for a protocol field.

Arguments
name

Actual name of the field (the string that appears in the tree).

abbr

Filter name of the field (the string that is used in filters).

type

Field
Type:
one
of:
ftypes.BOOLEAN,
ftypes.UINT8, ftypes.UINT16, ftypes.UINT24,
ftypes.UINT32, ftypes.UINT64, ftypes.INT8,
ftypes.INT16, ftypes.INT24, ftypes.INT32,
ftypes.INT64, ftypes.FLOAT, ftypes.DOUBLE ,
ftypes.ABSOLUTE_TIME, ftypes.RELATIVE_TIME,
ftypes.STRING,
ftypes.STRINGZ,
ftypes.UINT_STRING,
ftypes.ETHER,
ftypes.BYTES,
ftypes.UINT_BYTES,
ftypes.IPv4,
ftypes.IPv6,
ftypes.IPXNET,

101

Lua Support in Wireshark

ftypes.FRAMENUM, ftypes.PCRE, ftypes.GUID,

ftypes.OID,
ftypes.REL_OID,
ftypes.SYSTEM_ID,
ftypes.EUI64
or
ftypes.NONE.
valuestring (optional)

A table containing the text that corresponds to the values.

base (optional)

The representation, one of: base.NONE, base.DEC,

base.HEX,
base.OCT,
base.DEC_HEX,
or
base.HEX_DEC.

mask (optional)

The bitmask to be used.

descr (optional)

The description of the field.

Returns
The newly created ProtoField object.

10.10.15.2. ProtoField.uint8(abbr, [name], [base], [valuestring],

[mask], [desc])
Creates a ProtoField of an unsigned 8-bit integer (i.e., a byte).

Arguments
abbr

Abbreviated name of the field (the string used in filters).

name (optional)

Actual name of the field (the string that appears in the tree).

base (optional)

One of base.DEC, base.HEX or base.OCT.

valuestring (optional)

A table containing the text that corresponds to the values.

mask (optional)

Integer mask of this field.

desc (optional)

Description of the field.

Returns
A ProtoField object to be added to a table set to the Proto.fields attribute.

10.10.15.3. ProtoField.uint16(abbr, [name], [base], [valuestring],

[mask], [desc])
Creates a ProtoField of an unsigned 16-bit integer.

Arguments
abbr

Abbreviated name of the field (the string used in filters).

name (optional)

Actual name of the field (the string that appears in the tree).

base (optional)

One of base.DEC, base.HEX or base.OCT.

valuestring (optional)

A table containing the text that corresponds to the values.

mask (optional)

Integer mask of this field.

desc (optional)

Description of the field.

102

Lua Support in Wireshark

Returns
A ProtoField object to be added to a table set to the Proto.fields attribute.

10.10.15.4. ProtoField.uint24(abbr, [name], [base], [valuestring],

[mask], [desc])
Creates a ProtoField of an unsigned 24-bit integer.

Arguments
abbr

Abbreviated name of the field (the string used in filters).

name (optional)

Actual name of the field (the string that appears in the tree).

base (optional)

One of base.DEC, base.HEX or base.OCT.

valuestring (optional)

A table containing the text that corresponds to the values.

mask (optional)

Integer mask of this field.

desc (optional)

Description of the field.

Returns
A ProtoField object to be added to a table set to the Proto.fields attribute.

10.10.15.5. ProtoField.uint32(abbr, [name], [base], [valuestring],

[mask], [desc])
Creates a ProtoField of an unsigned 32-bit integer.

Arguments
abbr

Abbreviated name of the field (the string used in filters).

name (optional)

Actual name of the field (the string that appears in the tree).

base (optional)

One of base.DEC, base.HEX or base.OCT.

valuestring (optional)

A table containing the text that corresponds to the values.

mask (optional)

Integer mask of this field.

desc (optional)

Description of the field.

Returns
A ProtoField object to be added to a table set to the Proto.fields attribute.

10.10.15.6. ProtoField.uint64(abbr, [name], [base], [valuestring],

[mask], [desc])
Creates a ProtoField of an unsigned 64-bit integer.

Arguments
abbr

Abbreviated name of the field (the string used in filters).

103

Lua Support in Wireshark

name (optional)

Actual name of the field (the string that appears in the tree).

base (optional)

One of base.DEC, base.HEX or base.OCT.

valuestring (optional)

A table containing the text that corresponds to the values.

mask (optional)

Integer mask of this field.

desc (optional)

Description of the field.

Returns
A ProtoField object to be added to a table set to the Proto.fields attribute.

10.10.15.7. ProtoField.int8(abbr, [name], [base], [valuestring],

[mask], [desc])
Creates a ProtoField of a signed 8-bit integer (i.e., a byte).

Arguments
abbr

Abbreviated name of the field (the string used in filters).

name (optional)

Actual name of the field (the string that appears in the tree).

base (optional)

One of base.DEC, base.HEX or base.OCT.

valuestring (optional)

A table containing the text that corresponds to the values.

mask (optional)

Integer mask of this field.

desc (optional)

Description of the field.

Returns
A ProtoField object to be added to a table set to the Proto.fields attribute.

10.10.15.8. ProtoField.int16(abbr, [name], [base], [valuestring],

[mask], [desc])
Creates a ProtoField of a signed 16-bit integer.

Arguments
abbr

Abbreviated name of the field (the string used in filters).

name (optional)

Actual name of the field (the string that appears in the tree).

base (optional)

One of base.DEC, base.HEX or base.OCT.

valuestring (optional)

A table containing the text that corresponds to the values.

mask (optional)

Integer mask of this field.

desc (optional)

Description of the field.

Returns
A ProtoField object to be added to a table set to the Proto.fields attribute.

104

Lua Support in Wireshark

10.10.15.9. ProtoField.int24(abbr, [name], [base], [valuestring],

[mask], [desc])
Creates a ProtoField of a signed 24-bit integer.

Arguments
abbr

Abbreviated name of the field (the string used in filters).

name (optional)

Actual name of the field (the string that appears in the tree).

base (optional)

One of base.DEC, base.HEX or base.OCT.

valuestring (optional)

A table containing the text that corresponds to the values.

mask (optional)

Integer mask of this field.

desc (optional)

Description of the field.

Returns
A ProtoField object to be added to a table set to the Proto.fields attribute.

10.10.15.10. ProtoField.int32(abbr, [name], [base], [valuestring],

[mask], [desc])
Creates a ProtoField of a signed 32-bit integer.

Arguments
abbr

Abbreviated name of the field (the string used in filters).

name (optional)

Actual name of the field (the string that appears in the tree).

base (optional)

One of base.DEC, base.HEX or base.OCT.

valuestring (optional)

A table containing the text that corresponds to the values.

mask (optional)

Integer mask of this field.

desc (optional)

Description of the field.

Returns
A ProtoField object to be added to a table set to the Proto.fields attribute.

10.10.15.11. ProtoField.int64(abbr, [name], [base], [valuestring],

[mask], [desc])
Creates a ProtoField of a signed 64-bit integer.

Arguments
abbr

Abbreviated name of the field (the string used in filters).

name (optional)

Actual name of the field (the string that appears in the tree).

base (optional)

One of base.DEC, base.HEX or base.OCT.

valuestring (optional)

A table containing the text that corresponds to the values.

105

Lua Support in Wireshark

mask (optional)

Integer mask of this field.

desc (optional)

Description of the field.

Returns
A ProtoField object to be added to a table set to the Proto.fields attribute.

10.10.15.12. ProtoField.framenum(abbr, [name], [base],

[valuestring], [mask], [desc])
Creates a ProtoField for a frame number (for hyperlinks between frames).

Arguments
abbr

Abbreviated name of the field (the string used in filters).

name (optional)

Actual name of the field (the string that appears in the tree).

base (optional)

One of base.DEC, base.HEX or base.OCT.

valuestring (optional)

A table containing the text that corresponds to the values.

mask (optional)

Integer mask of this field.

desc (optional)

Description of the field.

Returns
A ProtoField object to be added to a table set to the Proto.fields attribute.

10.10.15.13. ProtoField.bool(abbr, [name], [display], [valuestring],

[mask], [desc])
Creates a ProtoField for a boolean true/false value.

Arguments
abbr

Abbreviated name of the field (the string used in filters).

name (optional)

Actual name of the field (the string that appears in the tree).

display (optional)

How wide the parent bitfield is (base.NONE is used for

NULL-value).

valuestring (optional)

A table containing the text that corresponds to the values.

mask (optional)

Integer mask of this field.

desc (optional)

Description of the field.

Returns
A ProtoField object to be added to a table set to the Proto.fields attribute.

10.10.15.14. ProtoField.absolute_time(abbr, [name], [base],

[desc])
Creates a ProtoField of a time_t structure value.

106

Lua Support in Wireshark

Arguments
abbr

Abbreviated name of the field (the string used in filters).

name (optional)

Actual name of the field (the string that appears in the tree).

base (optional)

One of base.LOCAL, base.UTC or base.DOY_UTC.

desc (optional)

Description of the field.

Returns
A ProtoField object to be added to a table set to the Proto.fields attribute.

10.10.15.15. ProtoField.relative_time(abbr, [name], [desc])

Creates a ProtoField of a time_t structure value.

Arguments
abbr

Abbreviated name of the field (the string used in filters).

name (optional)

Actual name of the field (the string that appears in the tree).

desc (optional)

Description of the field.

Returns
A ProtoField object to be added to a table set to the Proto.fields attribute.

10.10.15.16. ProtoField.none(abbr, [name], [desc])

Creates a ProtoField of an unstructured type.

Arguments
abbr

Abbreviated name of the field (the string used in filters).

name (optional)

Actual name of the field (the string that appears in the tree).

desc (optional)

Description of the field.

Returns
A ProtoField object to be added to a table set to the Proto.fields attribute.

10.10.15.17. ProtoField.ipv4(abbr, [name], [desc])

Creates a ProtoField of an IPv4 address (4 bytes).

Arguments
abbr

Abbreviated name of the field (the string used in filters).

name (optional)

Actual name of the field (the string that appears in the tree).

desc (optional)

Description of the field.

Returns
A ProtoField object to be added to a table set to the Proto.fields attribute.

107

Lua Support in Wireshark

10.10.15.18. ProtoField.ipv6(abbr, [name], [desc])

Creates a ProtoField of an IPv6 address (16 bytes).

Arguments
abbr

Abbreviated name of the field (the string used in filters).

name (optional)

Actual name of the field (the string that appears in the tree).

desc (optional)

Description of the field.

Returns
A ProtoField object to be added to a table set to the Proto.fields attribute.

10.10.15.19. ProtoField.ether(abbr, [name], [desc])

Creates a ProtoField of an Ethernet address (6 bytes).

Arguments
abbr

Abbreviated name of the field (the string used in filters).

name (optional)

Actual name of the field (the string that appears in the tree).

desc (optional)

Description of the field.

Returns
A ProtoField object to be added to a table set to the Proto.fields attribute.

10.10.15.20. ProtoField.float(abbr, [name], [desc])

Creates a ProtoField of a floating point number (4 bytes).

Arguments
abbr

Abbreviated name of the field (the string used in filters).

name (optional)

Actual name of the field (the string that appears in the tree).

desc (optional)

Description of the field.

Returns
A ProtoField object to be added to a table set to the Proto.fields attribute.

10.10.15.21. ProtoField.double(abbr, [name], [desc])

Creates a ProtoField of a double-precision floating point (8 bytes).

Arguments
abbr

Abbreviated name of the field (the string used in filters).

name (optional)

Actual name of the field (the string that appears in the tree).

desc (optional)

Description of the field.

108

Lua Support in Wireshark

Returns
A ProtoField object to be added to a table set to the Proto.fields attribute.

10.10.15.22. ProtoField.string(abbr, [name], [desc])

Creates a ProtoField of a string value.

Arguments
abbr

Abbreviated name of the field (the string used in filters).

name (optional)

Actual name of the field (the string that appears in the tree).

desc (optional)

Description of the field.

Returns
A ProtoField object to be added to a table set to the Proto.fields attribute.

10.10.15.23. ProtoField.stringz(abbr, [name], [desc])

Creates a ProtoField of a zero-terminated string value.

Arguments
abbr

Abbreviated name of the field (the string used in filters).

name (optional)

Actual name of the field (the string that appears in the tree).

desc (optional)

Description of the field.

Returns
A ProtoField object to be added to a table set to the Proto.fields attribute.

10.10.15.24. ProtoField.bytes(abbr, [name], [desc])

Creates a ProtoField for an arbitrary number of bytes.

Arguments
abbr

Abbreviated name of the field (the string used in filters).

name (optional)

Actual name of the field (the string that appears in the tree).

desc (optional)

Description of the field.

Returns
A ProtoField object to be added to a table set to the Proto.fields attribute.

10.10.15.25. ProtoField.ubytes(abbr, [name], [desc])

Creates a ProtoField for an arbitrary number of unsigned bytes.

Arguments
abbr

Abbreviated name of the field (the string used in filters).

109

Lua Support in Wireshark

name (optional)

Actual name of the field (the string that appears in the tree).

desc (optional)

Description of the field.

Returns
A ProtoField object to be added to a table set to the Proto.fields attribute.

10.10.15.26. ProtoField.guid(abbr, [name], [desc])

Creates a ProtoField for a Globally Unique IDentifier (GUID).

Arguments
abbr

Abbreviated name of the field (the string used in filters).

name (optional)

Actual name of the field (the string that appears in the tree).

desc (optional)

Description of the field.

Returns
A ProtoField object to be added to a table set to the Proto.fields attribute.

10.10.15.27. ProtoField.oid(abbr, [name], [desc])

Creates a ProtoField for an ASN.1 Organizational IDentified (OID).

Arguments
abbr

Abbreviated name of the field (the string used in filters).

name (optional)

Actual name of the field (the string that appears in the tree).

desc (optional)

Description of the field.

Returns
A ProtoField object to be added to a table set to the Proto.fields attribute.

10.10.15.28. ProtoField.rel_oid(abbr, [name], [desc])

Creates a ProtoField for an ASN.1 Relative-OID.

Arguments
abbr

Abbreviated name of the field (the string used in filters).

name (optional)

Actual name of the field (the string that appears in the tree).

desc (optional)

Description of the field.

Returns
A ProtoField object to be added to a table set to the Proto.fields attribute.

10.10.15.29. ProtoField.systemid(abbr, [name], [desc])

Creates a ProtoField for an OSI System ID.

110

Lua Support in Wireshark

Arguments
abbr

Abbreviated name of the field (the string used in filters).

name (optional)

Actual name of the field (the string that appears in the tree).

desc (optional)

Description of the field.

Returns
A ProtoField object to be added to a table set to the Proto.fields attribute.

10.10.15.30. ProtoField.eui64(abbr, [name], [desc])

Creates a ProtoField for an EUI64.

Arguments
abbr

Abbreviated name of the field (the string used in filters).

name (optional)

Actual name of the field (the string that appears in the tree).

desc (optional)

Description of the field.

Returns
A ProtoField object to be added to a table set to the Proto.fields attribute.

10.10.15.31. protofield:__tostring()
Returns a string with info about a protofield (for debugging purposes).

10.10.16. Global Functions

10.10.16.1. register_postdissector(proto, [allfields])
Make a Proto protocol (with a dissector function) a post-dissector. It will be called for every frame
after dissection.

Arguments
proto

The protocol to be used as post-dissector.

allfields (optional)

Whether to generate all fields.

Note
this impacts performance (default=false).

10.11. Adding information to the dissection

tree
10.11.1. TreeItem
TreeItems represent information in the packet-details pane. A root TreeItem is passed to
dissectors as the third argument.

111

Lua Support in Wireshark

10.11.1.1. treeitem:add_packet_field(protofield, [tvbrange],

encoding, [label])
Adds a new child tree for the given ProtoField object to this tree item, returning the new child
TreeItem.
Unlike TreeItem:add() and TreeItem:add_le(), the ProtoField argument is not
optional, and cannot be a Proto object. Instead, this function always uses the ProtoField to
determine the type of field to extract from the passed-in TvbRange, highlighting the relevant bytes
in the Packet Bytes pane of the GUI (if there is a GUI), etc. If no TvbRange is given, no bytes are
highlighted and the fields value cannot be determined; the ProtoField must have been defined/
created not to have a length in such a case, or an error will occur. For backwards-compatibility reasons
the encoding argument, however, must still be given.
Unlike TreeItem:add() and TreeItem:add_le(), this function performs both big-endian
and little-endian decoding, by setting the encoding argument to be ENC_BIG_ENDIAN or
ENC_LITTLE_ENDIAN.
The signature of this function:
tree_item:add_packet_field(proto_field [,tvbrange], encoding, ...)

In Wireshark version 1.11.3, this function was changed to return more than just the new child
TreeItem. The child is the first return value, so that function chaining will still work as before;
but it now also returns the value of the extracted field (i.e., a number, UInt64, Address, etc.). If
the value could not be extracted from the TvbRange, the child TreeItem is still returned, but the
second returned value is nil.
Another new feature added to this function in Wireshark version 1.11.3 is the ability to extract native
number ProtoField`s from string encoding in the `TvbRange, for ASCII-based
and similar string encodings. For example, a ProtoField of as ftypes.UINT32 type can be
extracted from a TvbRange containing the ASCII string "123", and it will correctly decode the ASCII
to the number 123, both in the tree as well as for the second return value of this function. To do so, you
must set the encoding argument of this function to the appropriate string ENC_* value, bitwise-ord
with the ENC_STRING value (see init.lua). ENC_STRING is guaranteed to be a unique bit flag,
and thus it can added instead of bitwise-ored as well. Only single-byte ASCII digit string encoding
types can be used for this, such as ENC_ASCII and ENC_UTF_8.
For example, assuming the Tvb named "tvb" contains the string "123":
-- this is done earlier in the script
local myfield = ProtoField.new("Transaction ID", "myproto.trans_id", ftypes.UINT16)
-- this is done inside a dissector, post-dissector, or heuristic function
-- child will be the created child tree, and value will be the number 123 or nil on failure
local child, value = tree:add_packet_field(myfield, tvb:range(0,3), ENC_UTF_8 + ENC_STRING)

Arguments
protofield

The ProtoField field object to add to the tree.

tvbrange (optional)

The TvbRange of bytes in the packet this tree item covers/

represents.

encoding

The fields encoding in the TvbRange.

label (optional)

One or more strings to append to the created TreeItem.

Returns
The new child TreeItem, the fields extracted value or nil, and offset or nil.

112

Lua Support in Wireshark

10.11.1.2. treeitem:add([protofield], [tvbrange], [value], [label])

Adds a child item to this tree item, returning the new child TreeItem.
If the ProtoField represents a numeric value (int, uint or float), then its treated as a Big Endian
(network order) value.
This function has a complicated form: treeitem:add([protofield,] [tvbrange,] value], label), such that
if the first argument is a ProtoField or a Proto, the second argument is a TvbRange, and a third
argument is given, its a value; but if the second argument is a non-TvbRange, then its the value
(as opposed to filling that argument with nil, which is invalid for this function). If the first argument
is a non-ProtoField and a non-Proto then this argument can be either a TvbRange or a label,
and the value is not in use.

Arguments
protofield (optional)

The ProtoField field or Proto protocol object to add to the tree.

tvbrange (optional)

The TvbRange of bytes in the packet this tree item covers/

represents.

value (optional)

The fields value, instead of the ProtoField/Proto one.

label (optional)

One or more strings to use for the tree item label, instead of the
ProtoField/Proto one.

Returns
The new child TreeItem.

10.11.1.3. treeitem:add_le([protofield], [tvbrange], [value], [label])

Adds a child item to this tree item, returning the new child TreeItem.
If the ProtoField represents a numeric value (int, uint or float), then its treated as a Little Endian
value.
This function has a complicated form: treeitem:add_le([protofield,] [tvbrange,] value], label), such
that if the first argument is a ProtoField or a Proto, the second argument is a TvbRange, and a
third argument is given, its a value; but if the second argument is a non-TvbRange, then its the value
(as opposed to filling that argument with nil, which is invalid for this function). If the first argument
is a non-ProtoField and a non-Proto then this argument can be either a TvbRange or a label,
and the value is not in use.

Arguments
protofield (optional)

The ProtoField field or Proto protocol object to add to the tree.

tvbrange (optional)

The TvbRange of bytes in the packet this tree item covers/

represents.

value (optional)

The fields value, instead of the ProtoField/Proto one.

label (optional)

One or more strings to use for the tree item label, instead of the
ProtoField/Proto one.

Returns
The new child TreeItem.

113

Lua Support in Wireshark

10.11.1.4. treeitem:set_text(text)
Sets the text of the label.
This used to return nothing, but as of 1.11.3 it returns the same tree item to allow chained calls.

Arguments
text

The text to be used.

Returns
The same TreeItem.

10.11.1.5. treeitem:append_text(text)
Appends text to the label.
This used to return nothing, but as of 1.11.3 it returns the same tree item to allow chained calls.

Arguments
text

The text to be appended.

Returns
The same TreeItem.

10.11.1.6. treeitem:prepend_text(text)
Prepends text to the label.
This used to return nothing, but as of 1.11.3 it returns the same tree item to allow chained calls.

Arguments
text

The text to be prepended.

Returns
The same TreeItem.

10.11.1.7. treeitem:add_expert_info([group], [severity], [text])

Sets the expert flags of the item and adds expert info to the packet.
This function does not create a truly filterable expert info for a protocol. Instead you should use
TreeItem.add_proto_expert_info().

Note
This function is provided for backwards compatibility only, and should not be
used in new Lua code. It may be removed in the future. You should only use
TreeItem.add_proto_expert_info().

Arguments
group (optional)

One of PI_CHECKSUM, PI_SEQUENCE, PI_RESPONSE_CODE,

PI_REQUEST_CODE, PI_UNDECODED, PI_REASSEMBLE,
PI_MALFORMED or PI_DEBUG.

114

Lua Support in Wireshark

severity (optional)

One of PI_CHAT, PI_NOTE, PI_WARN, or PI_ERROR.

text (optional)

The text for the expert info display.

Returns
The same TreeItem.

10.11.1.8. treeitem:add_proto_expert_info(expert, [text])

Sets the expert flags of the tree item and adds expert info to the packet.
Since: 1.11.3

Arguments
expert

The ProtoExpert object to add to the tree.

text (optional)

Text for the expert info display (default is to use the registered text).

Returns
The same TreeItem.

10.11.1.9. treeitem:add_tvb_expert_info(expert, tvb, [text])

Sets the expert flags of the tree item and adds expert info to the packet associated with the Tvb or
TvbRange bytes in the packet.
Since: 1.11.3

Arguments
expert

The ProtoExpert object to add to the tree.

tvb

The Tvb or TvbRange object bytes to associate the expert info with.

text (optional)

Text for the expert info display (default is to use the registered text).

Returns
The same TreeItem.

10.11.1.10. treeitem:set_generated()
Marks the TreeItem as a generated field (with data inferred but not contained in the packet).
This used to return nothing, but as of 1.11.3 it returns the same tree item to allow chained calls.

Returns
The same TreeItem.

10.11.1.11. treeitem:set_hidden()
This function should not be used, and is provided for backwards-compatibility only.

Returns
The same TreeItem.

115

Lua Support in Wireshark

10.11.1.12. treeitem:set_len(len)
Set `TreeItems length inside tvb, after it has already been created.
This used to return nothing, but as of 1.11.3 it returns the same tree item to allow chained calls.

Arguments
len

The length to be used.

Returns
The same TreeItem.

10.12. Functions for handling packet data

10.12.1. ByteArray
10.12.1.1. ByteArray.new([hexbytes], [separator])
Creates a ByteArray object.

Arguments
hexbytes (optional)

A string consisting of hexadecimal bytes like "00 B1 A2" or

"1a2b3c4d".

separator (optional)

A string separator between hex bytes/words (default=" "), or if the

boolean value true is used, then the first argument is treated as
raw binary data

Returns
The new ByteArray object.

10.12.1.2. bytearray:__concat(first, second)

Concatenate two ByteArrays.

Arguments
first

First array.

second

Second array.

Returns
The new composite ByteArray.

10.12.1.3. bytearray:__eq(first, second)

Compares two ByteArray values.
Since: 1.11.4

Arguments
first

First array.

116

Lua Support in Wireshark

second

Second array.

10.12.1.4. bytearray:prepend(prepended)
Prepend a ByteArray to this ByteArray.

Arguments
prepended

ByteArray to be prepended.

10.12.1.5. bytearray:append(appended)
Append a ByteArray to this ByteArray.

Arguments
appended

ByteArray to be appended.

10.12.1.6. bytearray:set_size(size)
Sets the size of a ByteArray, either truncating it or filling it with zeros.

Arguments
size

New size of the array.

Errors
ByteArray size must be non-negative

10.12.1.7. bytearray:set_index(index, value)

Sets the value of an index of a ByteArray.

Arguments
index

The position of the byte to be set.

value

The char value to set [0-255].

10.12.1.8. bytearray:get_index(index)
Get the value of a byte in a ByteArray.

Arguments
index

The position of the byte to get.

Returns
The value [0-255] of the byte.

10.12.1.9. bytearray:len()
Obtain the length of a ByteArray.

Returns
The length of the ByteArray.

117

Lua Support in Wireshark

10.12.1.10. bytearray:subset(offset, length)

Obtain a segment of a ByteArray, as a new ByteArray.

Arguments
offset

The position of the first byte (0=first).

length

The length of the segment.

Returns
A ByteArray containing the requested segment.

10.12.1.11. bytearray:base64_decode()
Obtain a base64 decoded ByteArray.

Returns
The created ByteArray.

10.12.1.12. bytearray:raw([offset], [length])

Obtain a Lua string of the binary bytes in a ByteArray.

Arguments
offset (optional)

The position of the first byte (default=0/first).

length (optional)

The length of the segment to get (default=all).

Returns
A Lua string of the binary bytes in the ByteArray.

10.12.1.13. bytearray:tohex([lowercase], [separator])

Obtain a Lua string of the bytes in a ByteArray as hex-ascii, with given separator

Arguments
lowercase (optional)

True to use lower-case hex characters (default=false).

separator (optional)

A string separator to insert between hex bytes (default=nil).

Returns
A hex-ascii string representation of the ByteArray.

10.12.1.14. bytearray:__tostring()
Obtain a Lua string containing the bytes in a ByteArray so that it can be used in display filters (e.g.
"01FE456789AB").

Returns
A hex-ascii string representation of the ByteArray.

118

Lua Support in Wireshark

10.12.2. Tvb
A Tvb represents the packets buffer. It is passed as an argument to listeners and dissectors, and can
be used to extract information (via TvbRange) from the packets data.
To create a TvbRange the Tvb must be called with offset and length as optional arguments; the offset
defaults to 0 and the length to tvb:len().

Warning
Tvbs are usable only by the current listener or dissector call and are destroyed as soon
as the listener/dissector returns, so references to them are unusable once the function
has returned.

10.12.2.1. ByteArray.tvb(name)
Creates a new Tvb from a ByteArray (it gets added to the current frame too).

Arguments
name

The name to be given to the new data-source.

Returns
The created Tvb.

10.12.2.2. TvbRange.tvb(range)
Creates a (sub)Tvb from a TvbRange.

Arguments
range

The TvbRange from which to create the new Tvb.

10.12.2.3. tvb:__tostring()
Convert the bytes of a Tvb into a string, to be used for debugging purposes, as will be appended
if the string is too long.

Returns
The string.

10.12.2.4. tvb:reported_len()
Obtain the reported (not captured) length of a Tvb.

Returns
The reported length of the Tvb.

10.12.2.5. tvb:len()
Obtain the actual (captured) length of a Tvb.

Returns
The captured length of the Tvb.

119

Lua Support in Wireshark

10.12.2.6. tvb:reported_length_remaining()
Obtain the reported (not captured) length of packet data to end of a Tvb or -1 if the offset is beyond
the end of the Tvb.

Returns
The captured length of the Tvb.

10.12.2.7. tvb:offset()
Returns the raw offset (from the beginning of the source Tvb) of a sub Tvb.

Returns
The raw offset of the Tvb.

10.12.2.8. tvb:__call()
Equivalent to tvb:range()

10.12.3. TvbRange
A TvbRange represents a usable range of a Tvb and is used to extract data from the Tvb that
generated it.
TvbRange`s are created by calling a `Tvb (e.g. tvb(offset,length)). If the TvbRange
span is outside the `Tvbs range the creation will cause a runtime error.

10.12.3.1. tvb:range([offset], [length])

Creates a TvbRange from this Tvb.

Arguments
offset (optional)

The offset (in octets) from the beginning of the Tvb. Defaults to 0.

length (optional)

The length (in octets) of the range. Defaults to until the end of the Tvb.

Returns
The TvbRange

10.12.3.2. tvb:raw([offset], [length])

Obtain a Lua string of the binary bytes in a Tvb.

Arguments
offset (optional)

The position of the first byte (default=0/first).

length (optional)

The length of the segment to get (default=all).

Returns
A Lua string of the binary bytes in the Tvb.

120

Lua Support in Wireshark

10.12.3.3. tvbrange:uint()
Get a Big Endian (network order) unsigned integer from a TvbRange. The range must be 1, 2, 3
or 4 octets long.

Returns
The unsigned integer value.

10.12.3.4. tvbrange:le_uint()
Get a Little Endian unsigned integer from a TvbRange. The range must be 1, 2, 3 or 4 octets long.

Returns
The unsigned integer value

10.12.3.5. tvbrange:uint64()
Get a Big Endian (network order) unsigned 64 bit integer from a TvbRange, as a UInt64 object.
The range must be 1-8 octets long.

Returns
The UInt64 object.

10.12.3.6. tvbrange:le_uint64()
Get a Little Endian unsigned 64 bit integer from a TvbRange, as a UInt64 object. The range must
be 1-8 octets long.

Returns
The UInt64 object.

10.12.3.7. tvbrange:int()
Get a Big Endian (network order) signed integer from a TvbRange. The range must be 1, 2 or 4
octets long.

Returns
The signed integer value

10.12.3.8. tvbrange:le_int()
Get a Little Endian signed integer from a TvbRange. The range must be 1, 2 or 4 octets long.

Returns
The signed integer value.

10.12.3.9. tvbrange:int64()
Get a Big Endian (network order) signed 64 bit integer from a TvbRange, as an Int64 object. The
range must be 1-8 octets long.

Returns
The Int64 object.

121

Lua Support in Wireshark

10.12.3.10. tvbrange:le_int64()
Get a Little Endian signed 64 bit integer from a TvbRange, as an Int64 object. The range must
be 1-8 octets long.

Returns
The Int64 object.

10.12.3.11. tvbrange:float()
Get a Big Endian (network order) floating point number from a TvbRange. The range must be 4
or 8 octets long.

Returns
The floating point value.

10.12.3.12. tvbrange:le_float()
Get a Little Endian floating point number from a TvbRange. The range must be 4 or 8 octets long.

Returns
The floating point value.

10.12.3.13. tvbrange:ipv4()
Get an IPv4 Address from a TvbRange, as an Address object.

Returns
The IPv4 Address object.

10.12.3.14. tvbrange:le_ipv4()
Get an Little Endian IPv4 Address from a TvbRange, as an Address object.

Returns
The IPv4 Address object.

10.12.3.15. tvbrange:ether()
Get an Ethernet Address from a TvbRange, as an Address object.

Returns
The Ethernet Address object.

Errors
The range must be 6 bytes long

10.12.3.16. tvbrange:nstime([encoding])
Obtain a time_t structure from a TvbRange, as an NSTime object.

122

Lua Support in Wireshark

Arguments
encoding (optional)

An optional ENC_* encoding value to use

Returns
The NSTime object and number of bytes used, or nil on failure.

Errors
The range must be 4 or 8 bytes long

10.12.3.17. tvbrange:le_nstime()
Obtain a nstime from a TvbRange, as an NSTime object.

Returns
The NSTime object.

Errors
The range must be 4 or 8 bytes long

10.12.3.18. tvbrange:string([encoding])
Obtain a string from a TvbRange.

Arguments
encoding (optional)

The encoding to use. Defaults to ENC_ASCII.

Returns
The string

10.12.3.19. tvbrange:ustring()
Obtain a Big Endian (network order) UTF-16 encoded string from a TvbRange.

Returns
The string.

10.12.3.20. tvbrange:le_ustring()
Obtain a Little Endian UTF-16 encoded string from a TvbRange.

Returns
The string.

10.12.3.21. tvbrange:stringz([encoding])
Obtain a zero terminated string from a TvbRange.

Arguments
encoding (optional)

The encoding to use. Defaults to ENC_ASCII.

123

Lua Support in Wireshark

Returns
The zero terminated string.

10.12.3.22. tvbrange:strsize([encoding])
Find the size of a zero terminated string from a TvbRange. The size of the string includes the
terminating zero.

Arguments
encoding (optional)

The encoding to use. Defaults to ENC_ASCII.

Returns
Length of the zero terminated string.

10.12.3.23. tvbrange:ustringz()
Obtain a Big Endian (network order) UTF-16 encoded zero terminated string from a TvbRange.

Returns
Two return values: the zero terminated string, and the length.

10.12.3.24. tvbrange:le_ustringz()
Obtain a Little Endian UTF-16 encoded zero terminated string from a TvbRange

Returns
Two return values: the zero terminated string, and the length.

10.12.3.25. tvbrange:bytes([encoding])
Obtain a ByteArray from a TvbRange.
Starting in 1.11.4, this function also takes an optional encoding argument, which can be set to
ENC_STR_HEX to decode a hex-string from the TvbRange into the returned ByteArray. The
encoding can be bitwise-ored with one or more separator encodings, such as ENC_SEP_COLON,
to allow separators to occur between each pair of hex characters.
The return value also now returns the number of bytes used as a second return value.
On failure or error, nil is returned for both return values.

Note
The encoding type of the hex string should also be set, for example ENC_ASCII or
ENC_UTF_8, along with ENC_STR_HEX.

Arguments
encoding (optional)

An optional ENC_* encoding value to use

Returns
The ByteArray object or nil, and number of bytes consumed or nil.

124

Lua Support in Wireshark

10.12.3.26. tvbrange:bitfield([position], [length])

Get a bitfield from a TvbRange.

Arguments
position (optional)

The bit offset from the beginning of the TvbRange. Defaults to 0.

length (optional)

The length (in bits) of the field. Defaults to 1.

Returns
The bitfield value

10.12.3.27. tvbrange:range([offset], [length], name)

Creates a sub-TvbRange from this TvbRange.

Arguments
offset (optional)

The offset (in octets) from the beginning of the TvbRange. Defaults
to 0.

length (optional)

The length (in octets) of the range. Defaults to until the end of the
TvbRange.

name

The name to be given to the new data-source.

Returns
The TvbRange
The TvbRange

10.12.3.28. tvbrange:len()
Obtain the length of a TvbRange.

10.12.3.29. tvbrange:offset()
Obtain the offset in a TvbRange.

10.12.3.30. tvbrange:raw([offset], [length])

Obtain a Lua string of the binary bytes in a TvbRange.

Arguments
offset (optional)

The position of the first byte (default=0/first).

length (optional)

The length of the segment to get (default=all).

Returns
A Lua string of the binary bytes in the TvbRange.

10.12.3.31. tvbrange:__tostring()
Converts the TvbRange into a string. Since the string gets truncated, you should use this only for
debugging purposes or if what you want is to have a truncated string in the format 67:89:AB:

125

Lua Support in Wireshark

Returns
A Lua hex string of the first 24 binary bytes in the TvbRange.

10.13. Custom file format reading/writing

The classes/functions defined in this section allow you to create your own custom Lua-based "capture"
file reader, or writer, or both.
Since: 1.11.3

10.13.1. CaptureInfo
A CaptureInfo object, passed into Lua as an argument by FileHandler callback function
read_open(), read(), seek_read(), seq_read_close(), and read_close(). This
object represents capture file data and meta-data (data about the capture file) being read into Wireshark/
Tshark.
This objects fields can be written-to by Lua during the read-based function callbacks. In other words,
when the Lua plugins FileHandler.read_open() function is invoked, a CaptureInfo
object will be passed in as one of the arguments, and its fields should be written to by your Lua code
to tell Wireshark about the capture.
Since: 1.11.3

10.13.1.1. captureinfo:__tostring()
Generates a string of debug info for the CaptureInfo

Returns
String of debug information.

10.13.2. captureinfo.encap
Mode: Retrieve or assign.
The packet encapsulation type for the whole file.
See wtap_encaps in init.lua for available types. Set to wtap_encaps.PER_PACKET if
packets can have different types, then later set FrameInfo.encap for each packet during read()/
seek_read().

10.13.3. captureinfo.time_precision
Mode: Retrieve or assign.
The precision of the packet timestamps in the file.
See wtap_file_tsprec in init.lua for available precisions.

10.13.4. captureinfo.snapshot_length
Mode: Retrieve or assign.
The maximum packet length that could be recorded.
Setting it to 0 means unknown. Wireshark cannot handle anything bigger than 65535 bytes.

126

Lua Support in Wireshark

10.13.5. captureinfo.comment
Mode: Retrieve or assign.
A string comment for the whole capture file, or nil if there is no comment.

10.13.6. captureinfo.hardware
Mode: Retrieve or assign.
A string containing the description of the hardware used to create the capture, or nil if there is no
hardware string.

10.13.7. captureinfo.os
Mode: Retrieve or assign.
A string containing the name of the operating system used to create the capture, or nil if there is no
os string.

10.13.8. captureinfo.user_app
Mode: Retrieve or assign.
A string containing the name of the application used to create the capture, or nil if there is no
user_app string.

10.13.9. captureinfo.hosts
Mode: Assign only.
Sets resolved ip-to-hostname information.
The value set must be a Lua table of two key-ed names: ipv4_addresses and
ipv6_addresses. The value of each of these names are themselves array tables, of key-ed tables,
such that the inner table has a key addr set to the raw 4-byte or 16-byte IP address Lua string and
a name set to the resolved name.
For example, if the capture file identifies one resolved IPv4 address of 1.2.3.4 to foo.com, then you
must set CaptureInfo.hosts to a table of:
{ ipv4_addresses = { { addr = "\01\02\03\04", name = "foo.com" } } }

Note that either the ipv4_addresses or the ipv6_addresses table, or both, may be empty
or nil.

10.13.10. captureinfo.private_table
Mode: Retrieve or assign.
A private Lua value unique to this file.
The private_table is a field you set/get with your own Lua table. This is provided so that a Lua
script can save per-file reading/writing state, because multiple files can be opened and read at the
same time.
For example, if the user issued a reload-file command, or Lua called the reload() function, then
the current capture file is still open while a new one is being opened, and thus Wireshark will invoke
read_open() while the previous capture file has not caused read_close() to be called; and if

127

Lua Support in Wireshark

the read_open() succeeds then read_close() will be called right after that for the previous
file, rather than the one just opened. Thus the Lua script can use this private_table to store a
table of values specific to each file, by setting this private_table in the read_open() function,
which it can then later get back inside its read(), seek_read(), and read_close() functions.

10.13.11. CaptureInfoConst
A CaptureInfoConst object, passed into Lua as an argument to the FileHandler callback
function write_open().
This object represents capture file data and meta-data (data about the capture file) for the current
capture in Wireshark/Tshark.
This objects fields are read-from when used by write_open function callback. In other words,
when the Lua plugins FileHandler write_open function is invoked, a CaptureInfoConst
object will be passed in as one of the arguments, and its fields should be read from by your Lua code
to get data about the capture that needs to be written.
Since: 1.11.3

10.13.11.1. captureinfoconst:__tostring()
Generates a string of debug info for the CaptureInfoConst

Returns
String of debug information.

10.13.12. captureinfoconst.type
Mode: Retrieve only.
The file type.

10.13.13. captureinfoconst.snapshot_length
Mode: Retrieve only.
The maximum packet length that is actually recorded (vs. the original length of any given packet onthe-wire). A value of 0 means the snapshot length is unknown or there is no one such length for the
whole file.

10.13.14. captureinfoconst.encap
Mode: Retrieve only.
The packet encapsulation type for the whole file.
See wtap_encaps in init.lua for available types. It is set to wtap_encaps.PER_PACKET
if packets can have different types, in which case each Frame identifies its type, in
FrameInfo.packet_encap.

10.13.15. captureinfoconst.comment
Mode: Retrieve or assign.
A comment for the whole capture file, if the wtap_presence_flags.COMMENTS was set in the
presence flags; nil if there is no comment.

128

Lua Support in Wireshark

10.13.16. captureinfoconst.hardware
Mode: Retrieve only.
A string containing the description of the hardware used to create the capture, or nil if there is no
hardware string.

10.13.17. captureinfoconst.os
Mode: Retrieve only.
A string containing the name of the operating system used to create the capture, or nil if there is no
os string.

10.13.18. captureinfoconst.user_app
Mode: Retrieve only.
A string containing the name of the application used to create the capture, or nil if there is no user_app
string.

10.13.19. captureinfoconst.hosts
Mode: Retrieve only.
A ip-to-hostname Lua table of two key-ed names: ipv4_addresses and ipv6_addresses. The
value of each of these names are themselves array tables, of key-ed tables, such that the inner table has
a key addr set to the raw 4-byte or 16-byte IP address Lua string and a name set to the resolved name.
For example, if the current capture has one resolved IPv4 address of 1.2.3.4 to foo.com, then getting
CaptureInfoConst.hosts will get a table of:
{ ipv4_addresses = { { addr = "\01\02\03\04", name = "foo.com" } }, ipv6_addresses = { } }

Note that either the ipv4_addresses or the ipv6_addresses table, or both, may be empty,
however they will not be nil.

10.13.20. captureinfoconst.private_table
Mode: Retrieve or assign.
A private Lua value unique to this file.
The private_table is a field you set/get with your own Lua table. This is provided so that a Lua
script can save per-file reading/writing state, because multiple files can be opened and read at the
same time.
For example, if two Lua scripts issue a Dumper:new_for_current() call and the current
file happens to use your scripts writer, then the Wireshark will invoke write_open()
while the previous capture file has not had write_close() called. Thus the Lua script can
use this private_table to store a table of values specific to each file, by setting this
private_table in the write_open() function, which it can then later get back inside its write(),
and write_close() functions.

10.13.21. File
A File object, passed into Lua as an argument by FileHandler callback functions (e.g., read_open,
read, write, etc.). This behaves similarly to the Lua io librarys file object, returned when
calling io.open(), except in this case you cannot call file:close(), file:open(), nor

129

Lua Support in Wireshark

file:setvbuf(), since Wireshark/tshark manages the opening and closing of files. You also
cannot use the io library itself on this object, i.e. you cannot do io.read(file, 4). Instead,
use this File with the object-oriented style calling its methods, i.e. myfile:read(4). (see later
example)
The purpose of this object is to hide the internal complexity of how Wireshark handles files, and
instead provide a Lua interface that is familiar, by mimicking the io library. The reason true/raw io
files cannot be used is because Wireshark does many things under the hood, such as compress the file,
or write to stdout, or various other things based on configuration/commands.
When a File object is passed in through reading-based callback functions, such as read_open(),
read(), and read_close(), then the File objects write() and flush() functions are not
usable and will raise an error if used.
When a File object is passed in through writing-based callback functions, such as write_open(),
write(), and write_close(), then the File objects read() and lines() functions are not
usable and will raise an error if used.

Note
a File object should never be stored/saved beyond the scope of the callback function
it is passed in to.
For example:
function myfilehandler.read_open(file, capture)
local position = file:seek()
-- read 24 bytes
local line = file:read(24)
-- do stuff
-- it's not our file type, seek back (unnecessary but just to show it...)
file:seek("set",position)
-- return false because it's not our file type
return false
end

Since: 1.11.3

10.13.21.1. file:read()
Reads from the File, similar to Luas file:read(). See Lua 5.x ref manual for file:read().

10.13.21.2. file:seek()
Seeks in the File, similar to Luas file:seek(). See Lua 5.x ref manual for file:seek().

Returns
The current file cursor position as a number.

10.13.21.3. file:lines()
Lua iterator function for retrieving ASCII File lines, similar to Luas file:lines(). See Lua 5.x
ref manual for file:lines().

10.13.21.4. file:write()
Writes to the File, similar to Luas file:write(). See Lua 5.x ref manual for file:write().

130

Lua Support in Wireshark

10.13.21.5. file:__tostring()
Generates a string of debug info for the File object

Returns
String of debug information.

10.13.22. file.compressed
Mode: Retrieve only.
Whether the File is compressed or not.
See wtap_encaps in init.lua for available types. Set to wtap_encaps.PER_PACKET if packets
can have different types, then later set FrameInfo.encap for each packet during read()/
seek_read().

10.13.23. FileHandler
A FileHandler object, created by a call to FileHandler.new(arg1, arg2, ). The FileHandler object lets
you create a file-format reader, or writer, or both, by setting your own read_open/read or write_open/
write functions.
Since: 1.11.3

10.13.23.1. FileHandler.new(name, shortname, description, type)

Creates a new FileHandler

Arguments
name

The name of the file type, for display purposes only. E.g., "Wireshark - pcapng"

shortname

The file type short name, used as a shortcut in various places. E.g., "pcapng".
Note: the name cannot already be in use.

description

Descriptive text about this file format, for display purposes only

type

The type of FileHandler, "r"/"w"/"rw" for reader/writer/both, include "m" for

magic, "s" for strong heuristic

Returns
The newly created FileHandler object

10.13.23.2. filehandler:__tostring()
Generates a string of debug info for the FileHandler

Returns
String of debug information.

10.13.24. filehandler.read_open
Mode: Assign only.
The Lua function to be called when Wireshark opens a file for reading.

131

Lua Support in Wireshark

When later called by Wireshark, the Lua function will be given:

1. A File object
2. A CaptureInfo object
The purpose of the Lua function set to this read_open field is to check if the file Wireshark is
opening is of its type, for example by checking for magic numbers or trying to parse records in the
file, etc. The more can be verified the better, because Wireshark tries all file readers until it finds one
that accepts the file, so accepting an incorrect file prevents other file readers from reading their files.
The called Lua function should return true if the file is its type (it accepts it), false if not. The Lua
function must also set the File offset position (using file:seek()) to where it wants it to be for
its first read() call.

10.13.25. filehandler.read
Mode: Assign only.
The Lua function to be called when Wireshark wants to read a packet from the file.
When later called by Wireshark, the Lua function will be given:
1. A File object
2. A CaptureInfo object
3. A FrameInfo object
The purpose of the Lua function set to this read field is to read the next packet from the file,
and setting the parsed/read packet into the frame buffer using FrameInfo.data = foo or
FrameInfo:read_data().
The called Lua function should return the file offset/position number where the packet begins, or false
if it hit an error. The file offset will be saved by Wireshark and passed into the set seek_read()
Lua function later.

10.13.26. filehandler.seek_read
Mode: Assign only.
The Lua function to be called when Wireshark wants to read a packet from the file at the given offset.
When later called by Wireshark, the Lua function will be given:
1. A File object
2. A CaptureInfo object
3. A FrameInfo object
4. The file offset number previously set by the read() function call

10.13.27. filehandler.read_close
Mode: Assign only.
The Lua function to be called when Wireshark wants to close the read file completely.
When later called by Wireshark, the Lua function will be given:

132

Lua Support in Wireshark

1. A File object
2. A CaptureInfo object
It is not necessary to set this field to a Lua function - FileHandler can be registered without doing so
- it is available in case there is memory/state to clear in your script when the file is closed.

10.13.28. filehandler.seq_read_close
Mode: Assign only.
The Lua function to be called when Wireshark wants to close the sequentially-read file.
When later called by Wireshark, the Lua function will be given:
1. A File object
2. A CaptureInfo object
It is not necessary to set this field to a Lua function - FileHandler can be registered without doing so - it
is available in case there is memory/state to clear in your script when the file is closed for the sequential
reading portion. After this point, there will be no more calls to read(), only seek_read().

10.13.29. filehandler.can_write_encap
Mode: Assign only.
The Lua function to be called when Wireshark wants to write a file, by checking if this file writer can
handle the wtap packet encapsulation(s).
When later called by Wireshark, the Lua function will be given a Lua number, which matches one of
the encapsulations in the Lua wtap_encaps table. This might be the wtap_encap.PER_PACKET
number, meaning the capture contains multiple encapsulation types, and the file reader should only
return true if it can handle multiple encap types in one file. The function will then be called again,
once for each encap type in the file, to make sure it can write each one.
If the Lua file writer can write the given type of encapsulation into a file, then it returns the boolean
true, else false.

10.13.30. filehandler.write_open
Mode: Assign only.
The Lua function to be called when Wireshark opens a file for writing.
When later called by Wireshark, the Lua function will be given:
1. A File object
2. A CaptureInfoConst object
The purpose of the Lua function set to this write_open field is similar to the read_open callback
function: to initialize things necessary for writing the capture to a file. For example, if the output file
format has a file header, then the file header should be written within this write_open function.
The called Lua function should return true on success, or false if it hit an error.
Also
make
sure
to
set
the
FileHandler.write
(and
FileHandler.write_close) functions before returning true from this function.

133

potentially

Lua Support in Wireshark

10.13.31. filehandler.write
Mode: Assign only.
The Lua function to be called when Wireshark wants to write a packet to the file.
When later called by Wireshark, the Lua function will be given:
1. A File object
2. A CaptureInfoConst object
3. A FrameInfoConst object of the current frame/packet to be written
The purpose of the Lua function set to this write field is to write the next packet to the file.
The called Lua function should return true on success, or false if it hit an error.

10.13.32. filehandler.write_close
Mode: Assign only.
The Lua function to be called when Wireshark wants to close the written file.
When later called by Wireshark, the Lua function will be given:
1. A File object
2. A CaptureInfoConst object
It is not necessary to set this field to a Lua function - FileHandler can be registered without doing
so - it is available in case there is memory/state to clear in your script when the file is closed.

10.13.33. filehandler.type
Mode: Retrieve only.
The internal file type. This is automatically set with a new number when the FileHandler is registered.

10.13.34. filehandler.extensions
Mode: Retrieve or assign.
One or more file extensions that this file type usually uses.
For readers using heuristics to determine file type, Wireshark will try the readers of the files extension
first, before trying other readers. But ultimately Wireshark tries all file readers for any file extension,
until it finds one that accepts the file.

10.13.35. filehandler.writing_must_seek
Mode: Retrieve or assign.
True if the ability to seek is required when writing this file format, else false.
This will be checked by Wireshark when writing out to compressed file formats, because seeking is
not possible with compressed files. Usually a file writer only needs to be able to seek if it needs to go
back in the file to change something, such as a block or file length value earlier in the file.

134

Lua Support in Wireshark

10.13.36. filehandler.writes_name_resolution
Mode: Retrieve or assign.
True if the file format supports name resolution records, else false.

10.13.37. filehandler.supported_comment_types
Mode: Retrieve or assign.
Set to the bit-wise ORed number representing the type of comments the file writer supports writing,
based on the numbers in the wtap_comments table.

10.13.38. FrameInfo
A FrameInfo object, passed into Lua as an argument by FileHandler callback functions (e.g., read,
seek_read, etc.).
This object represents frame data and meta-data (data about the frame/packet) for a given read/
seek_read/`writes frame.
This objects fields are written-to/set when used by read function callbacks, and read-from/get when
used by file write function callbacks. In other words, when the Lua plugins FileHandler read/
seek_read/etc. functions are invoked, a FrameInfo object will be passed in as one of the arguments,
and its fields should be written-to/set based on the frame information read from the file; whereas when
the Lua plugins FileHandler.write() function is invoked, the FrameInfo object passed in
should have its fields read-from/get, to write that frame information to the file.
Since: 1.11.3

10.13.38.1. frameinfo:__tostring()
Generates a string of debug info for the FrameInfo

Returns
String of debug information.

10.13.38.2. frameinfo:read_data(file, length)

Tells Wireshark to read directly from given file into frame data buffer, for length bytes. Returns true
if succeeded, else false.

Arguments
file

The File object userdata, provided by Wireshark previously in a reading-based callback.

length

The number of bytes to read from the file at the current cursor position.

Returns
True if succeeded, else returns false along with the error number and string error description.
A Lua string of the frame buffers data.

10.13.39. frameinfo.time
Mode: Retrieve or assign.

135

Lua Support in Wireshark

The packet timestamp as an NSTime object.

Note
Set
the
FileHandler.time_precision
wtap_file_tsprec value as well.

to

the

appropriate

10.13.40. frameinfo.data
Mode: Retrieve or assign.
The data buffer containing the packet.

Note
This cannot be cleared once set.

10.13.41. frameinfo.rec_type
Mode: Retrieve or assign.
The record type of the packet frame
See wtap_rec_types in init.lua for values.

10.13.42. frameinfo.flags
Mode: Retrieve or assign.
The presence flags of the packet frame.
See wtap_presence_flags in init.lua for bit values.

10.13.43. frameinfo.captured_length
Mode: Retrieve or assign.
The captured packet length, and thus the length of the buffer passed to the FrameInfo.data field.

10.13.44. frameinfo.original_length
Mode: Retrieve or assign.
The on-the-wire packet length, which may be longer than the captured_length.

10.13.45. frameinfo.encap
Mode: Retrieve or assign.
The packet encapsulation type for the frame/packet, if the file supports per-packet types. See
wtap_encaps in init.lua for possible packet encapsulation types to use as the value for this
field.

10.13.46. frameinfo.comment
Mode: Retrieve or assign.

136

Lua Support in Wireshark

A string comment for the packet, if the wtap_presence_flags.COMMENTS was set in the
presence flags; nil if there is no comment.

10.13.47. FrameInfoConst
A constant FrameInfo object, passed into Lua as an argument by the FileHandler write callback
function. This has similar attributes/properties as FrameInfo, but the fields can only be read from, not
written to.
Since: 1.11.3

10.13.47.1. frameinfoconst:__tostring()
Generates a string of debug info for the FrameInfo

Returns
String of debug information.

10.13.47.2. frameinfoconst:write_data(file, [length])

Tells Wireshark to write directly to given file from the frame data buffer, for length bytes. Returns
true if succeeded, else false.

Arguments
file

The File object userdata, provided by Wireshark previously in a

writing-based callback.

length (optional)

The number of bytes to write to the file at the current cursor position,
or all if not supplied.

Returns
True if succeeded, else returns false along with the error number and string error description.

10.13.48. frameinfoconst.time
Mode: Retrieve only.
The packet timestamp as an NSTime object.

10.13.49. frameinfoconst.data
Mode: Retrieve only.
The data buffer containing the packet.

10.13.50. frameinfoconst.rec_type
Mode: Retrieve only.
The record type of the packet frame - see wtap_presence_flags in init.lua for values.

10.13.51. frameinfoconst.flags
Mode: Retrieve only.
The presence flags of the packet frame - see wtap_presence_flags in init.lua for bits.

137

Lua Support in Wireshark

10.13.52. frameinfoconst.captured_length
Mode: Retrieve only.
The captured packet length, and thus the length of the buffer in the FrameInfoConst.data field.

10.13.53. frameinfoconst.original_length
Mode: Retrieve only.
The on-the-wire packet length, which may be longer than the captured_length.

10.13.54. frameinfoconst.encap
Mode: Retrieve only.
The packet encapsulation type, if the file supports per-packet types.
See wtap_encaps in init.lua for possible packet encapsulation types to use as the value for
this field.

10.13.55. frameinfoconst.comment
Mode: Retrieve only.
A comment for the packet; nil if there is none.

10.13.56. Global Functions

10.13.56.1. register_filehandler(filehandler)
Register the FileHandler into Wireshark/tshark, so they can read/write this new format. All functions
and settings must be complete before calling this registration function. This function cannot be called
inside the reading/writing callback functions.

Arguments
filehandler

The FileHandler object to be registered

Returns
the new type number for this file reader/write

10.13.56.2. deregister_filehandler(filehandler)
De-register the FileHandler from Wireshark/tshark, so it no longer gets used for reading/writing/
display. This function cannot be called inside the reading/writing callback functions.

Arguments
filehandler

The FileHandler object to be de-registered

10.14. Directory handling functions

10.14.1. Dir
A Directory object, as well as associated functions.

138

Lua Support in Wireshark

10.14.1.1. Dir.make(name)
Creates a directory.
The created directory is set for permission mode 0755 (octal), meaning it is read+write+execute by
owner, but only read+execute by group and others.
IF the directory was created successfully, a boolean true is returned. If the directory cannot be made
because it already exists, false is returned. If the directory cannot be made because an error occurred,
nil is returned.
Since: 1.11.3

Arguments
name

The name of the directory, possibly including path.

Returns
Boolean true on success, false if already exists, nil on error.

10.14.1.2. Dir.exists(name)
Returns true if the given directory name exists.
If the directory exists, a boolean true is returned. If the path is a file instead, false is returned. If
the path does not exist or an error occurred, nil is returned.
Since: 1.11.3

Arguments
name

The name of the directory, possibly including path.

Returns
Boolean true if the directory exists, false if its a file, nil on error/not-exist.

10.14.1.3. Dir.remove(name)
Removes an empty directory.
If the directory was removed successfully, a boolean true is returned. If the directory cannot be
removed because it does not exist, false is returned. If the directory cannot be removed because an
error occurred, nil is returned.
This function only removes empty directories. To remove a directory regardless, use
Dir.remove_all().
Since: 1.11.3

Arguments
name

The name of the directory, possibly including path.

Returns
Boolean true on success, false if does not exist, nil on error.

139

Lua Support in Wireshark

10.14.1.4. Dir.remove_all(name)
Removes an empty or non-empty directory.
If the directory was removed successfully, a boolean true is returned. If the directory cannot be
removed because it does not exist, false is returned. If the directory cannot be removed because an
error occurred, nil is returned.
Since: 1.11.3

Arguments
name

The name of the directory, possibly including path.

Returns
Boolean true on success, false if does not exist, nil on error.

10.14.1.5. Dir.open(pathname, [extension])

Opens a directory and returns a Dir object representing the files in the directory.
for filename in Dir.open(path) do ... end

Arguments
pathname

The pathname of the directory.

extension (optional)

If given, only files with this extension will be returned.

Returns
the Dir object.

10.14.1.6. Dir.personal_config_path([filename])
Gets the personal configuration directory path, with filename if supplied.
Since: 1.11.3

Arguments
filename (optional)

A filename.

Returns
The full pathname for a file in the personal configuration directory.

10.14.1.7. Dir.global_config_path([filename])
Gets the global configuration directory path, with filename if supplied.
Since: 1.11.3

Arguments
filename (optional)

A filename

Returns
The full pathname for a file in wiresharks configuration directory.

140

Lua Support in Wireshark

10.14.1.8. Dir.personal_plugins_path()
Gets the personal plugins directory path.
Since: 1.11.3

Returns
The pathname for the personal plugins directory.

10.14.1.9. Dir.global_plugins_path()
Gets the global plugins directory path.
Since: 1.11.3

Returns
The pathname for the global plugins directory.

10.14.1.10. dir:__call()
At every invocation will return one file (nil when done).

10.14.1.11. dir:close()
Closes the directory.

10.15. Utility Functions

10.15.1. Global Functions
10.15.1.1. get_version()
Gets a string of the Wireshark version.

Returns
version string

10.15.1.2. format_date(timestamp)
Formats an absolute timestamp into a human readable date.

Arguments
timestamp

A timestamp value to convert.

Returns
A string with the formated date

10.15.1.3. format_time(timestamp)
Formats a relative timestamp in a human readable form.

Arguments
timestamp

A timestamp value to convert.

141

Lua Support in Wireshark

Returns
A string with the formated time

10.15.1.4. report_failure(text)
Reports a failure to the user.

Arguments
text

Message text to report.

10.15.1.5. critical()
Will add a log entry with critical severity.

Arguments

Objects to be printed

10.15.1.6. warn()
Will add a log entry with warn severity.

Arguments

Objects to be printed

10.15.1.7. message()
Will add a log entry with message severity.

Arguments

Objects to be printed

10.15.1.8. info()
Will add a log entry with info severity.

Arguments

Objects to be printed

10.15.1.9. debug()
Will add a log entry with debug severity.

Arguments

Objects to be printed

10.15.1.10. loadfile(filename)
Luas loadfile() has been modified so that if a file does not exist in the current directory it will look
for it in wiresharks user and system directories.

Arguments
filename

Name of the file to be loaded.

142

Lua Support in Wireshark

10.15.1.11. dofile(filename)
Luas dofile() has been modified so that if a file does not exist in the current directory it will look for
it in wiresharks user and system directories.

Arguments
filename

Name of the file to be run.

10.15.1.12. register_stat_cmd_arg(argument, [action])

Register a function to handle a -z option

Arguments
argument

Argument

action (optional)

Action

10.16. Handling 64-bit Integers

Lua uses one single number representation which can be chosen at compile time and since it is often
set to IEEE 754 double precision floating point, one cannot store a 64 bit integer with full precision.
For details, see http://wiki.wireshark.org/LuaAPI/Int64.

10.16.1. Int64
Int64 represents a 64 bit signed integer.
For details, see http://wiki.wireshark.org/LuaAPI/Int64.

10.16.1.1. Int64.decode(string, [endian])

Decodes an 8-byte Lua string, using given endianness, into a new Int64 object.
Since: 1.11.3

Arguments
string

The Lua string containing a binary 64-bit integer.

endian (optional)

If set to true then little-endian is used, if false then big-endian; if

missing/nil, native host endian.

Returns
The Int64 object created, or nil on failure.

10.16.1.2. Int64.new([value], [highvalue])

Creates a Int64 Object.
Since: 1.11.3

Arguments
value (optional)

A number, UInt64, Int64, or string of ASCII digits to assign

the value of the new Int64 (default=0).

143

Lua Support in Wireshark

highvalue (optional)

If this is a number and the first argument was a number, then the
first will be treated as a lower 32-bits, and this is the high-order
32 bit number.

Returns
The new Int64 object.

10.16.1.3. Int64.max()
Gets the max possible value.
Since: 1.11.3

Returns
The new Int64 object of the max value.

10.16.1.4. Int64.min()
Gets the min possible value.
Since: 1.11.3

Returns
The new Int64 object of the min value.

10.16.1.5. Int64.fromhex(hex)
Creates an Int64 object from the given hex string.
Since: 1.11.3

Arguments
hex

The hex-ascii Lua string.

Returns
The new Int64 object.

10.16.1.6. int64:encode([endian])
Encodes the Int64 number into an 8-byte Lua string, using given endianness.
Since: 1.11.3

Arguments
endian (optional)

If set to true then little-endian is used, if false then big-endian; if

missing/nil, native host endian.

Returns
The Lua string.

10.16.1.7. int64:__call()
Creates a Int64 Object.

144

Lua Support in Wireshark

Since: 1.11.3

Returns
The new Int64 object.

10.16.1.8. int64:tonumber()
Returns a Lua number of the Int64 value - this may lose precision.
Since: 1.11.3

Returns
The Lua number.

10.16.1.9. int64:tohex([numbytes])
Returns a hex string of the Int64 value.
Since: 1.11.3

Arguments
numbytes (optional)

The number of hex-chars/nibbles to generate, negative means

uppercase (default=16).

Returns
The string hex.

10.16.1.10. int64:higher()
Returns a Lua number of the higher 32-bits of the Int64 value. (negative Int64 will return a
negative Lua number).
Since: 1.11.3

Returns
The Lua number.

10.16.1.11. int64:lower()
Returns a Lua number of the lower 32-bits of the Int64 value. (always positive).
Since: 1.11.3

Returns
The Lua number.

10.16.1.12. int64:__tostring()
Converts the Int64 into a string of decimal digits.

Returns
The Lua string.

145

Lua Support in Wireshark

10.16.1.13. int64:__unm()
Returns the negative of the Int64, in a new Int64.
Since: 1.11.3

Returns
The new Int64.

10.16.1.14. int64:__add()
Adds two Int64 together and returns a new one (this may wrap the value).
Since: 1.11.3

10.16.1.15. int64:__sub()
Subtracts two Int64 and returns a new one (this may wrap the value).
Since: 1.11.3

10.16.1.16. int64:__mul()
Multiplies two Int64 and returns a new one (this may truncate the value).
Since: 1.11.3

10.16.1.17. int64:__div()
Divides two Int64 and returns a new one (integer divide, no remainder). Trying to divide by zero
results in a Lua error.
Since: 1.11.3

Returns
The Int64 object.

10.16.1.18. int64:__mod()
Divides two Int64 and returns a new one of the remainder. Trying to modulo by zero results in a
Lua error.
Since: 1.11.3

Returns
The Int64 object.

10.16.1.19. int64:__pow()
The first Int64 is taken to the power of the second Int64, returning a new one (this may truncate
the value).
Since: 1.11.3

Returns
The Int64 object.

146

Lua Support in Wireshark

10.16.1.20. int64:__eq()
Returns true if both Int64 are equal.
Since: 1.11.3

10.16.1.21. int64:__lt()
Returns true if first Int64 < second.
Since: 1.11.3

10.16.1.22. int64:__le()
Returns true if first Int64 second.
Since: 1.11.3

10.16.1.23. int64:bnot()
Returns a Int64 of the bitwise not operation.
Since: 1.11.3

Returns
The Int64 object.

10.16.1.24. int64:band()
Returns a Int64 of the bitwise and operation, with the given number/Int64/UInt64. Note that
multiple arguments are allowed.
Since: 1.11.3

Returns
The Int64 object.

10.16.1.25. int64:bor()
Returns a Int64 of the bitwise or operation, with the given number/Int64/UInt64. Note that
multiple arguments are allowed.
Since: 1.11.3

Returns
The Int64 object.

10.16.1.26. int64:bxor()
Returns a Int64 of the bitwise xor operation, with the given number/Int64/UInt64. Note that
multiple arguments are allowed.
Since: 1.11.3

Returns
The Int64 object.

147

Lua Support in Wireshark

10.16.1.27. int64:lshift(numbits)
Returns a Int64 of the bitwise logical left-shift operation, by the given number of bits.
Since: 1.11.3

Arguments
numbits

The number of bits to left-shift by.

Returns
The Int64 object.

10.16.1.28. int64:rshift(numbits)
Returns a Int64 of the bitwise logical right-shift operation, by the given number of bits.
Since: 1.11.3

Arguments
numbits

The number of bits to right-shift by.

Returns
The Int64 object.

10.16.1.29. int64:arshift(numbits)
Returns a Int64 of the bitwise arithmetic right-shift operation, by the given number of bits.
Since: 1.11.3

Arguments
numbits

The number of bits to right-shift by.

Returns
The Int64 object.

10.16.1.30. int64:rol(numbits)
Returns a Int64 of the bitwise left rotation operation, by the given number of bits (up to 63).
Since: 1.11.3

Arguments
numbits

The number of bits to roll left by.

Returns
The Int64 object.

10.16.1.31. int64:ror(numbits)
Returns a Int64 of the bitwise right rotation operation, by the given number of bits (up to 63).
Since: 1.11.3

148

Lua Support in Wireshark

Arguments
numbits

The number of bits to roll right by.

Returns
The Int64 object.

10.16.1.32. int64:bswap()
Returns a Int64 of the bytes swapped. This can be used to convert little-endian 64-bit numbers to
big-endian 64 bit numbers or vice versa.
Since: 1.11.3

Returns
The Int64 object.

10.16.2. UInt64
UInt64 represents a 64 bit unsigned integer, similar to Int64.
For details, see: http://wiki.wireshark.org/LuaAPI/Int64.

10.16.2.1. UInt64.decode(string, [endian])

Decodes an 8-byte Lua binary string, using given endianness, into a new UInt64 object.
Since: 1.11.3

Arguments
string

The Lua string containing a binary 64-bit integer.

endian (optional)

If set to true then little-endian is used, if false then big-endian; if

missing/nil, native host endian.

Returns
The UInt64 object created, or nil on failure.

10.16.2.2. UInt64.new([value], [highvalue])

Creates a UInt64 Object.
Since: 1.11.3

Arguments
value (optional)

A number, UInt64, Int64, or string of digits to assign the value

of the new UInt64 (default=0).

highvalue (optional)

If this is a number and the first argument was a number, then the
first will be treated as a lower 32-bits, and this is the high-order
32-bit number.

Returns
The new UInt64 object.

149

Lua Support in Wireshark

10.16.2.3. UInt64.max()
Gets the max possible value.
Since: 1.11.3

Returns
The max value.

10.16.2.4. UInt64.min()
Gets the min possible value (i.e., 0).
Since: 1.11.3

Returns
The min value.

10.16.2.5. UInt64.fromhex(hex)
Creates a UInt64 object from the given hex string.
Since: 1.11.3

Arguments
hex

The hex-ascii Lua string.

Returns
The new UInt64 object.

10.16.2.6. uint64:encode([endian])
Encodes the UInt64 number into an 8-byte Lua binary string, using given endianness.
Since: 1.11.3

Arguments
endian (optional)

If set to true then little-endian is used, if false then big-endian; if

missing/nil, native host endian.

Returns
The Lua binary string.

10.16.2.7. uint64:__call()
Creates a UInt64 Object.
Since: 1.11.3

Returns
The new UInt64 object.

150

Lua Support in Wireshark

10.16.2.8. uint64:tonumber()
Returns a Lua number of the UInt64 value - this may lose precision.
Since: 1.11.3

Returns
The Lua number.

10.16.2.9. uint64:__tostring()
Converts the UInt64 into a string.

Returns
The Lua string.

10.16.2.10. uint64:tohex([numbytes])
Returns a hex string of the UInt64 value.
Since: 1.11.3

Arguments
numbytes (optional)

The number of hex-chars/nibbles to generate, negative means

uppercase (default=16).

Returns
The string hex.

10.16.2.11. uint64:higher()
Returns a Lua number of the higher 32-bits of the UInt64 value.

Returns
The Lua number.

10.16.2.12. uint64:lower()
Returns a Lua number of the lower 32-bits of the UInt64 value.

Returns
The Lua number.

10.16.2.13. uint64:__unm()
Returns the UInt64, in a new UInt64, since unsigned integers cant be negated.
Since: 1.11.3

Returns
The UInt64 object.

151

Lua Support in Wireshark

10.16.2.14. uint64:__add()
Adds two UInt64 together and returns a new one (this may wrap the value).
Since: 1.11.3

10.16.2.15. uint64:__sub()
Subtracts two UInt64 and returns a new one (this may wrap the value).
Since: 1.11.3

10.16.2.16. uint64:__mul()
Multiplies two UInt64 and returns a new one (this may truncate the value).
Since: 1.11.3

10.16.2.17. uint64:__div()
Divides two UInt64 and returns a new one (integer divide, no remainder). Trying to divide by zero
results in a Lua error.
Since: 1.11.3

Returns
The UInt64 result.

10.16.2.18. uint64:__mod()
Divides two UInt64 and returns a new one of the remainder. Trying to modulo by zero results in
a Lua error.
Since: 1.11.3

Returns
The UInt64 result.

10.16.2.19. uint64:__pow()
The first UInt64 is taken to the power of the second UInt64/number, returning a new one (this
may truncate the value).
Since: 1.11.3

Returns
The UInt64 object.

10.16.2.20. uint64:__eq()
Returns true if both UInt64 are equal.
Since: 1.11.3

10.16.2.21. uint64:__lt()
Returns true if first UInt64 < second.

152

Lua Support in Wireshark

Since: 1.11.3

10.16.2.22. uint64:__le()
Returns true if first UInt64 second.
Since: 1.11.3

10.16.2.23. uint64:bnot()
Returns a UInt64 of the bitwise not operation.
Since: 1.11.3

Returns
The UInt64 object.

10.16.2.24. uint64:band()
Returns a UInt64 of the bitwise and operation, with the given number/Int64/UInt64. Note that
multiple arguments are allowed.
Since: 1.11.3

Returns
The UInt64 object.

10.16.2.25. uint64:bor()
Returns a UInt64 of the bitwise or operation, with the given number/Int64/UInt64. Note that
multiple arguments are allowed.
Since: 1.11.3

Returns
The UInt64 object.

10.16.2.26. uint64:bxor()
Returns a UInt64 of the bitwise xor operation, with the given number/Int64/UInt64. Note that
multiple arguments are allowed.
Since: 1.11.3

Returns
The UInt64 object.

10.16.2.27. uint64:lshift(numbits)
Returns a UInt64 of the bitwise logical left-shift operation, by the given number of bits.
Since: 1.11.3

Arguments
numbits

The number of bits to left-shift by.

153

Lua Support in Wireshark

Returns
The UInt64 object.

10.16.2.28. uint64:rshift(numbits)
Returns a UInt64 of the bitwise logical right-shift operation, by the given number of bits.
Since: 1.11.3

Arguments
numbits

The number of bits to right-shift by.

Returns
The UInt64 object.

10.16.2.29. uint64:arshift(numbits)
Returns a UInt64 of the bitwise arithmetic right-shift operation, by the given number of bits.
Since: 1.11.3

Arguments
numbits

The number of bits to right-shift by.

Returns
The UInt64 object.

10.16.2.30. uint64:rol(numbits)
Returns a UInt64 of the bitwise left rotation operation, by the given number of bits (up to 63).
Since: 1.11.3

Arguments
numbits

The number of bits to roll left by.

Returns
The UInt64 object.

10.16.2.31. uint64:ror(numbits)
Returns a UInt64 of the bitwise right rotation operation, by the given number of bits (up to 63).
Since: 1.11.3

Arguments
numbits

The number of bits to roll right by.

Returns
The UInt64 object.

154

Lua Support in Wireshark

10.16.2.32. uint64:bswap()
Returns a UInt64 of the bytes swapped. This can be used to convert little-endian 64-bit numbers to
big-endian 64 bit numbers or vice versa.
Since: 1.11.3

Returns
The UInt64 object.

10.17. Binary encode/decode support

The Struct class offers basic facilities to convert Lua values to and from C-style structs in binary Lua
strings. This is based on Roberto Ierusalimschys Lua struct library found in http://www.inf.puc-rio.br/
~roberto/struct/, with some minor modifications as follows:
Added support for Int64/UInt64 being packed/unpacked, using e/E.
Can handle long long integers (i8 / I8); though theyre converted to doubles.
Can insert/specify padding anywhere in a struct. (X eg. when a string is following a union).
Can report current offset in both pack and unpack (=).
Can mask out return values when you only want to calculate sizes or unmarshal pascal-style strings
using ( & ).
All but the first of those changes are based on an email from Flemming Madsen, on the lua-users
mailing list, which can be found here.
The main functions are Struct.pack, which packs multiple Lua values into a struct-like Lua binary
string; and Struct.unpack, which unpacks multiple Lua values from a given struct-like Lua binary
string. There are some additional helper functions available as well.
All functions in the Struct library are called as static member functions, not object methods, so they
are invoked as "Struct.pack()" instead of "object:pack()".
The fist argument to several of the Struct functions is a format string, which describes the layout
of the structure. The format string is a sequence of conversion elements, which respect the current
endianness and the current alignment requirements. Initially, the current endianness is the machines
native endianness and the current alignment requirement is 1 (meaning no alignment at all). You can
change these settings with appropriate directives in the format string.
The supported elements in the format string are as follows:
(empty space) ignored.
!n flag to set the current alignment requirement to n (necessarily a power of 2); an absent n means
the machines native alignment.
> flag to set mode to big endian (i.e., network-order).
< flag to set mode to little endian.
x a padding zero byte with no corresponding Lua value.
b a signed char.
B an unsigned char.

155

Lua Support in Wireshark

h a signed short (native size).

H an unsigned short (native size).
l a signed long (native size).
L an unsigned long (native size).
T a size_t (native size).
in a signed integer with n bytes. An absent n means the native size of an int.
In like in but unsigned.
e signed 8-byte Integer (64-bits, long long), to/from a Int64 object.
E unsigned 8-byte Integer (64-bits, long long), to/from a UInt64 object.
f a float (native size).
d a double (native size).
s a zero-terminated string.
cn a sequence of exactly n chars corresponding to a single Lua string. An absent n means 1. When
packing, the given string must have at least n characters (extra characters are discarded).
c0 this is like cn, except that the n is given by other means: When packing, n is the length of
the given string; when unpacking, n is the value of the previous unpacked value (which must be a
number). In that case, this previous value is not returned.
xn pad to n number of bytes, default 1.
Xn pad to n alignment, default MAXALIGN.
( to stop assigning items, and ) start assigning (padding when packing).
= to return the current position / offset.

Note
Using i, I, h, H, l, L, f, and T is strongly discouraged, as those sizes are systemdependent. Use the explicitly sized variants instead, such as i4 or E.

Note
Unpacking of i/I is done to a Lua number, a double-precision floating point, so
unpacking a 64-bit field (i8/I8) will lose precision. Use e/E to unpack into a Wireshark
Int64/UInt64 object instead.

10.17.1. Struct
10.17.1.1. Struct.pack(format, value)
Returns a string containing the values arg1, arg2, etc. packed/encoded according to the format string.

Arguments
format

The format string

156

Lua Support in Wireshark

value

One or more Lua value(s) to encode, based on the given format.

Returns
The packed binary Lua string, plus any positions due to = being used in format.

10.17.1.2. Struct.unpack(format, struct, [begin])

Unpacks/decodes multiple Lua values from a given struct-like binary Lua string. The number of
returned values depends on the format given, plus an additional value of the position where it stopped
reading is returned.

Arguments
format

The format string

struct

The binary Lua string to unpack

begin (optional)

The position to begin reading from (default=1)

Returns
One or more values based on format, plus the position it stopped unpacking.

10.17.1.3. Struct.size(format)
Returns the length of a binary string that would be consumed/handled by the given format string.

Arguments
format

The format string

Returns
The size number

10.17.1.4. Struct.values(format)
Returns the number of Lua values contained in the given format string. This will be the number of
returned values from a call to Struct.unpack() not including the extra return value of offset position.
(i.e., Struct.values() does not count that extra return value) This will also be the number of arguments
Struct.pack() expects, not including the format string argument.

Arguments
format

The format string

Returns
The number of values

10.17.1.5. Struct.tohex(bytestring, [lowercase], [separator])

Converts the passed-in binary string to a hex-ascii string.

Arguments
bytestring

A Lua string consisting of binary bytes

157

Lua Support in Wireshark

lowercase (optional)

True to use lower-case hex characters (default=false).

separator (optional)

A string separator to insert between hex bytes (default=nil).

Returns
The Lua hex-ascii string

10.17.1.6. Struct.fromhex(hexbytes, [separator])

Converts the passed-in hex-ascii string to a binary string.

Arguments
hexbytes

A string consisting of hexadecimal bytes like "00 B1 A2" or

"1a2b3c4d"

separator (optional)

A string separator between hex bytes/words (default=" ").

Returns
The Lua binary string

10.18. GLib Regular Expressions

Lua has its own native pattern syntax in the string library, but sometimes a real regex engine is more
useful. Wireshark comes with GLibs Regex implementation, which itself is based on Perl Compatible
Regular Expressions (PCRE). This engine is exposed into Wiresharks Lua engine through the wellknown Lrexlib library, following the same syntax and semantics as the Lrexlib PCRE implementation,
with a few differences as follows:
There is no support for using custom locale/chartables
dfa_exec() doesnt take ovecsize nor wscount arguments
dfa_exec() returns boolean true for partial match, without subcapture info
Named subgroups do not return name-keyed entries in the return table (i.e., in match/tfind/exec)
The flags() function still works, returning all flags, but two new functions compile_flags() and
match_flags() return just their respective flags, since GLib has a different and smaller set of such
flags, for regex compile vs. match functions
Using some assertions and POSIX character classes against strings with non-ASCII characters might
match high-order characters, because glib always sets PCRE_UCP even if G_REGEX_RAW is set.
For example, [:alpha;] matches certain non-ASCII bytes. The following assertions have this issue:
\b, \B, \s, \S, \w, \W. The following character classes have this issue: [:alpha:], [:alnum:], [:lower:],
[:upper:], [:space:], [:word:], and [:graph:].
The compile flag G_REGEX_RAW is always set/used, even if you didnt specify it. This is because
GLib runs PCRE in UTF-8 mode by default, whereas Lua strings are not UTF-aware.
Since: 1.11.3
This page is based on the full documentation for Lrexlib at http://rrthomas.github.io/lrexlib/
manual.html
The GLib Regular expression syntax (which is essentially PCRE syntax) can be found at https://
developer.gnome.org/glib/2.38/glib-regex-syntax.html

158

Lua Support in Wireshark

10.18.1. GRegex
GLib Regular Expressions based on PCRE.
Since: 1.11.3

10.18.1.1. Notes
All functions that take a regular expression pattern as an argument will generate an error if that pattern
is found invalid by the regex library.
All functions that take a string-type regex argument accept a compiled regex too. In this case, the
compile flags argument is ignored (should be either supplied as nils or omitted).
The capture flag argument cf may also be supplied as a string, whose characters stand for compilation
flags. Combinations of the following characters (case sensitive) are supported:
i = G_REGEX_CASELESS - Letters in the pattern match both upper- and lowercase letters. This
option can be changed within a pattern by a (?i) option setting.
m = G_REGEX_MULTILINE - By default, GRegex treats the strings as consisting of a single line
of characters (even if it actually contains newlines). The start of line metacharacter (^) matches
only at the start of the string, while the end of line metacharacter ($) matches only at the end of
the string, or before a terminating newline (unless G_REGEX_DOLLAR_ENDONLY is set). When
G_REGEX_MULTILINE is set, the start of line and end of line constructs match immediately
following or immediately before any newline in the string, respectively, as well as at the very start
and end. This can be changed within a pattern by a (?m) option setting.
s = G_REGEX_DOTALL - A dot metacharater (.) in the pattern matches all characters, including
newlines. Without it, newlines are excluded. This option can be changed within a pattern by a ("?
s") option setting.
x = G_REGEX_EXTENDED - Whitespace data characters in the pattern are totally ignored except
when escaped or inside a character class. Whitespace does not include the VT character (code 11).
In addition, characters between an unescaped # outside a character class and the next newline
character, inclusive, are also ignored. This can be changed within a pattern by a (?x) option setting.
U = G_REGEX_UNGREEDY - Inverts the greediness of the quantifiers so that they are not
greedy by default, but become greedy if followed by ?. It can also be set by a (?U) option setting
within the pattern.

10.18.1.2. GRegex.new(pattern)
Compiles regular expression pattern into a regular expression object whose internal representation is
corresponding to the library used. The returned result then can be used by the methods, e.g. match,
exec, etc. Regular expression objects are automatically garbage collected.
Since: 1.11.3

Arguments
pattern

A Perl-compatible regular expression pattern string

Returns
The compiled regular expression (a userdata object)

Errors
A malformed pattern generates a Lua error

159

Lua Support in Wireshark

10.18.1.3. GRegex.flags([table])
Returns a table containing the numeric values of the constants defined by the regex library, with the
keys being the (string) names of the constants. If the table argument is supplied then it is used as the
output table, otherwise a new table is created. The constants contained in the returned table can then
be used in most functions and methods where compilation flags or execution flags can be specified.
They can also be used for comparing with return codes of some functions and methods for determining
the reason of failure.
Since: 1.11.3

Arguments
table (optional)

A table for placing results into

Returns
A table filled with the results.

10.18.1.4. GRegex.compile_flags([table])
Returns a table containing the numeric values of the constants defined by the regex library for compile
flags, with the keys being the (string) names of the constants. If the table argument is supplied then it
is used as the output table, otherwise a new table is created.
Since: 1.11.3

Arguments
table (optional)

A table for placing results into

Returns
A table filled with the results.

10.18.1.5. GRegex.match_flags([table])
Returns a table containing the numeric values of the constants defined by the regex library for match
flags, with the keys being the (string) names of the constants. If the table argument is supplied then it
is used as the output table, otherwise a new table is created.
Since: 1.11.3

Arguments
table (optional)

A table for placing results into

Returns
A table filled with the results.

10.18.1.6. GRegex.match(subject, pattern, [init], [cf], [ef])

Searches for the first match of the regexp pattern in the string subject, starting from offset init, subject
to flags cf and ef. The pattern is compiled each time this is called, unlike the class method match
function.
Since: 1.11.3

160

Lua Support in Wireshark

Arguments
subject

Subject string to search

pattern

A Perl-compatible regular expression pattern string or GRegex object

init (optional)

start offset in the subject (can be negative)

cf (optional)

compilation flags (bitwise OR)

ef (optional)

match execution flags (bitwise OR)

Returns
On success, returns all substring matches ("captures"), in the order they appear in the pattern. false is
returned for sub-patterns that did not participate in the match. If the pattern specified no captures then
the whole matched substring is returned. On failure, returns nil.

10.18.1.7. GRegex.find(subject, pattern, [init], [cf], [ef])

Searches for the first match of the regexp pattern in the string subject, starting from offset init, subject
to flags ef. The pattern is compiled each time this is called, unlike the class method find function.
Since: 1.11.3

Arguments
subject

Subject string to search

pattern

A Perl-compatible regular expression pattern string or GRegex object

init (optional)

start offset in the subject (can be negative)

cf (optional)

compilation flags (bitwise OR)

ef (optional)

match execution flags (bitwise OR)

Returns
On success, returns the start point of the match (a number), the end point of the match (a number),
and all substring matches ("captures"), in the order they appear in the pattern. false is returned for subpatterns that did not participate in the match. On failure, returns nil.

10.18.1.8. GRegex.gmatch(subject, pattern, [init], [cf], [ef])

Returns an iterator for repeated matching of the pattern patt in the string subj, subject to flags cf and
ef. The function is intended for use in the generic for Lua construct. The pattern can be a string or a
GRegex object previously compiled with GRegex.new().
Since: 1.11.3

Arguments
subject

Subject string to search

pattern

A Perl-compatible regular expression pattern string or GRegex object

init (optional)

start offset in the subject (can be negative)

cf (optional)

compilation flags (bitwise OR)

ef (optional)

match execution flags (bitwise OR)

161

Lua Support in Wireshark

Returns
The iterator function is called by Lua. On every iteration (that is, on every match), it returns all captures
in the order they appear in the pattern (or the entire match if the pattern specified no captures). The
iteration will continue till the subject fails to match.

10.18.1.9. GRegex.gsub(subject, pattern, [repl], [max], [cf], [ef])

Searches for all matches of the pattern in the string subject and replaces them according to the
parameters repl and max. The pattern can be a string or a GRegex object previously compiled with
GRegex.new().
Since: 1.11.3
For details see: http://rrthomas.github.io/lrexlib/manual.html#gsub

Arguments
subject

Subject string to search

pattern

A Perl-compatible regular expression pattern string or GRegex object

repl (optional)

Substitution source string, function, table, false or nil

max (optional)

Maximum number of matches to search for, or control function, or nil

cf (optional)

Compilation flags (bitwise OR)

ef (optional)

Match execution flags (bitwise OR)

Returns
On success, returns the subject string with the substitutions made, the number of matches found, and
the number of substitutions made.

10.18.1.10. GRegex.split(subject, sep, [cf], [ef])

Splits a subject string subj into parts (sections). The sep parameter is a regular expression pattern
representing separators between the sections. The function is intended for use in the generic for Lua
construct. The function returns an iterator for repeated matching of the pattern sep in the string subj,
subject to flags cf and ef. The sep pattern can be a string or a GRegex object previously compiled
with GRegex.new(). Unlike gmatch, there will always be at least one iteration pass, even if there are
no matches in the subject.
Since: 1.11.3

Arguments
subject

Subject string to search

sep

A Perl-compatible regular expression pattern string or GRegex object

cf (optional)

compilation flags (bitwise OR)

ef (optional)

match execution flags (bitwise OR)

Returns
The iterator function is called by Lua. On every iteration, it returns a subject section (can be an empty
string), followed by all captures in the order they appear in the sep pattern (or the entire match if the

162

Lua Support in Wireshark

sep pattern specified no captures). If there is no match (this can occur only in the last iteration), then
nothing is returned after the subject section. The iteration will continue till the end of the subject.

10.18.1.11. GRegex.version()
Returns a returns a string containing the version of the used library.
Since: 1.11.3

Returns
The version string

10.18.1.12. gregex:match(subject, [init], [ef])

Searches for the first match of the regexp pattern in the string subject, starting from offset init, subject
to flags ef.
Since: 1.11.3

Arguments
subject

Subject string to search

init (optional)

start offset in the subject (can be negative)

ef (optional)

match execution flags (bitwise OR)

Returns
On success, returns all substring matches (captures), in the order they appear in the pattern. false is
returned for sub-patterns that did not participate in the match. If the pattern specified no captures then
the whole matched substring is returned. nil is returned if the pattern did not match.

10.18.1.13. gregex:find(subject, [init], [ef])

Searches for the first match of the regexp pattern in the string subject, starting from offset init, subject
to flags ef.
Since: 1.11.3

Arguments
subject

Subject string to search

init (optional)

start offset in the subject (can be negative)

ef (optional)

match execution flags (bitwise OR)

Returns
On success, returns the start point of the match (a number), the end point of the match (a number),
and all substring matches ("captures"), in the order they appear in the pattern. false is returned for subpatterns that did not participate in the match. On failure, returns nil.

10.18.1.14. gregex:exec(subject, [init], [ef])

Searches for the first match of the compiled GRegex object in the string subject, starting from offset
init, subject to the execution match flags ef.

163

Lua Support in Wireshark

Since: 1.11.3

Arguments
subject

Subject string to search

init (optional)

start offset in the subject (can be negative)

ef (optional)

match execution flags (bitwise OR)

Returns
On success, returns the start point of the first match (a number), the end point of the first match (a
number), and the offsets of substring matches (captures in Lua terminology) are returned as a third
result, in a table. This table contains false in the positions where the corresponding sub-pattern did
not participate in the match. On failure, returns nil. Example: If the whole match is at offsets 10,20
and substring matches are at offsets 12,14 and 16,19 then the function returns the following: 10, 20,
{ 12,14,16,19 }.

10.18.1.15. gregex:dfa_exec(subject, [init], [ef])

Matches a compiled regular expression GRegex object against a given subject string subj, using a
DFA matching algorithm.
Since: 1.11.3

Arguments
subject

Subject string to search

init (optional)

start offset in the subject (can be negative)

ef (optional)

match execution flags (bitwise OR)

Returns
On success, returns the start point of the matches found (a number), a table containing the end points
of the matches found, the longer matches first, and the number of matches found as the third return
value. On failure, returns nil. Example: If there are 3 matches found starting at offset 10 and ending
at offsets 15, 20 and 25 then the function returns the following: 10, { 25,20,15 }, 3

10.18.1.16. gregex:__tostring()
Returns a string containing debug information about the GRegex object.
Since: 1.11.3

Returns
The debug string

164

Chapter 11. User Interface

11.1. Introduction
Wireshark can be logically separated into the backend (dissecting protocols, file loading and saving,
capturing, etc.) and the frontend (the user interface).
The following frontends are currently maintained by the Wireshark development team:
Wireshark, GTK 2.x based
Wireshark, GTK 3.x based (Wireshark 1.10 and newer)
Wireshark, Qt based (Wireshark 1.11 and newer)
TShark, console based
There are other Wireshark frontends which are not developed nor maintained by the Wireshark
development team:
Packetyzer (Win32 native interface, written in Delphi and released under the GPL, see: http://
www.paglo.com/opensource/packetyzer)
hethereal (web based frontend, not actively maintained and not finished)
This chapter is focused on the Wireshark frontend, and especially on the GTK interface.

11.2. The GTK library

Were switching to Qt
This chapter describes the state of our stable release, which is based on GTK+. A major
effort is underway to migrate Wireshark to Qt. If you would like to add a new interface
feature you should use it and not GTK+.
Wireshark is based on the GTK toolkit. See http://www.gtk.org for details. GTK is designed to hide the
details of the underlying GUI in a platform independent way. As GTK is intended to be a multiplatform
tool, there are some drawbacks, as the result is a somewhat "non native" look and feel.
GTK is available for many different platforms including, but not limited to: Unix/Linux, Mac OS X
and Win32. Its the foundation of the famous GNOME desktop, so the future development of GTK
should be certain. GTK is implemented in plain C (as is Wireshark itself), and available under the
LGPL (Lesser General Public License), making it free to used by commercial and noncommercial
applications.
There are other similar toolkits like wxWidgets which could also be used for Wireshark. Theres no
"one and only" reason for or against any of these toolkits. However, the decision towards GTK was
made a long time ago :-)
As of 2013 there are two major GTK versions available:

11.2.1. GTK Version 2.x

GTK 2.x depends on the following libraries:
GObject (Object library. Basis for GTK and others)

165

User Interface

GLib (A general-purpose utility library, not specific to graphical user interfaces. GLib provides
many useful data types, macros, type conversions, string utilities, file utilities, a main loop
abstraction, and so on.)
Pango (Pango is a library for internationalized text handling. It centers around the PangoLayout
object, representing a paragraph of text. Pango provides the engine for GtkTextView, GtkLabel,
GtkEntry, and other widgets that display text.)
ATK (ATK is the Accessibility Toolkit. It provides a set of generic interfaces allowing accessibility
technologies to interact with a graphical user interface. For example, a screen reader uses ATK to
discover the text in an interface and read it to blind users. GTK+ widgets have built-in support for
accessibility using the ATK framework.)
GdkPixbuf (This is a small library which allows you to create GdkPixbuf ("pixel buffer") objects
from image data or image files. Use a GdkPixbuf in combination with GtkImage to display images.)
GDK (GDK is the abstraction layer that allows GTK+ to support multiple windowing systems.
GDK provides drawing and window system facilities on X11, Windows, and the Linux framebuffer
device.)

11.2.2. GTK Version 3.x

Wireshark (as of version 1.10) has been ported to use the GTK3 library.
GTK 3.x depends on the following libraries:
(See GTK 2.x)

11.2.3. Compatibility GTK versions

The GTK library itself defines some values which makes it easy to distinguish between the versions,
e.g. GTK_MAJOR_VERSION and GTK_MINOR_VERSION will be set to the GTK version at compile
time inside the gtkversion.h header.

11.2.4. GTK resources on the web

You can find several resources about GTK.
First of all, have a look at http://www.gtk.org. This will be the first place to look at. If you want
to develop GTK related things for Wireshark, the most important place might be the GTK API
documentation at http://library.gnome.org/devel/gtk/stable/.
Several mailing lists are available about GTK development, see http://mail.gnome.org/mailman/
listinfo, the gtk-app-devel-list may be your friend.
As its often done wrong: You should post a mail to help the developers there instead of only
complaining. Posting such a thing like "I dont like your dialog, it looks ugly" wont be of much help.
You might think about what you dislike and describe why you dislike it and provide a suggestion for
a better way.

11.3. GUI Reference documents

Although the GUI development of Wireshark is platform independent, the Wireshark development
team tries to follow the GNOME Human Interface Guidelines (HIG) where appropriate. This is the
case, because both GNOME and Wireshark are based on the GTK+ toolkit and the GNOME HIG is
excellently written and easy to understand.
For further reference, see the following documents:

166

User Interface

Android Design: http://developer.android.com/design/index.html (Wireshark doesnt have a mobile

frontend but there is still useful information here)
GNOME Human Interface Guidelines: http://library.gnome.org/devel/hig-book/stable/
The KDE Usability/HIG project: http://techbase.kde.org/Projects/Usability/HIG
OS X Human Interface Guidelines: https://developer.apple.com/library/mac/documentation/
UserExperience/Conceptual/AppleHIGuidelines/Intro/Intro.html
Design apps for the Windows desktop: http://msdn.microsoft.com/en-us/library/Aa511258.aspx

11.4. Adding/Extending Dialogs

This is usually the main area for contributing new user interface features.
XXX: add the various functions from gtk/dlg_utils.h

11.5. Widget naming

It seems to be common sense to name the widgets with some descriptive trailing characters, like:
xy_lb = gtk_label_new();
xy_cb = gtk_checkbox_new();
XXX: add more examples
However, this schema isnt used at all places inside the code.

11.6. Common GTK programming pitfalls

There are some common pitfalls in GTK programming.

11.6.1. Usage of gtk_widget_show() /

gtk_widget_show_all()
When a GTK widget is created it will be hidden by default. In order to show it, a call to
gtk_widget_show() has to be done.
It isnt necessary to do this for each and every widget created. A call to gtk_widget_show_all() on the
parent of all the widgets in question (e.g. a dialog window) can be done, so all of its child widgets
will be shown too.

167

Chapter 12. This Documents License

(GPL)
As with the original license and documentation distributed with Wireshark, this document is covered
by the GNU General Public License (GNU GPL).
If you havent read the GPL before, please do so. It explains all the things that you are allowed to do
with this code and documentation.
GNU GENERAL PUBLIC LICENSE
Version 2, June 1991
Copyright (C) 1989, 1991 Free
51 Franklin Street, Fifth
Everyone is permitted to copy
of this license document, but

Software Foundation, Inc.

Floor, Boston, MA 02110-1301 USA
and distribute verbatim copies
changing it is not allowed.

Preamble
The licenses for most software are designed to take away your
freedom to share and change it. By contrast, the GNU General Public
License is intended to guarantee your freedom to share and change free
software--to make sure the software is free for all its users. This
General Public License applies to most of the Free Software
Foundation's software and to any other program whose authors commit to
using it. (Some other Free Software Foundation software is covered by
the GNU Library General Public License instead.) You can apply it to
your programs, too.
When we speak of free software, we are referring to freedom, not
price. Our General Public Licenses are designed to make sure that you
have the freedom to distribute copies of free software (and charge for
this service if you wish), that you receive source code or can get it
if you want it, that you can change the software or use pieces of it
in new free programs; and that you know you can do these things.
To protect your rights, we need to make restrictions that forbid
anyone to deny you these rights or to ask you to surrender the rights.
These restrictions translate to certain responsibilities for you if you
distribute copies of the software, or if you modify it.
For example, if you distribute copies of such a program, whether
gratis or for a fee, you must give the recipients all the rights that
you have. You must make sure that they, too, receive or can get the
source code. And you must show them these terms so they know their
rights.
We protect your rights with two steps: (1) copyright the software, and
(2) offer you this license which gives you legal permission to copy,
distribute and/or modify the software.
Also, for each author's protection and ours, we want to make certain
that everyone understands that there is no warranty for this free
software. If the software is modified by someone else and passed on, we
want its recipients to know that what they have is not the original, so
that any problems introduced by others will not reflect on the original
authors' reputations.
Finally, any free program is threatened constantly by software
patents. We wish to avoid the danger that redistributors of a free
program will individually obtain patent licenses, in effect making the
program proprietary. To prevent this, we have made it clear that any
patent must be licensed for everyone's free use or not licensed at all.
The precise terms and conditions for copying, distribution and
modification follow.
GNU GENERAL PUBLIC LICENSE

168

This Documents License (GPL)

TERMS AND CONDITIONS FOR COPYING, DISTRIBUTION AND MODIFICATION

0. This License applies to any program or other work which contains
a notice placed by the copyright holder saying it may be distributed
under the terms of this General Public License. The "Program", below,
refers to any such program or work, and a "work based on the Program"
means either the Program or any derivative work under copyright law:
that is to say, a work containing the Program or a portion of it,
either verbatim or with modifications and/or translated into another
language. (Hereinafter, translation is included without limitation in
the term "modification".) Each licensee is addressed as "you".
Activities other than copying, distribution and modification are not
covered by this License; they are outside its scope. The act of
running the Program is not restricted, and the output from the Program
is covered only if its contents constitute a work based on the
Program (independent of having been made by running the Program).
Whether that is true depends on what the Program does.
1. You may copy and distribute verbatim copies of the Program's
source code as you receive it, in any medium, provided that you
conspicuously and appropriately publish on each copy an appropriate
copyright notice and disclaimer of warranty; keep intact all the
notices that refer to this License and to the absence of any warranty;
and give any other recipients of the Program a copy of this License
along with the Program.
You may charge a fee for the physical act of transferring a copy, and
you may at your option offer warranty protection in exchange for a fee.
2. You may modify your copy or copies of the Program or any portion
of it, thus forming a work based on the Program, and copy and
distribute such modifications or work under the terms of Section 1
above, provided that you also meet all of these conditions:
a) You must cause the modified files to carry prominent notices
stating that you changed the files and the date of any change.
b) You must cause any work that
whole or in part contains or is
part thereof, to be licensed as
parties under the terms of this

you distribute or publish, that in

derived from the Program or any
a whole at no charge to all third
License.

c) If the modified program normally reads commands interactively

when run, you must cause it, when started running for such
interactive use in the most ordinary way, to print or display an
announcement including an appropriate copyright notice and a
notice that there is no warranty (or else, saying that you provide
a warranty) and that users may redistribute the program under
these conditions, and telling the user how to view a copy of this
License. (Exception: if the Program itself is interactive but
does not normally print such an announcement, your work based on
the Program is not required to print an announcement.)
These requirements apply to the modified work as a whole. If
identifiable sections of that work are not derived from the Program,
and can be reasonably considered independent and separate works in
themselves, then this License, and its terms, do not apply to those
sections when you distribute them as separate works. But when you
distribute the same sections as part of a whole which is a work based
on the Program, the distribution of the whole must be on the terms of
this License, whose permissions for other licensees extend to the
entire whole, and thus to each and every part regardless of who wrote it.
Thus, it is not the intent of this section to claim rights or contest
your rights to work written entirely by you; rather, the intent is to
exercise the right to control the distribution of derivative or
collective works based on the Program.
In addition, mere aggregation of another work not based on the Program
with the Program (or with a work based on the Program) on a volume of
a storage or distribution medium does not bring the other work under

169

This Documents License (GPL)

the scope of this License.

3. You may copy and distribute the Program (or a work based on it,
under Section 2) in object code or executable form under the terms of
Sections 1 and 2 above provided that you also do one of the following:
a) Accompany it with the complete corresponding machine-readable
source code, which must be distributed under the terms of Sections
1 and 2 above on a medium customarily used for software interchange; or,
b) Accompany it with a written offer, valid for at least three
years, to give any third party, for a charge no more than your
cost of physically performing source distribution, a complete
machine-readable copy of the corresponding source code, to be
distributed under the terms of Sections 1 and 2 above on a medium
customarily used for software interchange; or,
c) Accompany it with the information you received as to the offer
to distribute corresponding source code. (This alternative is
allowed only for noncommercial distribution and only if you
received the program in object code or executable form with such
an offer, in accord with Subsection b above.)
The source code for a work means the preferred form of the work for
making modifications to it. For an executable work, complete source
code means all the source code for all modules it contains, plus any
associated interface definition files, plus the scripts used to
control compilation and installation of the executable. However, as a
special exception, the source code distributed need not include
anything that is normally distributed (in either source or binary
form) with the major components (compiler, kernel, and so on) of the
operating system on which the executable runs, unless that component
itself accompanies the executable.
If distribution of executable or object code is made by offering
access to copy from a designated place, then offering equivalent
access to copy the source code from the same place counts as
distribution of the source code, even though third parties are not
compelled to copy the source along with the object code.
4. You may not copy, modify, sublicense, or distribute the Program
except as expressly provided under this License. Any attempt
otherwise to copy, modify, sublicense or distribute the Program is
void, and will automatically terminate your rights under this License.
However, parties who have received copies, or rights, from you under
this License will not have their licenses terminated so long as such
parties remain in full compliance.
5. You are not required to accept this License, since you have not
signed it. However, nothing else grants you permission to modify or
distribute the Program or its derivative works. These actions are
prohibited by law if you do not accept this License. Therefore, by
modifying or distributing the Program (or any work based on the
Program), you indicate your acceptance of this License to do so, and
all its terms and conditions for copying, distributing or modifying
the Program or works based on it.
6. Each time you redistribute the Program (or any work based on the
Program), the recipient automatically receives a license from the
original licensor to copy, distribute or modify the Program subject to
these terms and conditions. You may not impose any further
restrictions on the recipients' exercise of the rights granted herein.
You are not responsible for enforcing compliance by third parties to
this License.
7. If, as a consequence of a court judgment or allegation of patent
infringement or for any other reason (not limited to patent issues),
conditions are imposed on you (whether by court order, agreement or
otherwise) that contradict the conditions of this License, they do not
excuse you from the conditions of this License. If you cannot
distribute so as to satisfy simultaneously your obligations under this
License and any other pertinent obligations, then as a consequence you

170

This Documents License (GPL)

may not distribute the Program at all. For example, if a patent

license would not permit royalty-free redistribution of the Program by
all those who receive copies directly or indirectly through you, then
the only way you could satisfy both it and this License would be to
refrain entirely from distribution of the Program.
If any portion of this section is held invalid or unenforceable under
any particular circumstance, the balance of the section is intended to
apply and the section as a whole is intended to apply in other
circumstances.
It is not the purpose of this section to induce you to infringe any
patents or other property right claims or to contest validity of any
such claims; this section has the sole purpose of protecting the
integrity of the free software distribution system, which is
implemented by public license practices. Many people have made
generous contributions to the wide range of software distributed
through that system in reliance on consistent application of that
system; it is up to the author/donor to decide if he or she is willing
to distribute software through any other system and a licensee cannot
impose that choice.
This section is intended to make thoroughly clear what is believed to
be a consequence of the rest of this License.
8. If the distribution and/or use of the Program is restricted in
certain countries either by patents or by copyrighted interfaces, the
original copyright holder who places the Program under this License
may add an explicit geographical distribution limitation excluding
those countries, so that distribution is permitted only in or among
countries not thus excluded. In such case, this License incorporates
the limitation as if written in the body of this License.
9. The Free Software Foundation may publish revised and/or new versions
of the General Public License from time to time. Such new versions will
be similar in spirit to the present version, but may differ in detail to
address new problems or concerns.
Each version is given a distinguishing version number. If the Program
specifies a version number of this License which applies to it and "any
later version", you have the option of following the terms and conditions
either of that version or of any later version published by the Free
Software Foundation. If the Program does not specify a version number of
this License, you may choose any version ever published by the Free Software
Foundation.
10. If you wish to incorporate parts of the Program into other free
programs whose distribution conditions are different, write to the author
to ask for permission. For software which is copyrighted by the Free
Software Foundation, write to the Free Software Foundation; we sometimes
make exceptions for this. Our decision will be guided by the two goals
of preserving the free status of all derivatives of our free software and
of promoting the sharing and reuse of software generally.
NO WARRANTY
11. BECAUSE THE PROGRAM IS LICENSED FREE OF CHARGE, THERE IS NO WARRANTY
FOR THE PROGRAM, TO THE EXTENT PERMITTED BY APPLICABLE LAW. EXCEPT WHEN
OTHERWISE STATED IN WRITING THE COPYRIGHT HOLDERS AND/OR OTHER PARTIES
PROVIDE THE PROGRAM "AS IS" WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESSED
OR IMPLIED, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. THE ENTIRE RISK AS
TO THE QUALITY AND PERFORMANCE OF THE PROGRAM IS WITH YOU. SHOULD THE
PROGRAM PROVE DEFECTIVE, YOU ASSUME THE COST OF ALL NECESSARY SERVICING,
REPAIR OR CORRECTION.
12. IN NO EVENT UNLESS REQUIRED BY APPLICABLE LAW OR AGREED TO IN WRITING
WILL ANY COPYRIGHT HOLDER, OR ANY OTHER PARTY WHO MAY MODIFY AND/OR
REDISTRIBUTE THE PROGRAM AS PERMITTED ABOVE, BE LIABLE TO YOU FOR DAMAGES,
INCLUDING ANY GENERAL, SPECIAL, INCIDENTAL OR CONSEQUENTIAL DAMAGES ARISING
OUT OF THE USE OR INABILITY TO USE THE PROGRAM (INCLUDING BUT NOT LIMITED
TO LOSS OF DATA OR DATA BEING RENDERED INACCURATE OR LOSSES SUSTAINED BY

171

This Documents License (GPL)

YOU OR THIRD PARTIES OR A FAILURE OF THE PROGRAM TO OPERATE WITH ANY OTHER
PROGRAMS), EVEN IF SUCH HOLDER OR OTHER PARTY HAS BEEN ADVISED OF THE
POSSIBILITY OF SUCH DAMAGES.
END OF TERMS AND CONDITIONS
How to Apply These Terms to Your New Programs
If you develop a new program, and you want it to be of the greatest
possible use to the public, the best way to achieve this is to make it
free software which everyone can redistribute and change under these terms.
To do so, attach the following notices to the
to attach them to the start of each source file
convey the exclusion of warranty; and each file
the "copyright" line and a pointer to where the

program. It is safest
to most effectively
should have at least
full notice is found.

&lt;one line to give the program's name and a brief idea of what it does.>
Copyright (C) <year> <name of author>
This program is free software; you can redistribute it and/or modify
it under the terms of the GNU General Public License as published by
the Free Software Foundation; either version 2 of the License, or
(at your option) any later version.
This program is distributed in the hope that it will be useful,
but WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
GNU General Public License for more details.
You should have received a copy of the GNU General Public License
along with this program; if not, write to the Free Software
Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA

Also add information on how to contact you by electronic and paper mail.
If the program is interactive, make it output a short notice like this
when it starts in an interactive mode:
Gnomovision version 69, Copyright (C) year name of author
Gnomovision comes with ABSOLUTELY NO WARRANTY; for details type `show w'.
This is free software, and you are welcome to redistribute it
under certain conditions; type `show c' for details.
The hypothetical commands `show w' and `show c' should show the appropriate
parts of the General Public License. Of course, the commands you use may
be called something other than `show w' and `show c'; they could even be
mouse-clicks or menu items--whatever suits your program.
You should also get your employer (if you work as a programmer) or your
school, if any, to sign a "copyright disclaimer" for the program, if
necessary. Here is a sample; alter the names:
Yoyodyne, Inc., hereby disclaims all copyright interest in the program
`Gnomovision' (which makes passes at compilers) written by James Hacker.
&lt;signature of Ty Coon>, 1 April 1989
Ty Coon, President of Vice
This General Public License does not permit incorporating your program into
proprietary programs. If your program is a subroutine library, you may
consider it more useful to permit linking proprietary applications with the
library. If this is what you want to do, use the GNU Library General
Public License instead of this License.

172