Wireshark mailing list archives

Re: Alert on captured packet


From: Tony Trinh <tony19 () gmail com>
Date: Mon, 9 Jan 2012 21:56:47 -0500

Yes, a Lua tap can do this. For example, you can use the following script
to beep 3 times when it detects UDP packet lengths between 1034 and 1037.
The beeps can get annoying.


local _filter = 'udp.length > 1034 and udp.length < 1037'

-- Attach a tap to every frame that matches the display filter.
local function make_tap(filter)
    local tap = Listener.new(nil, filter)

    -- Called once for each packet that passes the filter.
    function tap.packet()
        -- beep 3 times
        for i = 1, 3 do print '\007' end
        -- you can also show a message box here with
        -- new_dialog() or report_failure(), but you'll
        -- need a flag to prevent opening a whole bunch
        -- of message boxes
    end

    return tap
end

-- If not running from Wireshark, enable the tap immediately, then
-- abort, or else we'll get an error below for trying to do GUI
-- stuff from the command line.
if not gui_enabled() then
    make_tap(_filter)
    return
end

-- GUI: a small text window with Start/Stop buttons that attach and
-- remove the tap on demand.
local function make_win()
    local tap = nil
    local win = TextWindow.new("Watcher")

    local function remove_tap()
        if tap then tap:remove() end
        tap = nil
    end

    win:set("Press Start to begin watching")
    win:set_atclose(remove_tap)   -- closing the window also removes the tap

    win:add_button("Start", function()
        if tap then
            report_failure("Already started")
            return
        end
        win:set("Watching for:\n" .. _filter)
        tap = make_tap(_filter)
    end)

    win:add_button("Stop", function()
        if not tap then
            report_failure("Not started")
            return
        end
        remove_tap()
        win:set("Press Start to begin watching")
    end)
end

register_menu("Lua/Test", make_win, MENU_TOOLS_UNSORTED or 8)




On Mon, Jan 9, 2012 at 10:59 AM, Harper <Helge.Kruse-nospam () gmx net> wrote:

I have a protocol where the same request is sent again and again. Suddenly
a request is answered with a different response than usual. I have
configured Wireshark to use multiple files to capture all the data.

Now I want to get an alert (message box, email, anything else) when this
event occurs. This can be done by manually looking in each capture file. But
this is a bit cumbersome. Can this be done with Wireshark tools or with a
plug-in? Probably a Lua plug-in could do this?

The criteria for the alert should be something like
 udp.length > 1034 and udp.length < 1037


Thanks,
Harper

___________________________________________________________________________
Sent via:    Wireshark-users mailing list <wireshark-users () wireshark org>
Archives:    http://www.wireshark.org/lists/wireshark-users
Unsubscribe: https://wireshark.org/mailman/options/wireshark-users
             mailto:wireshark-users-request () wireshark org?subject=unsubscribe
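Added example, not part of the thread above and not Tony's script: a tap that fits Harper's multi-file, unattended setup. Instead of beeping, it appends one line per matching packet to a log file, prints a per-file summary under tshark, and in the GUI raises at most one dialog per session (the "flag" Tony mentions) so a burst of hits does not open a pile of message boxes. The log file name, the dialog limit and the tshark loop are assumptions chosen for illustration; the Listener, Field, Pinfo, gui_enabled() and report_failure() calls are the standard Wireshark Lua API.

```lua
-- alert_tap.lua (added example; not from the original thread)
-- No GUI, over a ring-buffer directory (assumed file names):
--   for f in capture_*.pcapng; do tshark -q -r "$f" -X lua_script:alert_tap.lua; done
-- In Wireshark: Help > About > Folders shows the plugins directory; drop it there,
-- or start with: wireshark -X lua_script:alert_tap.lua

local FILTER      = "udp.length > 1034 and udp.length < 1037"  -- Harper's criterion
local LOG_PATH    = "udp_alerts.log"   -- assumed output file, appended to
local MAX_DIALOGS = 1                  -- popups per GUI session; the log keeps everything

-- Field extractors must be created at load time, never inside a callback.
local f_udp_len = Field.new("udp.length")

local total, log_fh, dialogs_shown = 0, nil, 0

-- Tap the "frame" tap with the display filter: packet() fires only for hits.
local tap = Listener.new("frame", FILTER)

function tap.reset()
    -- called before each (re)dissection pass; restart the per-file counter
    total = 0
end

function tap.packet(pinfo, tvb)
    total = total + 1
    local len = f_udp_len()      -- FieldInfo of the first udp.length occurrence, or nil
    local line = string.format("%s frame=%d %s:%d -> %s:%d udp.length=%s",
        os.date("!%Y-%m-%dT%H:%M:%SZ", math.floor(pinfo.abs_ts)),
        pinfo.number,
        tostring(pinfo.src), pinfo.src_port,
        tostring(pinfo.dst), pinfo.dst_port,
        len and tostring(len.value) or "?")

    if not log_fh then log_fh = io.open(LOG_PATH, "a") end
    if log_fh then
        log_fh:write(line, "\n")
        log_fh:flush()           -- survive a crash or kill mid-capture
    end
    print("ALERT " .. line)      -- tshark stdout; Wireshark console window in the GUI

    if gui_enabled() and dialogs_shown < MAX_DIALOGS then
        dialogs_shown = dialogs_shown + 1
        report_failure("Unexpected response seen:\n" .. line ..
                       "\nFurther hits are appended to " .. LOG_PATH)
    end
end

function tap.draw()
    -- tshark calls draw() once at end of file; the GUI calls it periodically
    if not gui_enabled() then
        print(string.format("%d packet(s) matched '%s'", total, FILTER))
    end
end
```

Two checks worth making before relying on this: the filter as written matches only udp.length 1035 and 1036, and udp.length counts the 8-byte UDP header, so confirm against a known "bad" packet in an existing file with `tshark -r bad.pcapng -Y "udp.length > 1034 and udp.length < 1037"` before watching live. For an email alert, a cron job that tails udp_alerts.log is simpler and safer than calling a mailer from inside the dissection loop.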
