airstream/lua_dissectors/README.md

# Lua Dissectors for Airstream PyShark

This directory contains example Lua dissectors that can be used with Wireshark/tshark to decode custom protocols in PyShark.

## Installation

1. Copy the Lua dissector files to your Wireshark plugins directory:
   - **Linux/Mac**: `~/.local/lib/wireshark/plugins/` or `~/.config/wireshark/plugins/`
   - **Windows**: `%APPDATA%\Wireshark\plugins\`

2. Restart Wireshark/tshark or reload Lua plugins (Ctrl+Shift+L in Wireshark)

3. The dissectors will automatically be available to PyShark

## Example Custom Protocol Dissector

The `example_custom_protocol.lua` demonstrates:
- Creating a custom protocol dissector
- Defining protocol fields
- Parsing packet structure
- Registering for specific UDP ports
- Heuristic dissection

## Using with PyShark

Once installed, PyShark will automatically use these dissectors:

```python
import pyshark

# Capture with custom dissector
capture = pyshark.FileCapture('capture.pcap')
for packet in capture:
    if hasattr(packet, 'custom'):
        print(f"Custom packet: {packet.custom.msg_type}")
```

## Creating Your Own Dissectors

1. Copy `example_custom_protocol.lua` as a template
2. Modify the protocol name, fields, and parsing logic
3. Register for appropriate ports or use heuristic detection
4. Place in Wireshark plugins directory

## Benefits for Airstream

Custom Lua dissectors enable:
- Decoding proprietary protocols (IENA, Chapter 10, etc.)
- Adding metadata extraction
- Protocol-specific statistics
- Enhanced filtering capabilities

## Testing Dissectors

Test your dissector in Wireshark GUI first:
1. Open a capture file
2. Check if protocol appears in packet list
3. Verify field extraction in packet details
4. Use display filters like `custom.msg_type == 1`

Then use with airstream_pyshark.py:
```bash
./airstream_pyshark.py -p capture.pcap --filter "custom"
```
first working 2025-08-03 20:20:55 -04:00			`# Lua Dissectors for Airstream PyShark`

			`This directory contains example Lua dissectors that can be used with Wireshark/tshark to decode custom protocols in PyShark.`

			`## Installation`

			`1. Copy the Lua dissector files to your Wireshark plugins directory:`
			- Linux/Mac: `~/.local/lib/wireshark/plugins/` or `~/.config/wireshark/plugins/`
			- Windows: `%APPDATA%\Wireshark\plugins\`

			`2. Restart Wireshark/tshark or reload Lua plugins (Ctrl+Shift+L in Wireshark)`

			`3. The dissectors will automatically be available to PyShark`

			`## Example Custom Protocol Dissector`

			The `example_custom_protocol.lua` demonstrates:
			`- Creating a custom protocol dissector`
			`- Defining protocol fields`
			`- Parsing packet structure`
			`- Registering for specific UDP ports`
			`- Heuristic dissection`

			`## Using with PyShark`

			`Once installed, PyShark will automatically use these dissectors:`

			```python
			`import pyshark`

			`# Capture with custom dissector`
			`capture = pyshark.FileCapture('capture.pcap')`
			`for packet in capture:`
			`if hasattr(packet, 'custom'):`
			`print(f"Custom packet: {packet.custom.msg_type}")`
			```

			`## Creating Your Own Dissectors`

			1. Copy `example_custom_protocol.lua` as a template
			`2. Modify the protocol name, fields, and parsing logic`
			`3. Register for appropriate ports or use heuristic detection`
			`4. Place in Wireshark plugins directory`

			`## Benefits for Airstream`

			`Custom Lua dissectors enable:`
			`- Decoding proprietary protocols (IENA, Chapter 10, etc.)`
			`- Adding metadata extraction`
			`- Protocol-specific statistics`
			`- Enhanced filtering capabilities`

			`## Testing Dissectors`

			`Test your dissector in Wireshark GUI first:`
			`1. Open a capture file`
			`2. Check if protocol appears in packet list`
			`3. Verify field extraction in packet details`
			4. Use display filters like `custom.msg_type == 1`

			`Then use with airstream_pyshark.py:`
			```bash
			`./airstream_pyshark.py -p capture.pcap --filter "custom"`
			```