airstream/lua_dissectors/README.md

# Lua Dissectors for Airstream PyShark

This directory contains example Lua dissectors that can be used with Wireshark/tshark to decode custom protocols in PyShark.

## Installation

1. Copy the Lua dissector files to your Wireshark plugins directory:
   - **Linux/Mac**: `~/.local/lib/wireshark/plugins/` or `~/.config/wireshark/plugins/`
   - **Windows**: `%APPDATA%\Wireshark\plugins\`

2. Restart Wireshark/tshark or reload Lua plugins (Ctrl+Shift+L in Wireshark)

3. The dissectors will automatically be available to PyShark

## Example Custom Protocol Dissector

The `example_custom_protocol.lua` demonstrates:
- Creating a custom protocol dissector
- Defining protocol fields
- Parsing packet structure
- Registering for specific UDP ports
- Heuristic dissection

## Using with PyShark

Once installed, PyShark will automatically use these dissectors:

```python
import pyshark

# Capture with custom dissector
capture = pyshark.FileCapture('capture.pcap')
for packet in capture:
    if hasattr(packet, 'custom'):
        print(f"Custom packet: {packet.custom.msg_type}")
```

## Creating Your Own Dissectors

1. Copy `example_custom_protocol.lua` as a template
2. Modify the protocol name, fields, and parsing logic
3. Register for appropriate ports or use heuristic detection
4. Place in Wireshark plugins directory

## Benefits for Airstream

Custom Lua dissectors enable:
- Decoding proprietary protocols (IENA, Chapter 10, etc.)
- Adding metadata extraction
- Protocol-specific statistics
- Enhanced filtering capabilities

## Testing Dissectors

Test your dissector in Wireshark GUI first:
1. Open a capture file
2. Check if protocol appears in packet list
3. Verify field extraction in packet details
4. Use display filters like `custom.msg_type == 1`

Then use with airstream_pyshark.py:
```bash
./airstream_pyshark.py -p capture.pcap --filter "custom"
```