Lua Dissectors for Airstream PyShark
This directory contains example Lua dissectors that can be used with Wireshark/tshark to decode custom protocols in PyShark.
Installation
- Copy the Lua dissector files to your Wireshark plugins directory:
  - Linux/Mac: ~/.local/lib/wireshark/plugins/ or ~/.config/wireshark/plugins/
  - Windows: %APPDATA%\Wireshark\plugins\
- Restart Wireshark/tshark or reload Lua plugins (Ctrl+Shift+L in Wireshark)
- The dissectors will automatically be available to PyShark
Example Custom Protocol Dissector
The example_custom_protocol.lua demonstrates:
- Creating a custom protocol dissector
- Defining protocol fields
- Parsing packet structure
- Registering for specific UDP ports
- Heuristic dissection
Using with PyShark
Once installed, PyShark will automatically use these dissectors:
import pyshark

# Capture with custom dissector
capture = pyshark.FileCapture('capture.pcap')
for packet in capture:
    if hasattr(packet, 'custom'):
        print(f"Custom packet: {packet.custom.msg_type}")
Creating Your Own Dissectors
- Copy example_custom_protocol.lua as a template
- Modify the protocol name, fields, and parsing logic
- Register for appropriate ports or use heuristic detection
- Place in Wireshark plugins directory
Benefits for Airstream
Custom Lua dissectors enable:
- Decoding proprietary protocols (IENA, Chapter 10, etc.)
- Adding metadata extraction
- Protocol-specific statistics
- Enhanced filtering capabilities
Testing Dissectors
Test your dissector in Wireshark GUI first:
- Open a capture file
- Check if protocol appears in packet list
- Verify field extraction in packet details
- Use display filters like custom.msg_type == 1
Then use with airstream_pyshark.py:
./airstream_pyshark.py -p capture.pcap --filter "custom"