Anyone who’s looked at packets knows about Wireshark. Considerably less seems to be known about Wireshark’s scripting interface, though.
While reviewing a very old packet capture I noticed that the host names as resolved by Wireshark weren’t consistent with what I knew of the data. Well, what can you do? DNS names and IP addresses are in a constant state of flux. It hit me then that the packet capture itself had all the data I needed to create a hosts file for Wireshark. It was just a matter of extracting the data from the HTTP requests or the DNS requests/responses into hosts file format and putting a hosts file in the Wireshark directory.
Every HTTP request contains a Host header. The purpose of the header is to allow a web server with a single IP address to host websites for more than one domain: the web server uses the Host header to multiplex multiple virtual directories/websites onto a single IP address.
To run the script, make sure that you edit the init.lua file in the Wireshark directory and comment out the line beginning with disable_lua. The usage is shown below in the script, and because we are using tshark we can just redirect the output directly to a hosts file.
Listing 1 – gethttphosts.lua
-- Lua script to extract HTTP Host headers to create a hosts
-- file for Wireshark name resolution.
-- command line:
-- tshark -r websurf.pcap -q -X lua_script:gethttphosts.lua
do
  -- Create the field extractors. Field.new() must be called at script
  -- load time, before any tap or dissector is invoked.
  hostname = Field.new("http.host")
  ip_dst = Field.new("ip.dst")

  local function init_listener()
    -- Create a listener that filters for HTTP requests
    local tap = Listener.new("frame", "tcp && http.request")

    function tap.reset()
    end

    function tap.packet(pinfo, tvb, ip)
      -- Format one hosts file line ("<destination IP> <Host header>") and output it
      local strTemp = tostring(ip_dst()) .. " " .. tostring(hostname()) .. "\n"
      io.write(strTemp)
    end

    function tap.draw()
    end
  end

  init_listener()
end
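The listing writes one raw line per request, so the result still contains duplicates, Host values that carry a port (intranet.local:8080), bare IP addresses used as Host, and, as described above, several names for one IP. The Python post-processor below is an added example, not part of the original post or of Wireshark; it takes the listing’s output (a constructed sample is embedded) and turns it into a clean hosts file with one line per IP listing every name seen for it.

```python
import ipaddress
import re

# Constructed sample of what the Lua listener writes ("<ip.dst> <http.host>" per line):
# duplicates, a Host header carrying a port, several names behind one IP, a bare IP.
SAMPLE_OUTPUT = """\
93.184.216.34 example.com
93.184.216.34 www.example.com
93.184.216.34 example.com
10.0.0.5 intranet.local:8080
10.0.0.5 10.0.0.5
2606:2800:220:1:248:1893:25c8:1946 example.com
"""

# Loose host name check: letters, digits, hyphens and dots, no leading/trailing dot or dash.
HOSTNAME_RE = re.compile(r"^[a-z0-9]([a-z0-9.-]*[a-z0-9])?$")


def normalise_host(value):
    """Return the host name from a Host header value, or None if it is not usable."""
    host = value.strip().lower()
    if host.startswith("[") or host.count(":") > 1:   # IPv6 literal, never a name
        return None
    host = host.split(":", 1)[0]                       # drop a ":8080" style port suffix
    try:
        ipaddress.ip_address(host)                     # bare IP as Host: nothing to resolve
        return None
    except ValueError:
        return host if HOSTNAME_RE.match(host) else None


def build_hosts(text):
    """Map each destination IP (v4 or v6) to the de-duplicated names seen for it."""
    table = {}
    for line in text.splitlines():
        parts = line.split(None, 1)
        if len(parts) != 2:
            continue
        try:
            ip = str(ipaddress.ip_address(parts[0]))   # also normalises IPv6 spelling
        except ValueError:
            continue
        name = normalise_host(parts[1])
        if name is not None and name not in table.setdefault(ip, []):
            table[ip].append(name)
    return table


def render_hosts(table):
    """Emit hosts file lines: one IP followed by every name observed for it."""
    return "".join(f"{ip} {' '.join(names)}\n" for ip, names in table.items())
```

To use it on a real capture, pass the text of the file the tshark run produced to build_hosts() and write render_hosts() of the result into the hosts file in the Wireshark directory.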
cool!!! – thanks a lot for this post!!!
Comment by alex693 — July 1, 2009 @ 4:00 am
Thanks for the post. Do you have any more explanation about how Field.new works? The Lua/Wireshark docs aren’t very helpful. And what does hostname() do? Is that some kind of function/method call?
Thanks!
Comment by Victor — October 21, 2011 @ 12:47 pm
Hello Victor, glad you found the post useful. Hostname is a field extractor that is created at the beginning of the script. To access the dissected packet from within Lua you need to create the field extractors. I don’t really have any other information on field.new. I could only speculate that it is the method used to bind a Lua variable/function name to one of the fields dissected by wireshark.
Comment by networknerd — October 21, 2011 @ 2:05 pm