This page contains a collection of user-created public scripts, macros, colouring rules and other useful plugins.

Colouring Rules

Coloring rule files use an extension to keep them unique within the wiki. They need to be renamed when applied to a profile.

| Color profile | Profile version | Minimum Wireshark version | Description |
|---|---|---|---|
| colorfilters.rtps | 16-03-05 | 2.1.0 | These color filters are for RTPS protocol |

Display Filter Macros

None yet.

Lua Plugins

Protocol Dissectors

| Lua plugin | Lua plugin version | Minimum Wireshark version | Description | Sample capture |
|---|---|---|---|---|
| citp.lua | 12-01-24 | 1.10.0 | This plugin dissects CITP (Controller Interface Transport Protocol), as described at www.citp-protocol.org. CITP is used in the event and entertainment industries to allow lighting consoles, media servers and visualizers to interchange operation information with an open protocol. The plugin is hosted on github. | none |
| cr3.lua | 14-09-02 | 1.10.0 | This plugin dissects packets for the Crimson v3 protocol related to the ICS HMI touchpanels made by Red Lion Controls (redlion.net). These devices support updates over TCP port 789. This minimal dissector is a starting point for understanding this protocol. The plugin is hosted on github. | none |
| dpt.lua | 14-08-28 | 1.10.0 | This plugin dissects the DPT protocol used by Diffusion (www.pushtechnology.com). The plugin is hosted on github. | DPT samples |
| fpm.lua | 1.0 | 1.10.0 | This plugin dissects Forwarding Plane Manager (FPM) messages over TCP, which internally contain Netlink protocol messages. The open source Quagga, Zebra, and commercial ZebOS routing stacks/engines all use FPM to communicate to the forwarding plane of a router. | segmented_fpm.pcap |
| gits.lua | 15-01-19 | 1.10.0 | This plugin dissects packets for PwnAdventure 3, an MMORPG game designed to be hacked (pwnadventure.com). The plugin is hosted on github. | gits15.tar.gz |
| inetx_generic.lua, et al | 15-03-27 | 1.12.0 | This plugin dissects iNet-X (CTEIP Integrated Network Enhanced Telemetry) and IENA packet formats. See Curtiss-Wright for details. The plugin is hosted on github. | test samples |
| LyncPacketDissector1.00.lua / Lync-Skype4B-Plugin2.00.lua | 1.00 / 2.0 | 1.10.0 / 2.0 | This plugin dissects Microsoft Lync AV Edge and Internal Edge AV traffic, STUN/TURN traffic on Microsoft Lync Edge port, and the dynamically assigned RTP and RTCP traffic by using ports allocated in STUN requests. For more information, see myskypelab.com. | none |
| omci.lua and BinDecHex.lua | 14-3-13-r11 | 1.4.3 | This plugin dissects packets for ONT Management and Control Interface (OMCI) protocol (ITU Rec. G984.4). The purpose of the dissector is to decode OMCI data flowing between Optical Line Termination (OLT, the network side) and Optical Network Termination (ONT, the end user side). Both Lua files are needed, as one depends on the other. The plugin is hosted on google. | omci-example.pcap |
| packet-simplemessage.lua | 0.1.9 | 1.10.0 | This plugin dissects the ROS-Industrial SimpleMessage protocol, as defined on www.ros.org. The plugin is hosted on github. | simple_move.pcapng |
| rtp_ext_onvif_replay.lua | 15-06-02 | 1.10.0 | This plugin dissects ONVIF (Open Network Video Interface Forum) media streams in RTP packets, as defined in ONVIF Spec 2.10 section 6.2. The plugin is hosted on github. | none |
| satp.lua | r133 | 1.10.0 | This plugin dissects the Secure Anycast Tunneling Protocol (SATP), as defined in IETF draft draft-gsenger-secure-anycast-tunneling-protocol-02. The plugin is hosted on SVN. | nullcypher-pings.pcap |
| SMPTE-2022-6.lua | 14-02-14 | 1.10 | This plugin dissects SMPTE 2022-6 High Bit Rate Media Signals over IP Networks (HBRMT). The plugin is hosted on github. | none |
| someip.lua, et al | 15-03-27 | 1.12.0 | This plugin dissects packets for Scalable service-Oriented MiddlewarE over IP (SOME/IP), from the AUTOSAR (AUTomotive Open System ARchitecture) 4.2. The plugin is hosted on github. | none |
| stomp.lua | 15-07-04 | 1.10.0 | This plugin dissects STOMP protocol packets, both over raw TCP and over HTTP/Websocket. The plugin this was based on is hosted on github, but the file in this wiki is newer, and can do things the one on github cannot; it was based on an answer to a question on ask.wireshark.org. | websocket_stomp.pcapng |
| xpl_dissector.lua | 1.2 | 1.10.0 | This plugin dissects xPL protocol packets, used for home automation control. The plugin is hosted on the author's web site. | xpl_dissector_testdata.pcap |
| kdnet.lua | 2017-02-19 | 2.0.2 | Reverse-engineered Windows Kernel Debugger UDP protocol. Plugin, pcap and keys are hosted on Github. | |
| wg.lua | 2017-03-03 | 2.0.2 | This plugin dissects the WireGuard VPN tunnel protocol. Plugin, pcap and keys are hosted on Github. | |

Statistic Taps or Post-Dissectors

| Lua plugin | Lua plugin version | Minimum Wireshark version | Description |
|---|---|---|---|
| transum.lua | 9b | 1.10.0 | The TRANSUM plugin provides four new response time fields (APDU Response Time, Service Time, Request Spread, and Response Spread), powerful filtering options and a quick way to match front-end response times to back-end service delays. See tribelabzero.com for details. |
| TCPextend-post_dissector.lua | v0.7-20150706 | 1.10.0 | The TCP-extend plugin displays some additional TCP statistics information, as new fields which can be used in display filters, columns, etc. The plugin is hosted on github, which you should see for details. |
| tcp_stats.lua | 2017-06-21 | 1.10.0 | The TCP-Stats plugin scans through all TCP connections and provides summarized statistics of MSS, Window Scaling, iRTT, Highest Delta and Lowest Window Size. Latest version at github. It is meant to run from tshark; see the script header for instructions. |

File Formats

| Lua plugin | Lua plugin version | Minimum Wireshark version | Description |
|---|---|---|---|
| acme_file.lua | 1.0 | 1.11.3 | This "capture file" reader reads message logs from Acme Packet (now Oracle) Session Border Controllers, such as sipmsg.log files. |
| fileshark_pcap.lua | 1.0 | 1.11.3 | This "capture file" reader reads pcap files - the old style ones - as a FileShark implementation. What does that mean? It means it reads a pcap file and displays the contents of the file format itself, showing the file header, record headers, etc., and their fields. To do this it creates a "pcapfile" protocol dissector, with associated protocol fields of what pcap file formats have. |
| file-zip.lua | 2016-12-22 | 1.11.3? | Dissects the structure of a Zip archive using heuristics. Hosted on git.lekensteyn.nl |

Other

| Lua plugin | Lua plugin version | Minimum Wireshark version | Description |
|---|---|---|---|
| Lua plugin installer | 1.0.3-180 | 1.10.0 | The CloudShark plug-in for Wireshark lets you seamlessly sync your Wireshark packet captures with the CloudShark Appliance. After installing the CloudShark plug-in on your system with Wireshark, you will be able to manage, view, analyze, and share your Wireshark captures on CloudShark's website. |
| Generated by Netzob | N/A | unknown | You can use the Netzob application's exporter to automatically generate Wireshark Lua-based dissectors for proprietary or undocumented protocols, as Lua plugin scripts. (i.e., it generates the Lua scripts to use in Wireshark) |

Extcap Plugins

| Extcap plugin | Profile version | Minimum Wireshark version | Description |
|---|---|---|---|
| extcap_example.rb | 16-03-05 | 2.1.0 | A ruby example extcap application |

Contrib (last edited 2017-06-21 15:30:56 by SilvioGissi)