This page contains a collection of user-created public scripts, macros, colouring rules and other useful plugins.

Colouring Rules

Coloring rule files use an extension to keep them unique within the wiki. They need to be renamed when applied to a profile.

| Color profile | Profile version | Minimum Wireshark version | Description |
|---|---|---|---|
| colorfilters.rtps | 16-03-05 | 2.1.0 | These color filters are for the RTPS protocol. |

Display Filter Macros

None yet.

Lua Plugins

Protocol Dissectors

| Lua plugin | Lua plugin version | Minimum Wireshark version | Description | Sample capture |
|---|---|---|---|---|
| citp.lua | 12-01-24 | 1.10.0 | This plugin dissects CITP (Controller Interface Transport Protocol), as described at www.citp-protocol.org. CITP is used in the event and entertainment industries to allow lighting consoles, media servers and visualizers to interchange operation information with an open protocol. The plugin is hosted on github. | none |
| cr3.lua | 14-09-02 | 1.10.0 | This plugin dissects packets for the Crimson v3 protocol related to the ICS HMI touchpanels made by Red Lion Controls (redlion.net). These devices support updates over TCP port 789. This minimal dissector is a starting point for understanding this protocol. The plugin is hosted on github. | none |
| dpt.lua | 14-08-28 | 1.10.0 | This plugin dissects the DPT protocol used by Diffusion (www.pushtechnology.com). The plugin is hosted on github. | DPT samples |
| fpm.lua | 1.0 | 1.10.0 | This plugin dissects Forwarding Plane Manager (FPM) messages over TCP, which internally contain Netlink protocol messages. The open source Quagga, Zebra, and commercial ZebOS routing stacks/engines all use FPM to communicate to the forwarding plane of a router. | segmented_fpm.pcap |
| gits.lua | 15-01-19 | 1.10.0 | This plugin dissects packets for PwnAdventure 3, an MMORPG game designed to be hacked (pwnadventure.com). The plugin is hosted on github. | gits15.tar.gz |
| guacamole.lua | 1.4 | unknown | This plugin dissects the Guacamole Protocol | |
| inetx_generic.lua, et al | 15-03-27 | 1.12.0 | This plugin dissects iNet-X (CTEIP Integrated Network Enhanced Telemetry) and IENA packet formats. See Curtiss-Wright for details. The plugin is hosted on github. | test samples |
| kdnet.lua | 2017-02-19 | 2.0.2 | Reverse-engineered Windows Kernel Debugger UDP protocol. Plugin, pcap and keys are hosted on Github | |
| LyncPacketDissector1.00.lua / Lync-Skype4B-Plugin2.00.lua | 1.00 / 2.0 | 1.10.0 / 2.0 | This plugin dissects Microsoft Lync AV Edge and Internal Edge AV traffic, STUN/TURN traffic on Microsoft Lync Edge port, and the dynamically assigned RTP and RTCP traffic by using ports allocated in STUN requests. For more information, see myskypelab.com. | none |
| omci.lua and BinDecHex.lua | 14-3-13-r11 | 1.4.3 | This plugin dissects packets for ONT Management and Control Interface (OMCI) protocol (ITU Rec. G984.4). The purpose of the dissector is to decode OMCI data flowing between Optical Line Termination (OLT, the network side) and Optical Network Termination (ONT, the end user side). Both Lua files are needed, as one depends on the other. The plugin is hosted on google. | omci-example.pcap |
| packet-simplemessage.lua | 0.1.9 | 1.10.0 | This plugin dissects the ROS-Industrial SimpleMessage protocol, as defined on www.ros.org. The plugin is hosted on github. | simple_move.pcapng |
| rtp_ext_onvif_replay.lua | 15-06-02 | 1.10.0 | This plugin dissects ONVIF (Open Network Video Interface Forum) media streams in RTP packets, as defined in ONVIF Spec 2.10 section 6.2. The plugin is hosted on github. | none |
| satp.lua | r133 | 1.10.0 | This plugin dissects the Secure Anycast Tunneling Protocol (SATP), as defined in IETF draft draft-gsenger-secure-anycast-tunneling-protocol-02. The plugin is hosted on SVN. | nullcypher-pings.pcap |
| SMPTE-2022-6.lua | 14-02-14 | 1.10 | This plugin dissects SMPTE 2022-6 High Bit Rate Media Signals over IP Networks (HBRMT). The plugin is hosted on github. | none |
| someip.lua, et al | 15-03-27 | 1.12.0 | This plugin dissects packets for Scalable service-Oriented MiddlewarE over IP (SOME/IP), from the AUTOSAR (AUTomotive Open System ARchitecture) 4.2. The plugin is hosted on github. | none |
| stomp.lua | 15-07-04 | 1.10.0 | This plugin dissects STOMP protocol packets, both over raw TCP and over HTTP/Websocket. The plugin this was based on is hosted on github, but the file in this wiki is newer, and can do things the one on github cannot; it was based on an answer to a question on ask.wireshark.org. | websocket_stomp.pcapng |
| wg.lua | 2017-03-03 | 2.0.2 | This plugin dissects the WireGuard VPN tunnel protocol. Plugin, pcap and keys are hosted on Github. | |
| xpl_dissector.lua | 1.2 | 1.10.0 | This plugin dissects xPL protocol packets, used for home automation control. The plugin is hosted on the author's web site. | xpl_dissector_testdata.pcap |

Statistic Taps or Post-Dissectors

| Lua plugin | Lua plugin version | Minimum Wireshark version | Description |
|---|---|---|---|
| arp_host.lua | 1.0.0 | unknown | Hacked up version of [Extract field values](https://gitlab.com/wireshark/wireshark/-/wikis/Lua/Examples#extract-field-values) to answer [Resolved or Mapped ARP Target IP Address](https://ask.wireshark.org/question/22016/resolved-or-mapped-arp-target-ip-address/) |
| delta_distance.lua | 2021-08-01 | 1.10.0 | Calculates the speed of light distance between packets. |
| filtcols.lua | 1.0.2 | unknown | A post-dissector to allow filtering on Protocol and Info columns |
| gd_tcflag.lua | r27 | 1.10.0 | Track each TCP stream automatically and group its details for express analysis: TCP flags used through the lifetime of the conversation, etc.; counters of all tcp.analysis.flags seen anywhere in the conversation; stats (payload bytes, frames, lowest and highest window size used), etc. For more details visit homepage at GitHub |
| ip_src_alternate.lua | 1.0.0 | unknown | A blend of filtcols.lua and arp_host.lua to answer [How do I find two consecutive frames from the same IP source address](https://ask.wireshark.org/question/22090/how-do-i-find-two-consecutive-frames-from-the-same-ip-source-address/) |
| ipv6-postdissector.lua | 1.2 | unknown | An IPv6 post-dissector that fully expands all IPv6 addresses. |
| tap-subnets.lua | 1.4 | unknown | A tap that displays IPv4 subnet statistics in a GUI menu. |
| tap-resolved.lua | 1.18 | 3.2.0 | A tap that displays sorted resolved data in a GUI menu. |
| TCPextend-post_dissector.lua | v0.7-20150706 | 1.10.0 | The TCP-extend plugin displays some additional TCP statistics information, as new fields which can be used in display filters, columns, etc. The plugin is hosted on github, which you should see for details. |
| tcp_stats.lua | 2017-06-21 | 1.10.0 | The TCP-Stats plugin scans through all TCP connections and provides summarized statistics of MSS, Window Scaling, iRTT, Highest Delta and Lowest Window Size. Latest version at github. It is meant to run from tshark; see the script header for instructions. |
| TLSextend | (see github) | 1.10.0 | Adds a TLS state field to filter out complete TCP streams based on the presence of ClientHello and/or ServerHello packets in the stream. |
| tls_conversations.lua | 1.0.0 | unknown | Started with [Example: Listener written in Lua](https://www.wireshark.org/docs/wsdg_html/#wslua_tap_example) in the WSDG. Tap/Gui version of **TLSextend** (see above). Answers question: [Filter TLS with no Server Hello](https://ask.wireshark.org/question/26618/filter-tls-with-no-server-hello/). Should be doable in `MATE` but it has issues: [[Wireshark-dev] MATE Stop for multi-occurrence field](https://www.wireshark.org/lists/wireshark-dev/202204/msg00000.html) / [MATE: no Match if multiple AVP with same name](https://gitlab.com/wireshark/wireshark/-/issues/18024) |
| transum.lua | 9b | 1.10.0 | The TRANSUM plugin provides four new response time fields (APDU Response Time, Service Time, Request Spread, and Response Spread), powerful filtering options and a quick way to match front-end response times to back-end service delays. See tribelabzero.com for details. |

File Formats

| Lua plugin | Lua plugin version | Minimum Wireshark version | Description |
|---|---|---|---|
| acme_file.lua | 1.0 | 1.11.3 | This "capture file" reader reads message logs from Acme Packet (now Oracle) Session Border Controllers, such as sipmsg.log files. |
| file-zip.lua | 2016-12-22 | 1.11.3? | Dissects the structure of a Zip archive using heuristics. Hosted on git.lekensteyn.nl |
| fileshark_pcap.lua | 1.0 | 1.11.3 | This "capture file" reader reads pcap files - the old style ones - as a FileShark implementation. What does that mean? It means it reads a pcap file and displays the contents of the file format itself, showing the file header, record headers, etc., and their fields. To do this it creates a "pcapfile" protocol dissector, with associated protocol fields of what pcap file formats have. |

Other

| Lua plugin | Lua plugin version | Minimum Wireshark version | Description |
|---|---|---|---|
| Browser SSLKEYLOGFILE | 2021-08-01 | 3.0.0 | Runs Chrome or Firefox with the SSLKEYLOGFILE environment variable set to Wireshark's tls.keylog_file preference. |
| Cloudshark plugin | 1.0.5 | 1.10.0 | The CloudShark plug-in for Wireshark makes it seamless to move your capture files from Wireshark to a CloudShark appliance or [https://www.cloudshark.org/](https://www.cloudshark.org/). Once installed, the plugin adds a new CloudShark submenu under the existing Wireshark Tools menu. Capture files are sent to the configured CloudShark appliance or [https://www.cloudshark.org/](https://www.cloudshark.org/) by selecting the upload option under the Tools -> Cloudshark menu. The plugin also works with tshark from the command-line. |
| [col.lua](uploads/815ba39e89ef7aba3258c09620f0837c/col.lua) | 1.3 | unknown | Common column functions |
| Netzob | N/A | unknown | You can use the Netzob application's exporter to automatically generate Wireshark Lua-based dissectors for proprietary or undocumented protocols, as Lua plugin scripts (i.e., it generates the Lua scripts to use in Wireshark). |

Extcap Plugins

| Extcap plugin | Profile version | Minimum Wireshark version | Description |
|---|---|---|---|
| extcap_example.rb | 16-03-05 | 2.1.0 | A ruby example extcap application |
| wireshark-fritzbox | | | Allows running a remote capture from a FRITZ!Box router |


Imported from https://wiki.wireshark.org/Contrib on 2020-08-11 23:12:21 UTC