Contrib - Wireshark Wiki

This page contains a collection of user-created public scripts, macros, colouring rules and other useful plugins.

Colouring Rules
Display Filter Macros
Lua Plugins
Extcap Plugins

Colouring Rules

Coloring rule files use an extension to keep them unique within the wiki. They need to be renamed when applied to a profile.

Color profile	Profile version	Minimum Wireshark version	Description
colorfilters.rtps	16-03-05	2.1.0	These color filters are for RTPS protocol

Display Filter Macros

None yet.

Lua Plugins

Protocol Dissectors

Lua plugin	Lua plugin version	Minimum Wireshark version	Description	Sample capture
citp.lua	12-01-24	1.10.0	This plugin dissects CITP (Controller Interface Transport Protocol), as described at www.citp-protocol.org. CITP is used in the event and entertainment industries to allow lighting consoles, media servers and visualizers to interchange operation information with an open protocol. The plugin is hosted on github.	none
cr3.lua	14-09-02	1.10.0	This plugin dissects packets for the Crimson v3 protocol related to the ICS HMI touchpanels made by Red Lion Controls (redlion.net). These devices support updates over TCP port 789. This minimal dissector is a starting point for understanding this protocol. The plugin is hosted on github.	none
dpt.lua	14-08-28	1.10.0	This plugin dissects dissect the DPT protocol used by Diffusion (www.pushtechnology.com). The plugin is hosted on github.	DPT samples
fpm.lua	1.0	1.10.0	This plugin dissects Forwarding Plane Manager (FPM) messages over TCP, which internally contain Netlink protocol messages. The open source Quagga, Zebra, and commercial ZebOS routing stacks/engines all use FPM to communicate to the forwarding plane of a router.	segmented_fpm.pcap
gits.lua	15-01-19	1.10.0	This plugin dissects packets for PwnAdventure 3, an MMORPG game designed to be hacked (pwnadventure.com). The plugin is hosted on github.	gits15.tar.gz
guacamole.lua	1.5	unknown	This plugin dissects the Guacamole Protocol	/Lua/Examples/Guacamole
inetx_generic.lua, et al	15-03-27	1.12.0	This plugin dissects iNet-X (CTEIP Integrated Network Enhanced Telemetry) and IENA packet formats. See Curtis-Wright for details. The plugin is hosted on github.	test samples
kdnet.lua	2017-02-19	2.0.2	Reverse-engineered Windows Kernel Debugger UDP protocol. Plugin, pcap and keys are hosted on Github
LyncPacketDissector1.00.lua / Lync-Skype4B-Plugin2.00.lua	1.00 / 2.0	1.10.0 / 2.0	This plugin dissects Microsoft Lync AV Edge and Internal Edge AV traffic, STUN/TURN traffic on Microsoft Lync Edge port, and the dynamically assigned RTP and RTCP traffic by using ports allocated in STUN requests. For more information, see myskypelab.com.	none
omci.lua and BinDecHex.lua	14-3-13-r11	1.4.3	This plugin dissects packets for ONT Management and Control Interface (OMCI) protocol (ITU Rec. G984.4). The purpose of the dissector is to decode OMCI data flowing between Optical Line Termination (OLT, the network side) and Optical Network Termination (ONT, the end user side). Both Lua files are needed, as one depends on the other. The plugin is hosted on google.	omci-example.pcap
packet-simplemessage.lua	0.1.9	1.10.0	This plugin dissects the ROS-Industrial SimpleMessage protocol, as defined on www.ros.org. The plugin is hosted on github.	simple_move.pcapng
rtp_ext_onvif_replay.lua	15-06-02	1.10.0	This plugin dissects ONVIF (Open Network Video Interface Forum) media streams in RTP packets, as defined in ONVIF Spec 2.10 section 6.2. The plugin is hosted on github.	none
satp.lua	r133	1.10.0	This plugin dissects the Secure Anycast Tunneling Protocol (SATP), as defined in IETF draft draft-gsenger-secure-anycast-tunneling-protocol-02. The plugin is hosted on SVN.	nullcypher-pings.pcap
SMPTE-2022-6.lua	14-02-14	1.10	This plugin dissects SMPTE 2022-6 High Bit Rate Media Signals over IP Networks (HBRMT). The plugin is hosted on github.	none
someip.lua, et al	15-03-27	1.12.0	This plugin dissects packets for Scalable service-Oriented MiddlewarE over IP (SOME/IP), from the AUTOSAR (AUTomotive Open System ARchitecture) 4.2. The plugin is hosted on github.	none
SPDMwid.lua	2024-03-30	4.2.2	This plugin dissects packets for Security Protocol Data Model (SPDM), proposed by DMTF. It has support for versions 1.0.0 and 1.1.0 of the specification	example.pcapng
stomp.lua	15-07-04	1.10.0	This plugin dissects STOMP protocol packets, both over raw TCP and over HTTP/Websocket. The plugin this was based on is hosted on github, but the file in this wiki is newer, and can do things the one on github cannot; it was based on an answer to a question on ask.wireshark.org.	websocket_stomp.pcapng
wg.lua	2017-03-03	2.0.2	This plugin dissects the WireGuard VPN tunnel protocol. Plugin, pcap and keys are on hosted on Github.
xpl_dissector.lua	1.2	1.10.0	This plugin dissects xPL protocol packets, used for home automation control. The plugin is hosted on the author's web site.	xpl_dissector_testdata.pcap

Statistic Taps or Post-Dissectors

Lua plugin	Lua plugin version	Minimum Wireshark version	Description
arp_host.lua	1.0.0	unknown	Hacked up version of Extract field values to answer Resolved or Mapped ARP Target IP Address
delta_distance.lua	2021-08-01	1.10.0	Calculates the speed of light distance between packets.
filtcols.lua	1.0.2	unknown	A post-dissector to allow filtering on Protocol and Info columns
gd_tcflag.lua	r27	1.10.0	Track each TCP stream automatically and group its details for express analysis: * TCP flags used through the lifetime of the conversation, etc. * Counters of all tcp.analysis.flags seen anywhere in the conversation * Stats (payload bytes, frames, lowest and highest window size used), etc. For more details visit homepage at GitHub
ip_src_alternate.lua	1.0.0	unknown	A blend of filtcols.lua and arp_host.lua to answer How do I find two consecutive frames from the same IP source address
ipv6-postdissector.lua	1.2	unknown	An IPv6 post-dissector that fully expands all IPv6 addresses.
tap-subnets.lua	1.4	unknown	A tap that displays IPv4 subnet statistics in a GUI menu.
tap-resolved.lua	1.19	3.2.0	A tap that displays sorted resolved data in a GUI menu.
TCPextend-post_dissector.lua	v0.7-20150706	1.10.0	The TCP-extend plugin displays some additional TCP statistics information, as new fields which can be used in display filters, columns, etc. The plugin is hosted on github, which you should see for details.
tcp_stats.lua	2017-06-21	1.10.0	The TCP-Stats plugin scans through all TCP connections and provides a summarized statistics of MSS, Window Scaling, iRTT, Highest Delta and Lowest Window Size. Latest version at github. It is meant to run from tshark, see script header for instructions
TLSextend	(see github)	1.10.0	Adds a TLS state field by to filter out complete TCP streams based on the presence of ClientHello and/or ServerHello packets in the stream.
tls_conversations.lua	1.0.1	unknown	Started with Example: Listener written in Lua in the WSDG. Tap/Gui version of TLSextend (see above). Answers question: Filter TLS with no Server Hello. Should be doable in `MATE` but it has issues: [Wireshark-dev] MATE Stop for multi-occurrence field / MATE: no Match if multiple AVP with same name
transum.lua	9b	1.10.0	The TRANSUM plugin provides four new response time fields (APDU Response Time, Service Time, Request Spread, and Response Spread), powerful filtering options and a quick way to match front-end response times to back-end service delays. See tribelabzero.com for details.

File Formats

Lua plugin	Lua plugin version	Minimum Wireshark version	Description
acme_file.lua	1.0	1.11.3	This "capture file" reader reads message logs from Acme Packet (now Oracle) Session Border Controllers, such as sipmsg.log files.
file-zip.lua	2016-12-22	1.11.3?	Dissects the structure of a Zip archive using heuristics. Hosted on git.lekensteyn.nl
fileshark_pcap.lua	1.0	1.11.3	This "capture file" reader reads pcap files - the old style ones - as a FileShark implementation. What does that mean? It means it reads a pcap file and displays the contents of the file format itself, showing the file header, record headers, etc., and their fields. To do this it creates a "pcapfile" protocol dissector, with associated protocol fields of what pcap file formats have.

Other

Lua plugin	Lua plugin version	Minimum Wireshark version	Description
ascii.lua	1.4	unknown	Displays the ASCII table.
base64.lua	1.1	unknown	A Base64 Encoder/Decoder Tool.
baseconverter.lua	1.3	unknown	A 64-bit Base Converter Tool.
Browser SSLKEYLOGFILE	2021-08-01	3.0.0	Runs Chrome or Firefox with the SSLKEYLOGFILE environment variable set to Wireshark's tls.keylog_file preference.
Cloudshark plugin	1.0.5	1.10.0	The CloudShark plug-in for Wireshark makes it seamless to move your capture files from Wireshark to a CloudShark appliance or https://www.cloudshark.org/. Once installed, the plugin adds a new CloudShark submenu under the existing Wireshark Tools menu. Capture files are sent to the configured CloudShark appliance or https://www.cloudshark.org/ by selecting the upload option under the Tools -> Cloudshark menu. The plugin also works with tshark from the command-line.
col.lua	1.3	unknown	Common column functions
dtd_gen.lua	N/A	unknown	A DTD generator for Wireshark
hexcalc.lua	1.0.0	unknown	New Tools menu item to convert between hex and decimal
maskmaker.lua	1.1	unknown	An IPv4 Mask Maker Tool.
Netzob	N/A	unknown	You can use the Netzob application's exporter to automatically generate Wireshark Lua-based dissectors for proprietary or undocumented protocols, as Lua plugin scripts. (i.e., it generates the Lua scripts to use in Wireshark)
netspooky/dissectors	N/A	unknown	Apple Bluetooth Protocol dubbed "Continuity" BGB Emulator Link Cable Protocol Postgres Stats Collector Protocol
ouilookup.lua	1.4	unknown	An OUI Lookup Tool.
subnetcalc.lua	1.1	unknown	An IPv4 Subnet Calculator.

Extcap Plugins

Extcap plugin	Profile version	Minimum Wireshark version	Description
extcap_example.rb	16-03-05	2.1.0	A ruby example extcap application
wireshark-fritzbox			Allows running a remote capture from a FRITZ!Box router

Imported from https://wiki.wireshark.org/Contrib on 2020-08-11 23:12:21 UTC