Lua + Wireshark for traffic trace processing

While at CAIDA the preference is to use CoralReef for processing of traffic traces, sometimes CoralReef can't be used for a job. So I started looking around and found Wireshark + Lua as an alternative. The specific case of traffic trace processing I'm describing here is generating some statistics on wireless traffic similar to crl_stats. My goal is to have some annotations for importing CRAWDAD pcap traces into DatCat, the Internet Measurement Data Catalog we're building.

Getting stuff to work

The Wireshark Wiki has an overview of what needs to be done to get Wireshark and Lua playing nicely together: http://wiki.wireshark.org/Lua. I found the standard build of Wireshark on the FreeBSD machines I've been using doesn't include Lua support, so I built both Lua and Wireshark locally. The only catch there, if you don't want to do a make install on your Lua build is to do a make local after building, so you can point the Wireshark configure at your Lua build dir (./configure --with-lua=<lua-build-dir>).

Wireshark Lua interface

While documentation is a little sparse, the examples in the Wireshark Wiki are a good start.

End result

The trace_stats.lua script is the result of my first ventures into Wireshark + Lua. There is probably more efficient ways to do things, but this gets the job done (please let me know if you are a more experienced with wireshark and/or lua and see where I could improve this). A typical command line for use of this Lua script with tshark (the command line interface for Wireshark) would be something like:


tshark -q -zio,phs -Xlua_script:trace_stats.lua -r <trace.pcap>

The output should look something like:


===================================================================
Protocol Hierarchy Statistics
Filter: frame

frame                                    frames:473318 bytes:78330831
  wlancap                                frames:473318 bytes:78330831
    wlan                                 frames:473318 bytes:78330831
      wlan_mgt                           frames:349680 bytes:48571658
      llc                                frames:31864 bytes:17492505
        ip                               frames:31091 bytes:17383950
          udp                            frames:3709 bytes:1299745
            short                        frames:3495 bytes:1241812
            isakmp                       frames:140 bytes:42252
              short                      frames:139 bytes:42128
              malformed                  frames:1 bytes:124
            malformed                    frames:26 bytes:3539
            enip                         frames:36 bytes:9802
              short                      frames:36 bytes:9802
            edonkey                      frames:12 bytes:2340
          short                          frames:5195 bytes:3014835
          tcp                            frames:22150 bytes:13064352
          igmp                           frames:37 bytes:5018
            short                        frames:37 bytes:5018
        short                            frames:361 bytes:51389
        wlccp                            frames:39 bytes:5196
          short                          frames:39 bytes:5196
        netbios                          frames:9 bytes:2466
          short                          frames:9 bytes:2466
      malformed                          frames:33 bytes:2904
      data                               frames:33 bytes:5018
===================================================================
=== extra stats ===================================================
start_time: 1110513904.4937
end_time: 1110515186.3749
ipv4_src_address_count: 258
ipv4_dst_address_count: 261
ipv4_tcp_src_port_count: 579
ipv4_tcp_dst_port_count: 419
ipv4_udp_src_port_count: 248
ipv4_udp_dst_port_count: 238
ipv4_icmp_type_code_count: 0
===================================================================