packet-analyzer is a simple Wireshark frame dissector plugin written in Lua, which provides easily cross platform dissection for viewing customized protocols. The main reason for using the plugin is the need to read custom payloads, which have no official known protocol.
For more information about Lua dissectors: https://wiki.wireshark.org/Lua
-
To dissect packets place both sub_protocol.lua, fields-properties.lua in the Wireshark plugins directory (may need to be created).
The standard user path on Windows install
%APPDATA%\Wireshark\plugins\On a linux install use:
//usr/share/wireshark/pluginsOn a macOs install use:
/Users/usr/.config/wireshark/plugins -
Set the custom protocol properties in 'fields-properties' file
-
Open Wireshark, or load Lua plugins while Wireshark is open with command/ctrl+shift+l
The attached/create-topics Kafka capture, contains TCP frames assign to a Kafka broker. The new sub-protocol, parse kafka messages of type 19 (create-topic)
-- wireshark_filter: filter parameter from Wireshark
-- https://www.wireshark.org/docs/man-pages/wireshark-filter.html
wireshark_filter = "kafka.api_key"
-- filter_value: currently, only '==' is supported
filter_value = 19
The fields fetched in the example are: API Key, Client ID, Topic Name, Number of partitions, Replication factor
fields={
-- {start,number of bytes,type: HEX/DEC/ASCII,field label},
{66,2,"DEC","API Key"},
{75,6,"ASCII","Client ID"},
{86,11,"ASCII","Topic Name"},
{95,4,"DEC","Number of partitions"},
{99,2,"DEC","Replication factor"},
}
Wireshark already has a Kafka dissector script, so the result can be compared and checked.
On Wireshark, when API Key is 19, the frame contains a new tree:
