2
votes

I have a Wireshark dissector written in Lua and want to test it standalone. I've extracted some generic functionality that does not depend on Wireshark functions (and test these in isolation in my LuaJIT IDE), but now I'm at a point where I need to test the buffer inspection and conversion functions (buffer(1,2):uint() et al.). Is there some way to access the built-in Lua functions (perhaps in the Wireshark test suite) from my LuaJIT interpreter or, alternatively, can I programmatically rerun a script over some PCAP file (using tshark) and programmatically print test results to stdout or a file? Another use case for me would be to manually specify packets and test my dissector functions on them (i.e. having the packets as code instead of having to generate a PCAP file with the packets to test).

How do other people test their Wireshark dissectors?

3 Answers

2
votes

I've been developing a Lua debugger that allows debugging Lua code running in Wireshark "live" (including dissectors). I haven't tested with the latest versions of Wireshark, but don't see why it wouldn't continue working. You can see an example of how this is done here: http://notebook.kulchenko.com/zerobrane/debugging-wireshark-lua-scripts-with-zerobrane-studio.

I don't think there is a way to re-run a script over a PCAP file directly, but you can "replay" the traffic from a capture file using one of the traffic generators (for example, bit-twist) and debug your script in the usual way.

2
votes

If you mean test for debugging, Paul's ZeroBrane Studio is the only one I know of that's easy to get working with Wireshark.

If you mean automated testing (i.e., so it can be repeated for regression, etc.), then what we do in Wireshark itself to test them is run them via a shell script by using tshark with the "-X lua_script:<script>" option, in verbose mode output to a text file, and then verify the output file has what we expect it to have (for example, by using another Lua script that checks the output text file).

If you clone the repo, or browse it online, you can see that in the test/suite-wslua.sh file, which is the Lua API test suite shell script. And the Lua scripts that are tested are in the test/lua directory.
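The tshark-based approach described in the answer above, sketched as an added example (not code from the answer or from Wireshark's test suite): run the capture through tshark with the dissector loaded, save the verbose output, and check it against an expectations file. The file names, the "!" prefix for strings that must not appear, and the use of grep instead of a second Lua script are assumptions of this sketch.

```shell
#!/bin/sh
# Added example: regression-check a Lua dissector via tshark's verbose output.
# Hypothetical inputs: my_dissector.lua, sample.pcap, expected.txt.

# Dissect a capture with the Lua script loaded. -V prints the full protocol
# tree; stderr is merged in so script load errors land in the same file.
dissect() {  # usage: dissect <script.lua> <capture.pcap> <output.txt>
    tshark -r "$2" -X "lua_script:$1" -V > "$3" 2>&1
}

# Compare tshark output with an expectations file, one fixed string per line:
#   plain line  -> must occur somewhere in the output
#   !line       -> must NOT occur (e.g. an error marker)
#   # or blank  -> ignored
# Returns 0 when every expectation holds, 1 otherwise.
check_expected() {  # usage: check_expected <output.txt> <expected.txt>
    fail=0
    while IFS= read -r want || [ -n "$want" ]; do
        case "$want" in
            ''|'#'*) continue ;;
            '!'*)
                if grep -qF -- "${want#\!}" "$1"; then
                    echo "FORBIDDEN text present: ${want#\!}" >&2
                    fail=1
                fi ;;
            *)
                if ! grep -qF -- "$want" "$1"; then
                    echo "MISSING: $want" >&2
                    fail=1
                fi ;;
        esac
    done < "$2"
    return "$fail"
}

# Stand-alone use: ./check.sh my_dissector.lua sample.pcap expected.txt
if [ "$#" -eq 3 ]; then
    out=$(mktemp)
    dissect "$1" "$2" "$out"
    check_expected "$out" "$3" && echo "PASS"
    status=$?
    rm -f "$out"
    exit "$status"
fi
```

Keeping one small capture and one expectations file per protocol feature makes a failing line point directly at the field whose decoding changed.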

1
votes

This question is quite old and answered, but I thought I had something relevant to share. I have been working on Wirebait, which is a tool specifically designed to run your Wireshark dissectors as you write them.

All you have to do is load the module and add a five-line snippet on top of your dissector script. Then if you use an IDE such as Paul Kulchenko's ZeroBrane Studio, Wirebait allows you to literally write and debug your code on the fly, no need for Wireshark. You can even get away without a pcap file if you don't have one. It's still new, but I'm able to use it with UDP dissectors quite reliably.