0
votes

I'm writing a Wireshark dissector in Lua. Is there a way to get the network interface the current frame was received on/transmitted from within the dissector?

1 Answer

1
votes

There is a frame field called frame.interface_id, available since Wireshark 1.8.0 according to the Wireshark Display Filter Reference page, which should give you the ID of the interface. The ID seems to match the enumeration given in the results of dumpcap -D (or tshark -D) if you subtract 1 from the enumeration. In other words, both dumpcap and tshark count interfaces starting with 1 in the respective -D outputs, while Wireshark seems to start counting from 0. This inconsistency seems like a bug to me and I would suggest filing a Wireshark bug report against this inconsistent behavior.

EDIT (since it seems impossible to format this in a coherent way using comments):

To access the field, you would use a field extractor, see: https://www.wireshark.org/docs/wsdg_html_chunked/lua_module_Field.html

For example:

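-- "foo" stands in for your own protocol; it must exist before a dissector is attached
local foo = Proto("foo", "Foo Protocol")

-- Field extractors have to be created at load time, outside the dissector function
local fe_interface_id = Field.new("frame.interface_id")

function foo.dissector(buffer, pinfo, tree)
    -- Returns a FieldInfo, or nil if the frame carries no frame.interface_id
    local f_interface_id = fe_interface_id()
    pinfo.cols.info:append(", Interface ID=" .. tostring(f_interface_id))
end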
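
The following is an added example, not part of the original answer: a complete postdissector that reads frame.interface_id, skips frames where the field is absent, and shows both the 0-based ID and the 1-based index that the answer observed in dumpcap -D / tshark -D output. The protocol name "ifacetag" and its field names are hypothetical, and the +1 mapping is the answer's observation rather than documented behaviour.

```lua
-- Added example: tag every frame with the interface it was captured on.
-- "ifacetag" and the ifacetag.* field names are hypothetical.
local ifacetag = Proto("ifacetag", "Capture Interface Tag")

local pf_id    = ProtoField.uint32("ifacetag.id", "Interface ID (0-based, from frame.interface_id)")
local pf_index = ProtoField.uint32("ifacetag.d_index", "Index in dumpcap -D / tshark -D (1-based)")
ifacetag.fields = { pf_id, pf_index }

-- Field extractors must be created at load time, not inside the dissector.
local fe_interface_id = Field.new("frame.interface_id")

function ifacetag.dissector(buffer, pinfo, tree)
    local fi = fe_interface_id()
    if fi == nil then
        -- The field is not present for this frame (for example, the capture
        -- file carries no interface information), so there is nothing to tag.
        return
    end

    local id = fi.value        -- frame.interface_id is an unsigned integer field
    local d_index = id + 1     -- assumption taken from the answer: -D counts from 1

    local subtree = tree:add(ifacetag)
    subtree:add(pf_id, id):set_generated()
    subtree:add(pf_index, d_index):set_generated()

    pinfo.cols.info:append(string.format(", Interface ID=%d (-D index %d)", id, d_index))
end

-- Run after all other dissectors so the frame fields are already populated.
register_postdissector(ifacetag)
```

The -D index is only meaningful on the machine that made the capture, since another host enumerates its own interfaces.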