2

Is there any initial setup that needs to be configured for wireshark to correctly handle a lua script in a Mac OSX environment?

Attempted to port the Lua answer to question "How to find out the HTTP header length of a packet?" https://stackoverflow.com/a/5794357/1217670

Was unable to get the Solution to work on a Mac.

The solution did work fine on a Windows XP platform with Wireshark 1.6.7, Lua 5.1.

Running the http_extra.lua script on a Mac OSX 10.7.3 with Wireshark 1.6.5, Lua 5.1, the [Header Length (bytes): 917] header field does not appear.
I did enter http.hdr_len in the custom HTTP headers field.

Filtering on http.hdr_len displays nothing.

The http_extra.lua script is placed in the /Applications/Wireshark.app/Contents/Resources/lib/wireshark/plugins directory.
Same results if you move the script to the Personal Plugins Folder.

This is the exact script file which is working perfectly on the Windows XP system.

The About Wireshark Plugins tab lists the http_extra.lua as a type lua script.

Testing the script to create an error validates that Wireshark is aware of the script.

I did see a note you need to set LUA_PATH to the global plugins directory. This had no effect.

Appreciate any suggestions.

phil

2 Answers

3

Your personal Wireshark plugins directory on OSX is:

`~/.config/wireshark/plugins`

For older Wireshark versions it may be:

`~/.wireshark/plugins`

In your case, put the Lua script in:

`~/.config/wireshark/plugins/http_extra.lua`

See these posts for more on Lua init paths:

rzelek
  • I just tried this, same result. One thing I just noticed, the field name in the wireshark filter expression box is : http.header.http.hdr_len - http.hdr_len(header length in bytes) ? ? this is wrong? Need to recheck the configurations. – phil Apr 20 '12 at 15:32
  • If the display filter textbox appears red (instead of green), it means there's a syntax error, which includes invalid fields. Verify that the plugin is actually being loaded: Put a print statement at the top of your Lua file, restart Wireshark from the command line, and check the print-out. –  Apr 20 '12 at 16:10
  • This created the filter expression being wrong. "I did enter http.hdr_len in the custom HTTP headers field." Removed the custom http field entry and the incorrect values disappeared. The dissector sets this field header. – phil Apr 21 '12 at 15:15
  • Yes, it was the preference options set incorrectly. They all need to be enabled. And the custom filter must be blank. Your comments had me double checking the configuration closely against the working window configuration. It became obvious I had made a mistake somewhere, since your comments were steps I thought I had taken correctly. – phil Apr 23 '12 at 03:07
  • 2
    In case somebody is looking for this in 2017: Path has changed. Currently, it is `~/.config/wireshark/plugins` – rzelek Jan 25 '17 at 12:48
  • @ArekŻelechowski This comment should be highlighted. – newguy Apr 23 '17 at 14:11
  • @newguy I have edited the original answer. My answer is being peer reviewed now. – rzelek Apr 24 '17 at 10:18
  • The location of the personal plugin folder has changed once again. Currently it is `~/.local/lib/wireshark/plugins`. – PKo Sep 11 '20 at 06:13
2

The Wireshark - Preference - Protocols - HTTP panel must have all four boxes checked for:

  1. Reassemble HTTP headers spanning multiple TCP segments
  2. Reassemble HTTP bodies spanning multiple TCP segments
  3. Reassemble chunked transfer code bodies
  4. Uncompress entity bodies.

The Mac environment now matches the Windows configuration and it yields the same results, showing the [Header Length (bytes): 917].

Same results whether you put the plugin in the global or local plugin directory.

The Mac OS X Lua plugin directory path locations are documented in the About Wireshark panel - Folders tab.

phil
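The checks suggested in the comments and in this answer, as an added diagnostic script (not part of the original posts and not the http_extra.lua from the question). The file name, the `httpenvcheck` protocol name and the four preference keys are assumptions; `get_preference()` exists only in newer Wireshark releases, so the script falls back to a manual reminder on older ones.

```lua
-- check_http_env.lua (hypothetical name): put it in a plugins folder and
-- start Wireshark or tshark from a terminal so the print() output is visible.
print("check_http_env.lua loaded by Wireshark " .. get_version())
print("personal plugins dir: " .. Dir.personal_plugins_path())
print("global plugins dir:   " .. Dir.global_plugins_path())

-- Assumed preference keys behind the four HTTP checkboxes listed in the answer.
local required = {
  { key = "http.desegment_headers", label = "Reassemble HTTP headers spanning multiple TCP segments" },
  { key = "http.desegment_body",    label = "Reassemble HTTP bodies spanning multiple TCP segments" },
  { key = "http.dechunk_body",      label = "Reassemble chunked transfer-coded bodies" },
  { key = "http.decompress_body",   label = "Uncompress entity bodies" },
}

-- Returns one message per preference that is not enabled.
local function check_http_prefs(getter)
  local problems = {}
  for _, pref in ipairs(required) do
    local value = getter(pref.key)
    if value ~= true then
      problems[#problems + 1] =
        string.format("%s (%s) is %s", pref.label, pref.key, tostring(value))
    end
  end
  return problems
end

-- Scripts can be loaded before the user's preferences are read, so the check
-- is deferred to the first dissected packet instead of running at load time.
local checker = Proto("httpenvcheck", "HTTP plugin environment check")
local done = false

function checker.dissector(tvb, pinfo, tree)
  if done then return end
  done = true
  local getter = rawget(_G, "get_preference")
  if type(getter) ~= "function" then
    print("get_preference() unavailable: verify the four HTTP boxes by hand")
    return
  end
  local problems = check_http_prefs(getter)
  if #problems == 0 then
    print("all four HTTP reassembly/decompression preferences are enabled")
  end
  for _, msg in ipairs(problems) do print("NOT ENABLED: " .. msg) end
end

register_postdissector(checker)
```

The script does not inspect the custom HTTP header fields table, which the comments above say must be left blank for `http.hdr_len`.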