{"id":13774674,"url":"https://github.com/markopaul0/wirebait","last_synced_at":"2025-05-11T06:33:33.878Z","repository":{"id":215839776,"uuid":"109505547","full_name":"MarkoPaul0/WireBait","owner":"MarkoPaul0","description":"Run and test your Lua Wireshark dissector without Wireshark or capture data.","archived":false,"fork":false,"pushed_at":"2021-02-24T01:14:37.000Z","size":484,"stargazers_count":56,"open_issues_count":5,"forks_count":15,"subscribers_count":4,"default_branch":"master","last_synced_at":"2024-11-25T02:32:15.669Z","etag":null,"topics":["dissector","lua","lua-library","pcap","test","wireshark","wireshark-dissector"],"latest_commit_sha":null,"homepage":"","language":"Lua","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"other","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/MarkoPaul0.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":"CONTRIBUTING.md","funding":null,"license":"LICENSE.txt","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null}},"created_at":"2017-11-04T15:17:41.000Z","updated_at":"2024-11-22T07:36:29.000Z","dependencies_parsed_at":"2024-01-15T03:41:48.378Z","dependency_job_id":null,"html_url":"https://github.com/MarkoPaul0/WireBait","commit_stats":null,"previous_names":["markopaul0/wirebait"],"tags_count":5,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/MarkoPaul0%2FWireBait","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/MarkoPaul0%2FWireBait/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/MarkoPaul0%2FWireBait/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/MarkoPaul0%2FWireBait/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/MarkoPaul0","download_url":"https://codeload.github.com/MarkoPaul0/WireBait/tar.gz/refs/heads/master","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":253528415,"owners_count":21922623,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["dissector","lua","lua-library","pcap","test","wireshark","wireshark-dissector"],"created_at":"2024-08-03T17:01:29.194Z","updated_at":"2025-05-11T06:33:33.438Z","avatar_url":"https://github.com/MarkoPaul0.png","language":"Lua","funding_links":[],"categories":["\u003ca id=\"6fa0e0d1f898fba299b2566a33602841\"\u003e\u003c/a\u003eWireshark"],"sub_categories":[],"readme":"# WireBait\n\n![Author](https://img.shields.io/badge/author-MarkoPaul0-red.svg?style=flat-square)\n[![License: GPL v2](https://img.shields.io/badge/License-GPL%20v2-blue.svg?style=flat-square)](https://www.gnu.org/licenses/old-licenses/gpl-2.0.en.html)\n![GitHub last commit](https://img.shields.io/github/last-commit/MarkoPaul0/WireBait.svg?style=flat-square\u0026maxAge=300)\n![GitHub (pre-)release](https://img.shields.io/github/release/MarkoPaul0/WireBait/all.svg?style=flat-square)\n![GitHub (pre-)release](https://img.shields.io/github/commits-since/MarkoPaul0/WireBait/latest.svg?style=flat-square)\n![Travis CI](https://travis-ci.com/MarkoPaul0/WireBait.svg?branch=master)\n\u003c!--\n![GitHub release](https://img.shields.io/github/release/MarkoPaul0/WireBait/all.svg?style=flat-square)\n--\u003e\n\n## **UPDATE: this repo is no longer supported. The concept is interesting, but bringing it to life would take time I don't want to allocate.** I'll leave this repo outthere for people to experiment.\n\nLua library to facilitate the development of [Wireshark](https://www.wireshark.org/) dissectors by enabling users to run them against packet data without Wireshark. The packet data can come from a hexadecimal string or a *.pcap* file.\nThe goal here is to provide a tool reducing development time when creating a new dissector.\n\n**The following is an example of output produced when running your dissector with WireBait as a \"standalone\" script.**\n  ```\n------------------------------------------------------------------------------------------------------------------------------[[\nNo.         | Time                | Source            | Destination       | Protocol  | Length    | Info          \n1           | 02:02:47.146635     | 192.168.0.1       | 255.255.255.255   | Demo      | 173       | 59121 → 7437  Len=32 \n\n 0E 07 DE 02 22 FC 03 19   75 5A 7F FF FF FF FF FF  |  Demo Protocol\n FF 00 00 00 00 00 00 00   00 00 00 00 00 00 00 00  |  └─ Unsigned integers:\n                                                     |     └─ 8-bit uint: 14\n                                                     |     └─ 16-bit uint: 2014\n                                                     |     └─ 24-bit uint: 140028\n                                                     |     └─ 32-bit uint: 52000090\n                                                     |     └─ 64-bit uint: 9223372036854775807\n]]------------------------------------------------------------------------------------------------------------------------------\n  ```\n\n## Content\n[What does it do?](#what_does_it_do)\u003cbr/\u003e\n[Requirements](#requirements)\u003cbr/\u003e\n[Quick start](#quick_start)\u003cbr/\u003e\n[Examples](#examples)\u003cbr/\u003e\n[State of the project](#status)\u003cbr/\u003e\n[What's next and how to contribute?](#whats_next)\u003cbr/\u003e\n[Licensing](#licensing)\u003cbr/\u003e\n\n\n\u003ca name=\"what_does_it_do\"/\u003e\n\n## What does it do?\nIt simply exposes the [Wireshark Lua API](https://www.wireshark.org/docs/wsdg_html_chunked/wsluarm_modules.html) ([or here](https://wiki.wireshark.org/LuaAPI)) and attempts to reproduce its behavior. As a result, your script becomes \"self sufficient\" and you can execute it directly and without Wireshark. If you provide it with some data, it will print a text version of the dissection tree along with the payload in hexadecimal format. **Now you can make changes to your dissector and see the effects immediately without leaving your Lua IDE!**\n\n\u003ca name=\"requirements\"/\u003e\n\n## Requirements\n* You have a Lua interpreter 5.2 or above \n* You have a dissector and data to test it (hex string or pcap file)\n* You have a Lua debugger (I like [ZeroBrane Studio](https://studio.zerobrane.com/)) [only a requirement for step by step debugging]\n  \nNote that WireBait does not interact at all with Wireshark.\n\n\u003ca name=\"quick_start\"/\u003e\n\n## Quick start\nGetting started takes less than a minute:\n  1. Make sure your Lua interpreter is 5.2 (in **Zerobrane Studio** go to **Project \u003e Lua Interpreter** and select **Lua 5.2**)\n  2. Add the **wirebaitlib/** directory to your Lua path\n  3. Add the following snippet of code on top of the dissector you want to run/debug:\n```lua\nif disable_lua == nil and enable_lua == nil and not _WIREBAIT_ON_ then\n  local wirebait = require(\"wirebaitlib\");\n  local dissector_tester = wirebait.new({only_show_dissected_packets=true});\n  dissector_tester:dissectHexData(\"72ABE636AFC86572\") -- To dissect hex data from a string (no pcap needed) \n  dissector_tester:dissectPcap(\"path_to_your_pcap_file.pcap\") -- To dissect packets from a pcap file\n  return\nend\n```\n  4. Edit the code snippet and decide if your dissector should read *hexadecimal data* **and/or** a *pcap file* of your choice. Note that you can add this snippet in a file other than your dissector file. In this case you'll have to add an additional argument in the constructor of the dissector tester, specifying the path to your dissector file, just like so:\n  ```lua\n  local dissector_tester = wirebait.new({dissector_filepath=\"path_to_your_dissector.lua\", only_show_dissected_packets=true});\n  ```\n  5. Execute your dissector script. Enjoy :smiley: **And please, feel free to give me feedback!**\n  \n \u003ca name=\"examples\"/\u003e\n \n ## Example 1 Dissecting data from a hexadecimal string\n  If you run the example dissector script **[demo_dissector.lua](example/demo_dissector.lua)**, which dissects the data provided as an hexadecimal string, you should get the following output:\n  ```\n------------------------------------------------------------------------------------------------------------------------------[[\nDissecting hexadecimal data (no pcap provided)\n\n 0E 07 DE 02 22 FC 03 19   75 5A 7F FF FF FF FF FF  |  Demo Protocol\n FF FF F2 F8 22 FD DD 04   FC E6 8A A6 80 00 00 00  |  └─ Unsigned integers:\n 00 00 00 01 57 69 72 65   62 61 69 74 00 62 79 20  |     └─ 8-bit uint: 14\n 4D 61 72 6B 6F 50 61 75   6C 30 00 00 AA BB CC 11  |     └─ 16-bit uint: 2014\n 22 33 C0 A8 0E 1C AB CD   EF 12 34 56 78 90 AB CD  |     └─ 24-bit uint: 140028\n EF 12 34 56 78 90 00 00   00 00 00 00 00 00 00 00  |     └─ 32-bit uint: 52000090\n 00 00 00 00 00 00 00 00   00 00 00 00 00 00 00 00  |     └─ 64-bit uint: 9223372036854775807\n 00 00 00 00 00 00 00 00   00 00 00 00 00 00 00 00  |  └─ Signed integers:\n 00 00 00 00 00 00 00 00   00 00 00 00 00 00 00 00  |     └─ 8-bit int: -14\n 00 00 00 00 00 00 00 00   00 00 00 00 00 00 00 00  |     └─ 16-bit int: -2014\n 00 00 00 00 00 00 00 00   00 00 00 00 00           |     └─ 24-bit int: -140028\n                                                     |     └─ 32-bit int: -52000090\n                                                     |     └─ 64-bit int: -9223372036854775807\n                                                     |  └─ Strings:\n                                                     |     └─ String: Wirebait\n                                                     |     └─ Stringz: Wirebait\n                                                     |  └─ Other types:\n                                                     |     └─ bytes: aabbcc112233c0a80e1cabcdef1234567890abcdef1234567890...\n                                                     |     └─ ethernet: aa:bb:cc:11:22:33\n                                                     |     └─ IPv4: 192.168.14.28\n                                                     |     └─ GUID: abcdef12-3456-7890-abcd-ef1234567890\n]]------------------------------------------------------------------------------------------------------------------------------\n  ```\n**In wireshark the same dissection would look like this:**\n\n![](example/screenshots/demo_in_wireshark.png)\n\n**Something to note is that the hex string only contains the UDP (or TCP) payload**, i.e. only the data to be dissected. No need to worry about making up ethernet, IP, or TCP/UDP headers.\n\n ## Example 2 Dissecting data from a *.pcap* file\n  If you run the example dissector script **[demo_dissector2.lua](example/demo_dissector2.lua)**, which dissects the same data as in the first example but provided by the **[demo.pcap](example/captures/demo.pcap)** file, you should get the same dissection output. One difference is that you will also get packet information that is provided by ethernet, IP, and TCP/UDP headers:\n ```\n------------------------------------------------------------------------------------------------------------------------------[[\nNo.         | Time                | Source            | Destination       | Protocol  | Length    | Info          \n1           | 02:02:47.146635     | 192.168.0.1       | 255.255.255.255   | Demo      | 173       | 59121 → 7437  Len=173 \n\n 0E 07 DE 02 22 FC 03 19   75 5A 7F FF FF FF FF FF  |  Demo Protocol\n FF FF F2 F8 22 FD DD 04   FC E6 8A A6 80 00 00 00  |  └─ Unsigned integers:\n .......\u003ctrimmed output, same as example 1\u003e\n ```\n\n\u003ca name=\"status\"/\u003e\n\n## State of the project\nA few notes about the current state of the project:\n  * TCP reassembly is not supported\n  * Only \"*.pcap*\" files are supported\n  * Pcap files must be written in native byte order\n  \nFor more information you can check what I'm up to in the [Project section](https://github.com/MarkoPaul0/WireBait/projects/1).\n  \n\u003ca name=\"whats_next\"/\u003e\n\n## What's next and how to contribute?\nRight now I would like to collect feedback from Wireshark users. People who already have Lua dissectors can really help by running their dissectors using Wirebait. I would really appreciate any form of feedback about this tool.\n\nI think - *without having collected feedback yet* - the next logical step is to **expand Wirebait to enable users to unit test their dissectors**. The clear cut specifications of protocol definitions are in my opinion a school book example of when unit test driven development makes sense. With unit tests, any protocol or dissector update can be tackled quicly while reducing the risk of introducing new bugs.\n\n\u003ca name=\"licensing\"/\u003e\n\n## Licensing \nWireBait for Wireshark is a lua package to help create Wireshark Dissectors\nCopyright (C) 2015-2017 Markus Leballeux\n\nThis program is free software; you can redistribute it and/or modify\nit under the terms of the GNU General Public License as published by\nthe Free Software Foundation; either version 2 of the License, or\n(at your option) any later version.\n\nThis program is distributed in the hope that it will be useful,\nbut WITHOUT ANY WARRANTY; without even the implied warranty of\nMERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the\nGNU General Public License for more details.\n\nYou should have received a copy of the GNU General Public License along\nwith this program; if not, write to the Free Software Foundation, Inc.,\n51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.\n**(Checkout the full [license](LICENSE.txt))**\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fmarkopaul0%2Fwirebait","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fmarkopaul0%2Fwirebait","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fmarkopaul0%2Fwirebait/lists"}