Source: https://github.com/MISP/misp-wireshark (Lua). Homepage: https://misp.github.io/misp-wireshark/. Topics: dfir, misp, misp-format, network-forensic, threat-intelligence, wireshark, wireshark-plugin.

# misp-wireshark

`misp-wireshark` is a Lua plugin that helps analysts extract data from Wireshark and convert it into the [MISP Core format](https://www.misp-project.org/datamodels/).

[![](https://raw.githubusercontent.com/MISP/misp-wireshark/main/doc/pictures/misp-wireshark.png)](https://youtu.be/B7xs5SwhlTA)

## Usage

### Wireshark

1. Go to `Tools` in Wireshark's top bar and click `MISP: Export to MISP format`
2. Set the export options that configure the exporter's behaviour
    - ![Plugin options](doc/pictures/options.png)
    - `Main filter`: Fill in this field to restrict the exported data. It is essentially a copy/paste of the display filter from the main interface, which the plugin cannot read automatically (see [this comment in the source](https://github.com/MISP/misp-wireshark/blob/89578d5c0eac9a23dc6f60afe223996ee0e50e32/misp-wireshark.lua#L70))
    - `Include HTTP payload`: Whether payloads sent over HTTP should be included in the output as files
    - `Export path`: The location where the exported file is saved when clicking `Save to file`
    - `Tags`: Optional tags to attach to some of the exported MISP attributes
3. Copy the output, or save it to a file, for import into MISP
    - ![Plugin output](doc/pictures/output.png)
4. Import it into MISP
    - ![MISP result](doc/pictures/misp.png)

### Tshark
The command-line options mirror the parameters of the user interface:
- `filters`: The display filter expression to apply
- `include_payload`: Whether HTTP payloads should also be exported. Accepts `y` or `n`
- `export_path`: The folder in which the JSON is saved. If not supplied, the output goes to stdout
- `tags`: Optional tags to attach to some MISP attributes


**Example**

```bash
tshark \
    -r ~/Downloads/capture.cap \
    -X lua_script:/home/john/.local/lib/wireshark/plugins/misp-wireshark/misp-wireshark.lua \
    -X lua_script1:filters="ip.addr == 127.0.0.1" \
    -X lua_script1:include_payload=n \
    -X lua_script1:tags="tlp1,tlp2" \
    frame.number == 0
```
*Note: since no export path is supplied, the result is printed to stdout. To avoid mixing the plugin's output with tshark's own packet output, a display filter that matches no packet is passed to tshark; that filter is not used by the plugin, which only honours the one given via `-X lua_script1:filters`. In the example above, `frame.number == 0` therefore only suppresses tshark's output, while `ip.addr == 127.0.0.1` is the filter the plugin actually applies.*

## Installation

On Linux, clone the repository into Wireshark's personal plugin folder:

```bash
mkdir -p ~/.local/lib/wireshark/plugins
cd ~/.local/lib/wireshark/plugins
git clone https://github.com/MISP/misp-wireshark
cd misp-wireshark/
git submodule update --init --recursive
```

## Updates

```bash
git pull
git submodule update
```


## Notes about `community-id`
:warning: Wireshark 3.3.1 or higher is required for this plugin to use [community-id](https://github.com/corelight/community-id-spec).

`community-id` is disabled by default. To enable it:
1. On the top bar go to `Analyze/Enabled Protocols...`
2. Search for `CommunityID` in the list
3. Tick the checkbox


## Exports supported in MISP object format

- [`network-connection`](https://www.misp-project.org/objects.html#_network_connection) from tcp
- [`http-request`](https://www.misp-project.org/objects.html#_http_request) from tcp.http, including HTTP payloads
- [`dns-record`](https://www.misp-project.org/objects.html#_dns_record) from udp.dns
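The three objects listed above can also be produced outside Wireshark from `tshark -T fields` output. The Python script below is an added example and is not the plugin's or the MISP project's own code: it builds `network-connection`, `http-request` and `dns-record` objects in MISP Core format from a constructed set of tshark field lines, and computes the Community ID flow hash of the corelight/community-id-spec so that packets seen in both directions collapse into a single connection object. It goes beyond the plugin in one respect: UDP flows get a `network-connection` as well as TCP ones. The `object_relation` names and attribute types follow the public MISP object templates and should be checked against the templates installed in the target MISP instance; tags are attached at event level, a simplification of the plugin's per-attribute tagging.

```python
"""Build MISP Core-format objects from tshark '-T fields' output.

Added example, not code from the misp-wireshark plugin. Input lines are in the
shape produced by (one packet per line, empty fields left empty):
  tshark -r capture.pcap -T fields -E separator=/t -e frame.time_epoch -e ip.src \
    -e ip.dst -e ip.proto -e tcp.srcport -e tcp.dstport -e udp.srcport -e udp.dstport \
    -e dns.flags.response -e dns.qry.name -e dns.a -e http.host \
    -e http.request.method -e http.request.uri
"""
import base64
import hashlib
import ipaddress
import json
import uuid
from datetime import datetime, timezone

FIELDS = ["time", "ip_src", "ip_dst", "proto", "tcp_sport", "tcp_dport",
          "udp_sport", "udp_dport", "dns_resp", "dns_qry", "dns_a",
          "http_host", "http_method", "http_uri"]

# Constructed sample packets (RFC 5737 addresses): a DNS lookup of example.com
# and an HTTP GET to the first answer, each flow seen in both directions.
SAMPLE_LINES = ["\t".join(cols) for cols in [
    ["1700000000.100", "192.0.2.10", "192.0.2.1", "17", "", "", "51234", "53", "0", "example.com", "", "", "", ""],
    ["1700000000.120", "192.0.2.1", "192.0.2.10", "17", "", "", "53", "51234", "1", "example.com", "198.51.100.7,198.51.100.8", "", "", ""],
    ["1700000000.200", "192.0.2.10", "198.51.100.7", "6", "40000", "80", "", "", "", "", "", "", "", ""],
    ["1700000000.230", "192.0.2.10", "198.51.100.7", "6", "40000", "80", "", "", "", "", "", "example.com", "GET", "/index.html"],
    ["1700000000.260", "198.51.100.7", "192.0.2.10", "6", "80", "40000", "", "", "", "", "", "", "", ""],
]]


def community_id(saddr, daddr, proto, sport, dport, seed=0):
    """Community ID v1 of a TCP/UDP flow: SHA-1 over the canonically ordered
    5-tuple, base64-encoded and prefixed with the version ("1:")."""
    src, dst = ipaddress.ip_address(saddr), ipaddress.ip_address(daddr)
    # Canonical order: the smaller (address, port) pair goes first, so both
    # directions of the same flow hash to the same value.
    if (dst.packed, dport) < (src.packed, sport):
        src, dst, sport, dport = dst, src, dport, sport
    data = (seed.to_bytes(2, "big") + src.packed + dst.packed
            + bytes([proto, 0])                       # protocol number + padding byte
            + sport.to_bytes(2, "big") + dport.to_bytes(2, "big"))
    return "1:" + base64.b64encode(hashlib.sha1(data).digest()).decode("ascii")


def parse_lines(lines):
    """Map each tab-separated tshark line onto FIELDS (missing columns become '')."""
    records = []
    for line in lines:
        cols = line.rstrip("\n").split("\t")
        cols += [""] * (len(FIELDS) - len(cols))
        records.append(dict(zip(FIELDS, cols)))
    return records


def misp_object(name, attrs):
    """One MISP object from (object_relation, type, value) triples; empty values are dropped."""
    return {"name": name, "meta-category": "network", "uuid": str(uuid.uuid4()),
            "Attribute": [{"object_relation": r, "type": t, "value": v}
                          for r, t, v in attrs if v]}


def build_event(lines, info="tshark export", tags=()):
    """Return a MISP Core-format event dict with one network-connection per flow."""
    flows, objects = {}, []
    for rec in parse_lines(lines):
        proto = int(rec["proto"] or 0)
        sport = rec["tcp_sport"] if proto == 6 else rec["udp_sport"]
        dport = rec["tcp_dport"] if proto == 6 else rec["udp_dport"]
        if proto not in (6, 17) or not sport or not dport:
            continue                                  # only TCP/UDP flows are exported
        sport, dport = int(sport), int(dport)
        cid = community_id(rec["ip_src"], rec["ip_dst"], proto, sport, dport)
        if cid not in flows:                          # first packet seen defines src/dst
            seen = datetime.fromtimestamp(float(rec["time"]), timezone.utc).isoformat()
            flows[cid] = misp_object("network-connection", [
                ("ip-src", "ip-src", rec["ip_src"]), ("ip-dst", "ip-dst", rec["ip_dst"]),
                ("src-port", "port", str(sport)), ("dst-port", "port", str(dport)),
                ("layer4-protocol", "text", "TCP" if proto == 6 else "UDP"),
                ("community-id", "community-id", cid),
                ("first-packet-seen", "datetime", seen)])
        if rec["http_method"]:
            objects.append(misp_object("http-request", [
                ("ip-src", "ip-src", rec["ip_src"]), ("ip-dst", "ip-dst", rec["ip_dst"]),
                ("host", "hostname", rec["http_host"]),
                ("method", "http-method", rec["http_method"]),
                ("uri", "uri", rec["http_uri"])]))
        if rec["dns_resp"] == "1" and rec["dns_qry"]:
            answers = [a for a in rec["dns_a"].split(",") if a]   # tshark joins multi-valued fields with ","
            objects.append(misp_object("dns-record",
                [("queried-domain", "domain", rec["dns_qry"])]
                + [("a-record", "ip-dst", a) for a in answers]))
    return {"Event": {"info": info, "uuid": str(uuid.uuid4()), "distribution": "0",
                      "Tag": [{"name": t} for t in tags],
                      "Object": list(flows.values()) + objects}}


def count_objects(event):
    """Histogram of object names, useful for sanity-checking an export before import."""
    counts = {}
    for obj in event["Event"]["Object"]:
        counts[obj["name"]] = counts.get(obj["name"], 0) + 1
    return counts


if __name__ == "__main__":
    print(json.dumps(build_event(SAMPLE_LINES, tags=["tlp:amber"]), indent=2))
```

Run stand-alone it prints the event JSON for the five constructed packets: two `network-connection` objects (the DNS query and its response fold into one flow, the three HTTP packets into another), one `http-request` and one `dns-record` with two `a-record` attributes. The community-id-spec repository publishes test vectors; compare `community_id()` against them before relying on the hash to correlate with Zeek or Suricata output.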