In December 2020 I provided online Wireshark training to one of our NVISO clients. During the second day, when we cover the development of custom dissectors written in Lua, a question about CSV data came up. When the data exchanged over TCP, for example, has the CSV format (fields separated by a separator), how can I write a dissector for that?
While answering the question, I realized that this is a case that could be solved with a generic dissector. And the same night, I developed the first version.
Say you have a packet capture with a TCP connection. And the data exchanged over TCP consists of different fields, separated by a separator character.
Like this example:
Because Wireshark does not recognize the protocol used in this TCP connection, the content is just displayed as data.
With the Lua dissector csv-dissector.lua, the data is dissected into different fields:
The separator character (pipe character | in this example) is something that can be configured:
Other changes can be made, but these have to be made in the code of the dissector itself: changing the port, changing the number of fields, and changing the name of the fields.
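To show how such a generic dissector can be put together, here is a minimal sketch added for illustration; it is not the code of csv-dissector.lua. The protocol name `csvsketch`, port 1234, the four field names and the one-record-per-TCP-segment assumption are all hypothetical.

```lua
-- Added sketch, NOT the author's csv-dissector.lua.
-- Assumed: port 1234, four columns named field1..field4, one record per TCP segment.
local PORT = 1234
local NAMES = { "field1", "field2", "field3", "field4" }

local csv = Proto("csvsketch", "CSV sketch")

-- One string ProtoField per expected column, plus a catch-all for surplus columns.
local fields = {}
for i, name in ipairs(NAMES) do
    fields[i] = ProtoField.string("csvsketch." .. name, name)
end
local extra = ProtoField.string("csvsketch.extra", "unexpected extra field")
fields[#NAMES + 1] = extra
csv.fields = fields

-- Separator is a protocol preference, so it can be changed without editing the code.
csv.prefs.separator = Pref.string("Separator", "|", "String that separates the fields")

function csv.dissector(tvb, pinfo, tree)
    if tvb:len() == 0 then return 0 end
    pinfo.cols.protocol = "CSV"
    local subtree = tree:add(csv, tvb(), "CSV data")
    local sep = csv.prefs.separator
    if sep == nil or sep == "" then sep = "|" end    -- never search for an empty separator
    -- Drop a trailing CR/LF so it does not end up inside the last column.
    local data = (tvb:raw():gsub("[\r\n]+$", ""))
    local start, index = 1, 1
    while true do
        local stop = data:find(sep, start, true)     -- plain find: separator is not a Lua pattern
        local flen = (stop or #data + 1) - start
        local field = fields[index] or extra
        if flen > 0 then
            subtree:add(field, tvb(start - 1, flen)) -- highlight the bytes of this column
        else
            subtree:add(field, "")                   -- empty column, no bytes to highlight
        end
        if not stop then break end
        start, index = stop + #sep, index + 1
    end
    if index < #NAMES then                           -- flag short records for the analyst
        subtree:append_text(" [only " .. index .. " of " .. #NAMES .. " fields present]")
    end
    return tvb:len()
end

DissectorTable.get("tcp.port"):add(PORT, csv)
```

Records with more columns than expected show up under the catch-all field instead of being dropped, which makes malformed or unexpected traffic on the port easy to spot in the packet details.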