Wireshark Tips n Tricks



https://gitlab.com/wireshark/wireshark/-/wikis/home The Wireshark wiki

Additional oneliners here: https://github.com/netspooky/notes/blob/main/linux/oneliners.md#tshark-and-wireshark

Install wireshark from source

This is how you do it on Linux at least

git clone https://gitlab.com/wireshark/wireshark.git
cd wireshark
sudo ./tools/debian-setup.sh
mkdir build
cd build
cmake ..
make

Now you can run with:

run/wireshark

Dark Mode

Bootleg QT dark mode on Wireshark >= 3.4.4 on Windows.

"C:\\Program Files\\Wireshark\\Wireshark.exe" -platform windows:darkmode=2

Useful Oneliners

Convert a packet to binary from the command line

tshark -x -r file.pcap -Y "frame.number==[packet#]" | xxd -r > file.bin

tshark find byte patterns

tshark -r some.pcap -Y 'data.data contains "\x12\x34"' -T fields -e data

wireshark get first 500 frames

frame.number < 501

wireshark get frames 450-500

frame.number < 501 and frame.number > 450

tshark just grab some fields (in this case grabbing bgblink.sync1_dv, with the display filter "bgblink.command == 104 and ip.src == 127.0.0.1")

tshark -r gameboy.pcapng -Y "bgblink.command == 104 and ip.src == 127.0.0.1" -T fields -e bgblink.sync1_dv

tshark list all protocols in a given pcap

tshark -r capture.pcap -T fields -e frame.protocols | sort -u

Dissector Notes

https://mika-s.github.io/wireshark/lua/dissector/2017/11/04/creating-a-wireshark-dissector-in-lua-1.html

https://www.wireshark.org/docs/wsdg_html_chunked/wslua_tap_example.html

This is really useful for reference

11.6. Functions For New Protocols And Dissectors

Calling another dissector

https://www.wireshark.org/docs/wsdg_html_chunked/lua_module_Proto.html

The buf(offset):tvb() argument is important: offset is where in the current buffer the other dissector's data starts, and :tvb() converts the TvbRange (userdata) into a Tvb that the called dissector accepts.

function proto_lap5.dissector(buf, pinfo, tree)
    if buf:len() > HEADER_LEN then
        -- create a new buffer containing only the XLES data,
        -- and pass it to the XLES dissector
        Dissector.get("xles"):call(buf(HEADER_LEN):tvb(), pinfo, tree)
    end
end

Dealing with UTF16 strings

This is actually a really sick way to do this. It goes by the null-terminated string.

msg_f = ProtoField.string("mydissector.msg", "msg")
local getMsg = buffer(13)          -- TvbRange starting on byte 13 of the dissector's Tvb (buffer)
local msg = getMsg:le_ustring()    -- decode the range as UTF-16 little-endian
subtree:add(msg_f, getMsg, msg)    -- add the decoded text to the tree, highlighting the range
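The two snippets above (calling another dissector through buf(offset):tvb(), and decoding a UTF-16LE string from a TvbRange) are easiest to see together in one complete dissector. The following is an added example, not code from the original notes or from Wireshark: it assumes a hypothetical "demo" protocol on UDP port 9999 with a made-up 4-byte header (version, payload type, little-endian name length) followed by a UTF-16LE name and then a payload that is handed to either the built-in "dns" or "data" dissector.

```lua
-- Added example (not part of the original notes). Hypothetical "demo" protocol:
--   byte 0      version
--   byte 1      payload type (1 = DNS payload, anything else = raw data)
--   bytes 2-3   little-endian byte length of the UTF-16LE name that follows
--   then        the name, then the payload
local demo_proto = Proto("demo", "Demo Protocol (example)")

local f_version = ProtoField.uint8("demo.version", "Version", base.DEC)
local f_type    = ProtoField.uint8("demo.type", "Payload Type", base.DEC)
local f_namelen = ProtoField.uint16("demo.namelen", "Name Length", base.DEC)
local f_name    = ProtoField.string("demo.name", "Name")

demo_proto.fields = { f_version, f_type, f_namelen, f_name }

local HEADER_LEN = 4

function demo_proto.dissector(buf, pinfo, tree)
    -- Reject anything too short for the header; returning 0 tells Wireshark
    -- this packet was not consumed by us.
    if buf:len() < HEADER_LEN then return 0 end
    pinfo.cols.protocol = "DEMO"

    local subtree = tree:add(demo_proto, buf(), "Demo Protocol")
    subtree:add(f_version, buf(0, 1))
    subtree:add(f_type, buf(1, 1))
    subtree:add_le(f_namelen, buf(2, 2))

    local ptype   = buf(1, 1):uint()
    local namelen = buf(2, 2):le_uint()   -- byte length of the UTF-16LE name
    if buf:len() < HEADER_LEN + namelen then return 0 end

    -- UTF-16LE name: take a range of exactly namelen bytes and decode it.
    -- le_ustring() decodes the whole range; if the field carries its own
    -- zero terminator, le_ustringz() is the zero-terminated variant.
    local name_range = buf(HEADER_LEN, namelen)
    local name = name_range:le_ustring()
    subtree:add(f_name, name_range, name)

    -- Hand the remaining bytes to another dissector. buf(offset):tvb() turns
    -- the TvbRange into a new Tvb whose offset 0 is the start of the payload,
    -- so the called dissector does not need to know about our header.
    local payload_off = HEADER_LEN + namelen
    if buf:len() > payload_off then
        local payload = buf(payload_off):tvb()
        if ptype == 1 then
            Dissector.get("dns"):call(payload, pinfo, tree)
        else
            Dissector.get("data"):call(payload, pinfo, tree)
        end
    end
    return buf:len()
end

-- Register on the assumed UDP port so Wireshark invokes the dissector itself.
DissectorTable.get("udp.port"):add(9999, demo_proto)
```

Drop the file into the personal Lua plugins directory (Help > About Wireshark > Folders shows the path) and reload Lua plugins; the length checks before buf(HEADER_LEN, namelen) matter because a TvbRange past the end of the buffer raises a Lua error and the packet shows up malformed.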

Capturing Bluetooth with Wireshark

Tested on Ubuntu 22.04