11.9. Saving Capture Files

11.9. Saving Capture Files
Prev	Chapter 11. Wireshark’s Lua API Reference Manual	Next

The classes/functions defined in this module are for using a Dumper object to make Wireshark save a capture file to disk. Dumper represents Wireshark’s built-in file format writers (see the wtap_name_to_file_type_subtype function).

(The wtap_filetypes table is deprecated, and should only be used in code that must run on Wireshark 3.4.3 and earlier 3.4 releases or in Wireshark 3.2.11 and earlier 3.2.x releases.)

To have a Lua script create its own file format writer, see the chapter titled "Custom file format reading/writing".

11.9.1. Dumper

11.9.1.1. Dumper.new(filename, [filetype], [encap])

Creates a file to write packets. Dumper:new_for_current() will probably be a better choice, especially for file types other than pcapng.

Arguments

filename: The name of the capture file to be created.

filetype (optional): The type of the file to be created - a number returned by wtap_name_to_file_type_subtype(). Defaults to pcapng. (The wtap_filetypes table is deprecated, and should only be used in code that must run on Wireshark 3.4.3 and earlier 3.4.x releases or in Wireshark 3.2.11 and earlier 3.2.x releases.)

encap (optional): The encapsulation to be used in the file to be created - a number entry from the wtap_encaps table. Defaults to per-packet encapsulation for pcapng (which doesn’t have file-level encapsulation; this will create IDBs on demand as necessary) and Ethernet encapsulation for other file types.

Returns

The newly created Dumper object

11.9.1.2. dumper:close()

Closes a dumper.

Errors

Cannot operate on a closed dumper

11.9.1.3. dumper:flush()

Writes all unsaved data of a dumper to the disk.

11.9.1.4. dumper:dump(timestamp, pseudoheader, bytearray)

Dumps an arbitrary packet. Note: Dumper:dump_current() will fit best in most cases.

Arguments

timestamp: The absolute timestamp the packet will have.

pseudoheader: The PseudoHeader to use.

bytearray: The data to be saved

11.9.1.5. dumper:new_for_current([filetype])

Creates a capture file using the same encapsulation as the one of the current packet.

Arguments

filetype (optional): The file type. Defaults to pcapng.

Returns

The newly created Dumper Object

Errors

Cannot be used outside a tap or a dissector

11.9.1.6. dumper:dump_current()

Dumps the current packet as it is.

Errors

Cannot be used outside a tap or a dissector

11.9.2. PseudoHeader

A pseudoheader to be used to save captured frames.

11.9.2.1. PseudoHeader.none()

Creates a "no" pseudoheader.

Returns

A null pseudoheader

11.9.2.2. PseudoHeader.eth([fcslen])

Creates an ethernet pseudoheader.

Arguments

fcslen (optional): The fcs length

Returns

The ethernet pseudoheader

11.9.2.3. PseudoHeader.atm([aal], [vpi], [vci], [channel], [cells], [aal5u2u], [aal5len])

Creates an ATM pseudoheader.

Arguments

aal (optional): AAL number

vpi (optional): VPI

vci (optional): VCI

channel (optional): Channel

cells (optional): Number of cells in the PDU

aal5u2u (optional): AAL5 User to User indicator

aal5len (optional): AAL5 Len

Returns

The ATM pseudoheader

11.9.2.4. PseudoHeader.mtp2([sent], [annexa], [linknum])

Creates an MTP2 PseudoHeader.

Arguments

sent (optional): True if the packet is sent, False if received.

annexa (optional): True if annex A is used.

linknum (optional): Link Number.

Returns

The MTP2 pseudoheader

Prev	Up	Next
11.8. Post-Dissection Packet Analysis	Home	11.10. Wtap Functions For Handling Capture File Types