erikdw · July 24, 2023 09:22
diff --git a/statsd_dissector.lua b/statsd_dissector.lua
 -- Usage: tshark -X lua_script:statsd_dissector.lua -r capture.pcap
 -- Usage: tshark -X lua_script:statsd_dissector.lua -T fields -e statsd.metric_name -e statsd.value -e statsd.metric_type -e stats.metric_tags -r capture.pcap

 local statsd = Proto("statsd","Statsd Protocol")

 local pf_metric_name = ProtoField.new("Metric Name", "statsd.metric_name", ftypes.STRING)
 local pf_value = ProtoField.new("Value", "statsd.value", ftypes.STRING)
 local pf_metric_type = ProtoField.new("Metric Type", "statsd.metric_type", ftypes.STRING)
 local pf_metric_tags = ProtoField.new("Metric Tags", "statsd.metric_tags", ftypes.STRING)

 statsd.fields = { pf_metric_name, pf_value, pf_metric_type, pf_metric_tags }

 function statsd.dissector(tvbuf,pktinfo,root)
  local pktlen = tvbuf:reported_length_remaining()
  local tvbr = tvbuf:range(0,pktlen)

  -- <metric name>:<value>|<metric type>[|@<sample rate>]|tags
  -- e.g.,
  -- foo.values:5000|g|#record_family:bar,record_name:baz,type:sor,version:v2.2.6-12-gebf65ae
  --   metric_name: foo.values
  --   metric_type: g (gauge)
  --   metric_tags: record_family:bar,record_name:baz,type:sor,version:v2.2.6-12-gebf65ae
  local payload = tvbr:string()
  local a, b, metric_name, value, metric_type, metric_tags = string.find(payload, "^([^:]+):([^|]+)|([^|]+)|([^|]+)")

  if a then
    pktinfo.cols.protocol:set("Statsd")
    pktinfo.cols.info:set(payload)

    local pos = 0
    local tree = root:add(statsd, tvbr)

    tree:add(pf_metric_name, tvbuf:range(pos, metric_name:len()), metric_name)
    pos = pos + metric_name:len() + 1

    tree:add(pf_value, tvbuf:range(pos, value:len()), value)
    pos = pos + value:len() + 1

    tree:add(pf_metric_type, tvbuf:range(pos, metric_type:len()), metric_type)
    pos = pos + metric_type:len()

    tree:add(pf_metric_tags, tvbuf:range(pos, metric_tags:len()), metric_tags)
    pos = pos + metric_tags:len()
  end
 end

 DissectorTable.get("udp.port"):add(8125, statsd)
	-- Usage: tshark -X lua_script:statsd_dissector.lua -r capture.pcap
	-- Usage: tshark -X lua_script:statsd_dissector.lua -T fields -e statsd.metric_name -e statsd.value -e statsd.metric_type -e stats.metric_tags -r capture.pcap

	local statsd = Proto("statsd","Statsd Protocol")

	local pf_metric_name = ProtoField.new("Metric Name", "statsd.metric_name", ftypes.STRING)
	local pf_value = ProtoField.new("Value", "statsd.value", ftypes.STRING)
	local pf_metric_type = ProtoField.new("Metric Type", "statsd.metric_type", ftypes.STRING)
	local pf_metric_tags = ProtoField.new("Metric Tags", "statsd.metric_tags", ftypes.STRING)

	statsd.fields = { pf_metric_name, pf_value, pf_metric_type, pf_metric_tags }

	function statsd.dissector(tvbuf,pktinfo,root)
	local pktlen = tvbuf:reported_length_remaining()
	local tvbr = tvbuf:range(0,pktlen)

	-- <metric name>:<value>\|<metric type>[\|@<sample rate>]\|tags
	-- e.g.,
	-- foo.values:5000\|g\|#record_family:bar,record_name:baz,type:sor,version:v2.2.6-12-gebf65ae
	-- metric_name: foo.values
	-- metric_type: g (gauge)
	-- metric_tags: record_family:bar,record_name:baz,type:sor,version:v2.2.6-12-gebf65ae
	local payload = tvbr:string()
	local a, b, metric_name, value, metric_type, metric_tags = string.find(payload, "^([^:]+):([^\|]+)\|([^\|]+)\|([^\|]+)")

	if a then
	pktinfo.cols.protocol:set("Statsd")
	pktinfo.cols.info:set(payload)

	local pos = 0
	local tree = root:add(statsd, tvbr)

	tree:add(pf_metric_name, tvbuf:range(pos, metric_name:len()), metric_name)
	pos = pos + metric_name:len() + 1

	tree:add(pf_value, tvbuf:range(pos, value:len()), value)
	pos = pos + value:len() + 1

	tree:add(pf_metric_type, tvbuf:range(pos, metric_type:len()), metric_type)
	pos = pos + metric_type:len()

	tree:add(pf_metric_tags, tvbuf:range(pos, metric_tags:len()), metric_tags)
	pos = pos + metric_tags:len()
	end
	end

	DissectorTable.get("udp.port"):add(8125, statsd)