This is a dissector for Wireshark written in Lua that decodes Handshake packets.
Although all packet types have been added, a few haven't been tested yet. Please send a pcap if you are able to capture them (or confirm it works and PR a check mark :D).
| Type | Packet | Parser | Tested |
|---|---|---|---|
| 0 | VERSION | ✔️ | ✔️ |
| 1 | VERACK | ✔️ | ✔️ |
| 2 | PING | ✔️ | ✔️ |
| 3 | PONG | ✔️ | ✔️ |
| 4 | GETADDR | ✔️ | ✔️ |
| 5 | ADDR | ✔️ | ✔️ |
| 6 | INV | ✔️ | ✔️ |
| 7 | GETDATA | ✔️ | ✔️ |
| 8 | NOTFOUND | ✔️ | |
| 9 | GETBLOCKS | ✔️ | ✔️ |
| 10 | GETHEADERS | ✔️ | ✔️ |
| 11 | HEADERS | ✔️ | ✔️ |
| 12 | SENDHEADERS | ✔️ | ✔️ |
| 13 | BLOCK | ✔️ | ✔️ |
| 14 | TX | ✔️ | ✔️ |
| 15 | REJECT | ✔️ | ✔️ |
| 16 | MEMPOOL | ✔️ | |
| 17 | FILTERLOAD | ✔️ | ✔️ |
| 18 | FILTERADD | ✔️ | |
| 19 | FILTERCLEAR | ✔️ | |
| 20 | MERKLEBLOCK | ✔️ | ✔️ |
| 21 | FEEFILTER | ✔️ | |
| 22 | SENDCMPCT | ✔️ | ✔️ |
| 23 | CMPCTBLOCK | ✔️ | ✔️ |
| 24 | GETBLOCKTXN | ✔️ | ✔️ |
| 25 | BLOCKTXN | ✔️ | ✔️ |
| 26 | GETPROOF | ✔️ | ✔️ |
| 27 | PROOF | ✔️ | ✔️ |
| 28 | CLAIM | ✔️ | |
| 29 | AIRDROP | ✔️ | ✔️ |
| 30 | UNKNOWN | ✔️ | |
Simply clone this repository into Wireshark's personal Lua plugin directory.
Make sure the directory is called `handshake` and not anything else.
To find the location of Wireshark's personal plugin directory, open Wireshark -> Help -> About Wireshark -> Folders tab -> Personal Lua Plugins (not Personal Plugins). Once cloned, `{PersonalLuaPlugins}/handshake/handshake.lua` must exist.

```sh
cd ~/.local/lib/wireshark/plugins/
git clone https://github.com/htools-org/wireshark-handshake-protocol handshake
```

Then, restart Wireshark or reload Lua plugins (Ctrl + Shift + L).
That's it!
Once installed, Handshake packets will automatically be decoded.
The Packet Details pane will have a new tree called Handshake Protocol Data. Expand it to explore the packet.
Some handy display filters (Wireshark display filters take no trailing semicolon):

- All Handshake packets: `handshake`
- A specific packet type (here VERSION, type 0): `handshake.type == 0`

Contributions are always welcome!
Each packet type has its own file to keep the code clean and is mostly commented.
If you plan to add a new type, a good place to start is by copying `packet_version.lua` and replacing the name, type, fields, and parse function.
Remember to register the new type in `handshake.lua` as well!
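As a worked illustration of that recipe, below is an added example packet module in the name/type/fields/parse shape the README describes. It is not a file from this repository, and several things in it are assumptions for illustration only: the module table layout, the field abbreviations (`handshake.ping.*`), the idea that `handshake.lua` hands `parse` the payload as a `TvbRange` with the framing header already stripped, and the PING payload layout (a single 8-byte little-endian nonce). Check each of these against `packet_version.lua` and `handshake.lua` before reusing the shape. The one point worth carrying over regardless is the length check: a dissector runs on bytes sent by an arbitrary peer, and indexing a `TvbRange` past its end raises a Lua error that aborts dissection of that packet instead of flagging it.

```lua
-- packet_ping.lua: added, illustrative packet module (not part of the
-- repository). Assumed for illustration: handshake.lua passes parse() the
-- payload TvbRange with the header removed, and a PING payload is one
-- 8-byte little-endian nonce.
local M = {}

M.name = "PING"
M.type = 2 -- matches the packet-type table in the README

-- ProtoField abbreviations ("handshake.ping.*") are assumed names.
M.fields = {
  nonce = ProtoField.uint64("handshake.ping.nonce", "Nonce", base.HEX),
}

local PAYLOAD_LEN = 8

-- parse(payload, pinfo, tree): payload is a TvbRange, tree is the
-- "Handshake Protocol Data" subtree for this packet.
function M.parse(payload, pinfo, tree)
  -- Never index the buffer before checking its length: a short read
  -- raises a Lua error and leaves the packet undissected instead of flagged.
  if payload:len() < PAYLOAD_LEN then
    tree:add_expert_info(PI_MALFORMED, PI_ERROR,
      string.format("%s payload is %d bytes, expected %d",
        M.name, payload:len(), PAYLOAD_LEN))
    return
  end

  local nonce = payload:range(0, PAYLOAD_LEN)
  tree:add_le(M.fields.nonce, nonce)
  pinfo.cols.info:append(string.format(" %s nonce=%s", M.name,
    tostring(nonce:le_uint64())))

  -- Trailing bytes are not part of the message; surface them as a warning
  -- rather than silently ignoring them.
  if payload:len() > PAYLOAD_LEN then
    tree:add_expert_info(PI_MALFORMED, PI_WARN,
      string.format("%d unexpected trailing bytes",
        payload:len() - PAYLOAD_LEN))
  end
end

return M
```

Two things to check when wiring a module like this into `handshake.lua`: every `ProtoField` it defines must be added to the `Proto`'s `fields` table before dissection runs, otherwise `tree:add_le` fails with an unregistered-field error; and the type byte must be mapped to the module's `parse` in whatever lookup `handshake.lua` uses, or the packet falls through to the UNKNOWN handler.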
Feel free to create a new issue if there's anything missing or could use more info.