Object Packet

Represents a packet. A packet in Trisul consists of layers. If your LUA script is processing packets, the layering is already done for you.


Packet
      Layer0 : Ethernet Frame (id={974FB098-DE46-45DB-94DA-8D64A3BBCDE5})
      Layer1 : IP Frame id=..
      Layer2 : UDP Frame

You can either work on the packet directly using the rawbytes buffer or locate any layer you want and then work on that. This saves you an enormous amount of work because the layers are quite complicated due to various encapsulations, labels, and other link layer quirks.

Methods

| Name | In | Out | Description |
|------|----|-----|-------------|
| timestamp | | number, number | two numbers representing tv_secs and tv_usecs (or nsecs) |
| rawbytes | | a Buffer object | the full packet |
| wire_length | | number | packet length |
| capture_length | | number | number of bytes captured. Could be less than wire_length due to a snaplen setting |
| num_layers | | number | number of layers |
| get_layer | number | a Layer object | get a layer by index. Note: the index runs from 0 to num_layers-1, unlike LUA |
| find_layer | guid | a Layer object | get the layer identified by the GUID |
| set_timestamp | number, number | | set the timestamp of the packet as seconds and (optionally) microseconds |
| set_packetstore_policy | number | | indicate whether and how this packet will be stored |
| flowid | | FlowID object | get the IP based flow ID of this packet |
| originid | | number | indicates the origination of this packet, such as an interface or stream |
| set_packet | tv_sec, tv_usec, dlt, bytes | | set the byte content of the packet, i.e. overwrite the actual packet |

Function set_packetstore_policy

Indicate to the Trisul framework how you want this packet to be stored.

Purpose

Indicate to Trisul whether you want to store this particular packet or not. This gives you very fine-grained, packet-level control over the PCAP storage. Note that this is only a hint: if other LUA scripts want to store the packet, this hint could be ignored.

Parameters

| Name | Type | Description |
|------|------|-------------|
| policy_flags | number | 0 = Don't store this packet; 1 = Store this full packet including payload; 2 = Store this packet headers only |

Return value

Example


Function set_packet

Sets the packet data.

Purpose

Essentially creates a new packet with a timestamp, DLT (Data Link Type), and bytes buffer.

This method is mainly used in InputFilter scripts, which create new packets from arbitrary sources.

Parameters

| Name | Type | Description |
|------|------|-------------|
| timestamp secs | number | tv_sec value from Unix Epoch Time |
| timestamp usecs | number | tv_usec value from Unix Epoch Time |
| dlt | number | data link type number, reused from LIBPCAP values. This number tells Trisul which protocol comes first in the packet's layers. The most common DLT numbers are 1 (Ethernet, EN10MB), 101 (Raw) and 228 (IPv4). See tcpdump data link types for a list of numbers you can use. |
| bytes | string | the actual packet bytes |

Return value

None

Example
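
A guard for the dlt parameter, as an added example that is not from the Trisul documentation: it checks that the bytes begin with the header the DLT value promises before calling set_packet. The names check_frame and safe_set_packet and the stand-in packet table are hypothetical; how an InputFilter script obtains the real Packet object is not shown here.

```lua
-- Added example, not Trisul's own code. DLT numbers are the ones listed above.
local DLT_EN10MB, DLT_RAW, DLT_IPV4 = 1, 101, 228

-- IP version nibble of the first byte, or nil for an empty string.
local function ip_version(bytes)
  local b = bytes:byte(1)
  return b and math.floor(b / 16)
end

-- Returns true, or false plus a reason, for a (dlt, bytes) pair.
local function check_frame(dlt, bytes)
  if type(bytes) ~= "string" or #bytes == 0 then
    return false, "empty packet"
  end
  if dlt == DLT_EN10MB then
    if #bytes < 14 then return false, "shorter than an Ethernet header" end
  elseif dlt == DLT_IPV4 then
    if #bytes < 20 or ip_version(bytes) ~= 4 then
      return false, "DLT 228 needs an IPv4 header first"
    end
  elseif dlt == DLT_RAW then
    local v = ip_version(bytes)
    if v ~= 4 and v ~= 6 then return false, "DLT 101 needs an IP header first" end
  else
    return false, "DLT not handled by this helper"
  end
  return true
end

-- Hypothetical helper: validate, then hand the frame to the documented method.
local function safe_set_packet(packet, tv_sec, tv_usec, dlt, bytes)
  local ok, why = check_frame(dlt, bytes)
  if not ok then return false, why end
  packet:set_packet(tv_sec, tv_usec, dlt, bytes)
  return true
end

-- Constructed stand-in for the Packet object so the block runs outside Trisul.
local fake = { set_packet = function(self, s, us, dlt, b) self.dlt, self.len = dlt, #b end }

-- Constructed 20-byte IPv4 header (version 4, IHL 5), zero padded.
local ipv4 = string.char(0x45) .. string.rep("\0", 19)
print(safe_set_packet(fake, 1700000000, 0, DLT_IPV4, ipv4))                -- IPv4 bytes, matching DLT
print(safe_set_packet(fake, 1700000000, 0, DLT_EN10MB, "\0\0\0\0"))        -- 4 bytes labelled Ethernet
print(safe_set_packet(fake, 1700000000, 0, DLT_RAW, string.rep("\0", 20))) -- no IP version nibble
```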