Last December I was providing Wireshark training and I got a question about CSV data: if it's possible to make a dissector for CSV data and how to do that. Now, I work for NVISO and we have clients for which we provide private training. So I will give training on malware analysis, malicious documents, Wireshark. And here I was providing training online, because of COVID, on Wireshark. And on the first day we covered all kinds of topics of Wireshark, and the second day writing our own dissectors in Lua.

Now, let me show you a capture file here. It's actually a file that I constructed. It's not something that I captured. So this is a TCP connection. And this is the data of that TCP connection. As you can see here, zero, pipe character, one two three seven, pipe character, KKKK, and so on, pipe character, command. So the data that is exchanged here over TCP consists of different fields. And the fields here in this example are separated by a pipe character. But since Wireshark has no idea of this protocol, it is not dissecting this protocol and you just have data. You don't have the individual fields. And I created a CSV dissector to split this up in different fields. So after I got the question I looked into this and I made a dissector in Lua for this. Let me close this.

So this is how I'm going to launch the dissector. So I launch Wireshark. It is on Windows, but on Linux and OS X it's the same thing. Uppercase X as option. And then we can provide a Lua script, the CSV dissector Lua script. So this dissector will be loaded in Wireshark. And then we also open the same capture file that I just opened. Let me do this. And now you can see here, you see, instead of data, you see CSV dissector protocol data. And if I click on this, you can see the different fields here. They are selected. So field 1, 0, you see, well, like this, you see it being selected here. 1, 3, 3, 7, KKK, command. Now the fact of having this also makes that you can filter on this. For example, with display filters.

If you look at the bottom here, you see the field is csvdissector.field2. So I can say, for example, csvdissector.field2 equals 1, 3, 3, 7. And it's not a number. It's a string. So I put it in quotes like this. And now this packet gets selected. You can also say if it is not, and then you don't see anything.

This dissector can be configured. There is only one parameter that can be changed here through preferences. And that is the separator character. So here it is a pipe character. But that is something that you can change. For example, a comma like this. And then we only have one field because there is no comma here that separates. I can change this back, separator, pipe character. And now we have our fields back. You can also make other changes to the behavior of this dissector. But that is something that you have to do in the script itself, in the Lua script itself.

So let me close this and let me open that script here. Let's zoom in a bit. Okay. So here you have some values that you can change. For example, you can change the name of the dissector itself, csvdissector. You can put in another name. This is also the port on which it will do its dissection by default: 1, 2, 3, 4. You can change this to 4, 3, 2, 1, for example. This will now be the default port. Let me save this. And now if I do this again, it's not recognized, so it is not dissected. However, this is something that you can always do with Wireshark. That is, say here, right click, Decode As. And then you can say, so you see there is no default here for port 1, 2, 3, 4. But you can say, okay, I want you to dissect this as CSV here, csvdissector, like this. And now as you can see it gets decoded. So that is one of the things that you can change, the port name here. Also the maximum number of fields. That is something that also needs to be defined in the dissector, and this is here 10.

Now you might want to make this bigger, of course, if you have more fields, but also make this smaller for the following reason. If I type now csvdissector, sorry. And here you can see I have 10 different fields. Although only 4 fields, from 1 to 4, are actually present. So you could change this to 4 and then you don't have that many fields. That's one thing.

Another thing is also that you can give names to each field instead of field 1, field 2, and so on. So let's say that field 2, that's actually the port. So here in field names, and here above you can see an example with field 1 start, field 4 command. You can say field 2 equals port. Let me save this and let me launch this again. I should have changed the port also back to 1, 2, 3, 4. So let me do that. And now you can see here field 1, but field 2 is named port. And it is indeed port, as you can see here. You can say csvdissector.port.
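The following is an added example, not the script shown in the video: a minimal Wireshark Lua dissector of the kind described above, with the separator as a preference, a default port, a maximum field count and optional per-field names. The constant names, the file name in the comment and the exact splitting logic are my own assumptions.

```lua
-- Added example, not the script from the video: a minimal Wireshark Lua
-- dissector that splits a TCP payload into fields on a separator character.
-- Load it with: wireshark -X lua_script:csv_example.lua capture.pcap
-- (file name is an assumption). Values below mirror the settings discussed.
local DEFAULT_PORT = 1234              -- TCP port dissected by default
local MAX_FIELDS = 10                  -- upper bound on fields registered/shown
local FIELD_NAMES = { [2] = "port" }   -- optional names, e.g. field 2 = port

local csv_proto = Proto("csvdissector", "CSV dissector protocol")

-- The only runtime preference: the separator (Edit > Preferences > Protocols)
csv_proto.prefs.separator = Pref.string("Separator", "|", "Field separator character")

-- One string ProtoField per field so each is filterable, e.g. csvdissector.port == "1337"
local fields = {}
for i = 1, MAX_FIELDS do
  local name = FIELD_NAMES[i] or ("field" .. i)
  fields[i] = ProtoField.string("csvdissector." .. name, name)
end
csv_proto.fields = fields

function csv_proto.dissector(buffer, pinfo, tree)
  local length = buffer:len()
  if length == 0 then return end
  pinfo.cols.protocol = csv_proto.name
  local subtree = tree:add(csv_proto, buffer(), "CSV dissector protocol data")

  local sep = csv_proto.prefs.separator
  if sep == "" then sep = "|" end       -- an empty separator would match everywhere
  local data = buffer():string()
  local start = 1                       -- 1-based index into the Lua string
  for index = 1, MAX_FIELDS do
    if start > length then break end    -- trailing separator: no field left
    local pos = data:find(sep, start, true)   -- plain find, no Lua patterns
    local stop = pos and (pos - 1) or length
    -- Tvb ranges are 0-based: offset start-1, length stop-start+1 (may be 0)
    subtree:add(fields[index], buffer(start - 1, stop - start + 1))
    if not pos then break end
    start = pos + #sep
  end
end

-- Register on the default port; "Decode As..." can still map other ports to it
DissectorTable.get("tcp.port"):add(DEFAULT_PORT, csv_proto)
```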