I have a few pcap files, and I want to extract information such as the five-tuple from them, just like Wireshark does. But at the same time, I also want the parsed information to include application-level details of the traffic (e.g., identifying if certain traffic is from Twitter). For this purpose, I found ndpi.

My question is: both of these tools can be used independently, but how can I combine them? After doing some research, I found that ndpi provides Lua scripts that can be added as a plugin to Wireshark, which is great. However, I couldn't find any examples of using tshark in conjunction with ndpi. So, how can I use Wireshark + ndpi to obtain the desired information in the command-line interface (CLI)? Can tshark be used together with ndpi? What resources should I look into?

I found a tshark.lua in the installation directory of ndpi; the script is located at /nDPI/wireshark/tshark/lib/tshark.lua. This Lua code implements a class called "tshark" for handling network packet analysis. It relies on the "dkjson" library to handle JSON data. However, it doesn't provide an example of using tshark with ndpi. The only test script, flows_example.lua, just uses the functions provided by tshark.lua to read the packets from a pcap file or a device, builds flow statistics from the packet contents, and finally prints the statistics for each flow.


There are 0 answers
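The part of the request that does not need nDPI at all, the five-tuple and per-flow statistics from the CLI, can be done with tshark alone: `tshark -T fields` prints one line per packet with the requested fields, and a short script aggregates them into bidirectional flows the way flows_example.lua does. The script below is an added example, not code from the question, from Wireshark, or from the nDPI repository. It assumes the tshark field names shown in the docstring (all real dissector fields), and the sample input is constructed to look like that command's output; nothing here calls nDPI or classifies traffic, which is the piece nDPI's own Lua plugin would add.

```python
"""Five-tuple flow statistics from tshark field output (added example).

The constructed sample below mimics the output of this tshark command:

  tshark -r capture.pcap -T fields -E separator=, -E occurrence=f \
      -e frame.time_epoch -e ip.src -e ip.dst -e ip.proto \
      -e tcp.srcport -e tcp.dstport -e udp.srcport -e udp.dstport -e frame.len

Non-IP frames (e.g. ARP) produce empty ip.* fields; UDP packets leave the
tcp.* columns empty and vice versa; ICMP leaves all four port columns empty.
"""
from dataclasses import dataclass
import subprocess
from typing import Iterable, Optional

TSHARK_FIELDS = [
    "frame.time_epoch", "ip.src", "ip.dst", "ip.proto",
    "tcp.srcport", "tcp.dstport", "udp.srcport", "udp.dstport", "frame.len",
]

# Constructed sample: a TLS exchange on tcp/443, a DNS query/response, and one
# ICMP packet. Addresses are from documentation ranges, not real hosts.
SAMPLE_TSHARK_OUTPUT = """\
1700000000.000100,10.0.0.5,203.0.113.10,6,51234,443,,,74
1700000000.000900,203.0.113.10,10.0.0.5,6,443,51234,,,74
1700000000.001500,10.0.0.5,203.0.113.10,6,51234,443,,,66
1700000000.002000,10.0.0.5,203.0.113.10,6,51234,443,,,583
1700000000.005000,203.0.113.10,10.0.0.5,6,443,51234,,,1514
1700000000.010000,10.0.0.5,10.0.0.1,17,,,53211,53,79
1700000000.012000,10.0.0.1,10.0.0.5,17,,,53,53211,143
1700000000.020000,10.0.0.5,203.0.113.1,1,,,,,98
,,,,,,,,42
"""


@dataclass
class FlowStats:
    proto: int
    client: tuple            # (ip, port) of whoever sent the first packet
    server: tuple
    first_seen: float
    last_seen: float
    pkts_c2s: int = 0
    pkts_s2c: int = 0
    bytes_c2s: int = 0
    bytes_s2c: int = 0

    @property
    def duration(self) -> float:
        return self.last_seen - self.first_seen


def tshark_command(pcap: str) -> list:
    """argv for tshark producing the CSV layout parsed below."""
    cmd = ["tshark", "-r", pcap, "-T", "fields", "-E", "separator=,", "-E", "occurrence=f"]
    for f in TSHARK_FIELDS:
        cmd += ["-e", f]
    return cmd


def parse_line(line: str) -> Optional[tuple]:
    """One tshark line -> (ts, src, dst, proto, sport, dport, length), or None."""
    parts = line.rstrip("\n").split(",")
    if len(parts) != len(TSHARK_FIELDS):
        return None
    ts, src, dst, proto, tsp, tdp, usp, udp, flen = parts
    if not src or not dst or not proto:
        return None                      # not an IP packet, nothing to key on
    sport = int(tsp or usp or 0)         # ICMP and friends carry no ports
    dport = int(tdp or udp or 0)
    return float(ts), src, dst, int(proto), sport, dport, int(flen)


def flow_key(src: str, sport: int, dst: str, dport: int, proto: int) -> tuple:
    """Direction-independent key so both halves of a conversation collapse."""
    return (proto,) + tuple(sorted([(src, sport), (dst, dport)]))


def build_flows(lines: Iterable[str]) -> dict:
    flows = {}
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        ts, src, dst, proto, sport, dport, flen = rec
        key = flow_key(src, sport, dst, dport, proto)
        fs = flows.get(key)
        if fs is None:
            fs = FlowStats(proto, (src, sport), (dst, dport), ts, ts)
            flows[key] = fs
        fs.last_seen = max(fs.last_seen, ts)
        if (src, sport) == fs.client:
            fs.pkts_c2s += 1
            fs.bytes_c2s += flen
        else:
            fs.pkts_s2c += 1
            fs.bytes_s2c += flen
    return flows


def flows_from_pcap(pcap: str) -> dict:
    """Run tshark on a capture file and aggregate its output."""
    out = subprocess.run(tshark_command(pcap), capture_output=True, text=True, check=True)
    return build_flows(out.stdout.splitlines())


if __name__ == "__main__":
    for key, fs in build_flows(SAMPLE_TSHARK_OUTPUT.splitlines()).items():
        print(f"proto={fs.proto} {fs.client[0]}:{fs.client[1]} -> {fs.server[0]}:{fs.server[1]} "
              f"pkts={fs.pkts_c2s}/{fs.pkts_s2c} bytes={fs.bytes_c2s}/{fs.bytes_s2c} "
              f"dur={fs.duration:.4f}s")
```

Two points worth noting for the CLI workflow. `-E occurrence=f` keeps each column single-valued when a frame carries the same field twice (an ICMP error quoting an inner IP header, for instance), which otherwise breaks a fixed-column parse. And tshark does load Lua scripts on the command line with `-X lua_script:/path/to/script.lua`, the same mechanism the GUI uses for plugins, so that is the switch to start from when trying an ndpi-provided Lua script under tshark rather than Wireshark.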