This is a topic I’m teaching in my “Packet Class: Wireshark” training in Amsterdam next month.

You can configure Wireshark to display TCP flags like Snort does. One way to do this is to create a post-dissector and then add a column with its output (like in the screenshot above).
I developed a Wireshark Lua dissector generator. You provide it some definitions, like this:
[dissector]
file_prefix = tcp-flags
type = postdissector
description = Wireshark Lua tcp-flags postdissector example
[protocol]
proto = tcpflags
description = TCP Flags Postdissector
[protocolfields]
field_1 = flags
description_a_1 = TCP Flags
description_b_1 = The TCP Flags
[fields]
field_1 = tcp.flags
And then my Python program lua-dissector-generator.py takes this input and generates a Lua post-dissector that defines one new protocol with one field, populated from an existing field (here tcp.flags).
--[[
2014/02/21 - 2014/02/21
tcp-flags-postdissector.lua V0.0.1
Wireshark Lua tcp-flags postdissector example
Source code by Didier Stevens, GPL according to Wireshark Foundation ToS
https://DidierStevens.com
Use at your own risk
Shortcomings, or todo's 😉
History:
2014/02/21: start
--]]

local function DefineAndRegister_tcpflags_postdissector()
    -- New protocol "tcpflags" with a single string field tcpflags.flags
    local oProto_tcpflags = Proto('tcpflags', 'TCP Flags Postdissector')
    local oProtoFieldflags = ProtoField.string('tcpflags.flags', 'TCP Flags', 'The TCP Flags')
    oProto_tcpflags.fields = {oProtoFieldflags}

    -- Field extractor for the existing tcp.flags field of the TCP dissector
    local oField_tcp_flags = Field.new('tcp.flags')

    function oProto_tcpflags.dissector(buffer, pinfo, tree)
        -- The extractor returns nil for frames without a TCP header
        local tcp_flags = oField_tcp_flags()
        if tcp_flags ~= nil then
            local oSubtree = tree:add(oProto_tcpflags, 'TCP Flags')
            oSubtree:add(oProtoFieldflags, tcp_flags.value)
        end
    end

    -- A post-dissector runs after all other dissectors, so tcp.flags is already populated
    register_postdissector(oProto_tcpflags)
end

local function Main()
    DefineAndRegister_tcpflags_postdissector()
end

Main()
Finally, we add functions to represent the individual TCP flags:
-- Returns character when the bit selected by mask is set, '*' otherwise (Snort notation)
local function DecodeFlag(flags, mask, character)
    if bit.band(flags, mask) == 0 then
        return '*'
    else
        return character
    end
end

-- Renders the integer tcp.flags value as an 8-character Snort-style string,
-- most significant bit first: CWR ECE URG ACK PSH RST SYN FIN (e.g. 0x12 -> '***A**S*').
-- Use it in the dissector function above, e.g.
-- oSubtree:add(oProtoFieldflags, TCPFlagIntegerToSnort(tcp_flags.value))
local function TCPFlagIntegerToSnort(tcpflags)
    local s_tcp_flags = ''
    s_tcp_flags = s_tcp_flags .. DecodeFlag(tcpflags, 0x80, 'C')
    s_tcp_flags = s_tcp_flags .. DecodeFlag(tcpflags, 0x40, 'E')
    s_tcp_flags = s_tcp_flags .. DecodeFlag(tcpflags, 0x20, 'U')
    s_tcp_flags = s_tcp_flags .. DecodeFlag(tcpflags, 0x10, 'A')
    s_tcp_flags = s_tcp_flags .. DecodeFlag(tcpflags, 0x08, 'P')
    s_tcp_flags = s_tcp_flags .. DecodeFlag(tcpflags, 0x04, 'R')
    s_tcp_flags = s_tcp_flags .. DecodeFlag(tcpflags, 0x02, 'S')
    s_tcp_flags = s_tcp_flags .. DecodeFlag(tcpflags, 0x01, 'F')
    return s_tcp_flags
end
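As an added example that is not part of the original post or of lua-dissector-generator.py, the same Snort-style rendering in Python, applied offline to a constructed sample of tshark field output (frame.number and tcp.flags), together with the inverse parse; the sample lines and the function names are my own.

```python
# Added example: the Snort-style rendering from the Lua post-dissector,
# re-implemented in Python (not part of the original post or of
# lua-dissector-generator.py) so it can be applied offline to tshark output.

# Same bit -> character mapping as DecodeFlag/TCPFlagIntegerToSnort, MSB first.
# Wireshark's tcp.flags covers the 12-bit TCP flags field (NS and reserved
# bits included); like the Lua code, only the low 8 bits are rendered.
FLAG_BITS = (
    (0x80, 'C'), (0x40, 'E'), (0x20, 'U'), (0x10, 'A'),
    (0x08, 'P'), (0x04, 'R'), (0x02, 'S'), (0x01, 'F'),
)


def flags_to_snort(flags):
    """Render an integer tcp.flags value as an 8-character Snort-style string."""
    return ''.join(ch if flags & mask else '*' for mask, ch in FLAG_BITS)


def snort_to_flags(text):
    """Inverse of flags_to_snort: parse '***A**S*' back to 0x12."""
    if len(text) != 8:
        raise ValueError('expected 8 flag positions, got %r' % text)
    value = 0
    for (mask, ch), got in zip(FLAG_BITS, text):
        if got == ch:
            value |= mask
        elif got != '*':
            raise ValueError('unexpected %r in the %s position' % (got, ch))
    return value


# Constructed sample of `tshark -T fields -e frame.number -e tcp.flags` output
# (hex tcp.flags per frame; frame 7 is a non-TCP frame, so the field is empty).
SAMPLE = (
    "1\t0x0002\n2\t0x0012\n3\t0x0010\n4\t0x0018\n"
    "5\t0x0011\n6\t0x0004\n7\t\n"
)


def render_tshark_fields(text):
    """Return [(frame, snort_flags)] for every TCP frame in tshark field output."""
    rows = []
    for line in text.splitlines():
        frame, hexflags = line.split('\t', 1)
        if not hexflags:          # no TCP header in this frame
            continue
        rows.append((int(frame), flags_to_snort(int(hexflags, 16))))
    return rows
```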
That’s it. You can download this post-dissector here:
wireshark-lua-dissectors_V0_0_3.zip (https)
MD5: 73F9BB860F2204DBDE7FF3A7E5CA413F
SHA256: 900A21C862973294AB25A8966299386BD058A352CEA21CA97BA546DA12964465