Lua dissector for Wireshark that decodes Inband Flow Analyzer 2.0 (IFA 2.0) / INT-MX telemetry.
It supports two encapsulation modes:
- Native IFA 2.0 carried as IP Protocol 253 with a multi-hop metadata stack
- INT-MX postcard carried inside VXLAN (UDP/4789) and identified using marker MAC addresses
Tested with Arista EOS.
- Make sure Wireshark has Lua enabled:
  - Preferences → Protocols → Lua
- Install the dissector into your Personal Lua Plugins folder:
  - In Wireshark: Help → About Wireshark → Folders
  - Look for Personal Lua Plugins and copy decoder/wireshark-int-decoder.lua into that directory
  - Or, on macOS, use one of the command-line options below (same goal, simpler updates)
- Restart Wireshark.

If you want to keep this repository as the source (so updates are picked up automatically), you can symlink the Lua dissector into Wireshark’s personal plugins directory:
mkdir -p ~/.local/lib/wireshark/plugins/
ln -sf "$(pwd)/decoder/wireshark-int-decoder.lua" ~/.local/lib/wireshark/plugins/

If you don’t want to clone the repository, download the dissector directly into the plugins directory:
mkdir -p ~/.local/lib/wireshark/plugins/
curl -fsSL "https://raw.githubusercontent.com/titom73/wireshark-ifa-decoder/main/decoder/wireshark-int-decoder.lua" -o ~/.local/lib/wireshark/plugins/wireshark-int-decoder.lua

Open a capture that contains IFA 2.0 traffic. When the dissector runs, the Protocol column will show IFA 2.0, and the packet details will include an IFA 2.0 Telemetry tree.
Useful display filters:
- ifa2: frames decoded by this dissector
- ip.proto == 253: native IFA 2.0 (IP protocol 253)
- udp.port == 4789: VXLAN traffic (postcard mode is detected inside VXLAN)

For INT-MX postcard packets, the script runs as a post-dissector and looks for:
- Outer UDP destination port 4789 (VXLAN)
- Inner Ethernet marker MACs:
  - Destination starts with 00:11:01:00:00:XX
  - Source starts with 00:12:01:00:00:XX
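
The two detection conditions described above, as an added Python example that is not the dissector's own Lua code: it classifies a raw Ethernet frame as native IFA 2.0 or INT-MX postcard. It assumes an IPv4 outer header with at most one 802.1Q tag; `classify_frame` and `build_vxlan_frame` are illustrative names, and the sample frames are constructed.

```python
import struct

# Added example (not the dissector's code); constants come from the README text.
IFA_IP_PROTO = 253
VXLAN_UDP_PORT = 4789
MARKER_DST_PREFIX = bytes.fromhex("0011010000")  # 00:11:01:00:00:XX
MARKER_SRC_PREFIX = bytes.fromhex("0012010000")  # 00:12:01:00:00:XX


def classify_frame(frame: bytes) -> str:
    """Return 'native-ifa2', 'int-mx-postcard' or 'other' for an Ethernet frame."""
    if len(frame) < 14:
        return "other"
    ethertype = struct.unpack_from("!H", frame, 12)[0]
    offset = 14
    if ethertype == 0x8100 and len(frame) >= 18:  # single 802.1Q tag
        ethertype = struct.unpack_from("!H", frame, 16)[0]
        offset = 18
    if ethertype != 0x0800 or len(frame) < offset + 20:
        return "other"  # assumption: only IPv4 outer headers are handled
    ihl = (frame[offset] & 0x0F) * 4
    if frame[offset] >> 4 != 4 or ihl < 20:
        return "other"
    proto = frame[offset + 9]
    if proto == IFA_IP_PROTO:
        return "native-ifa2"
    if proto != 17:  # not UDP, so it cannot be VXLAN
        return "other"
    udp = offset + ihl
    inner = udp + 8 + 8  # skip UDP header and VXLAN header
    if len(frame) < inner + 12:
        return "other"  # truncated before the inner MAC addresses
    dst_port = struct.unpack_from("!H", frame, udp + 2)[0]
    if dst_port != VXLAN_UDP_PORT:
        return "other"
    inner_dst, inner_src = frame[inner:inner + 6], frame[inner + 6:inner + 12]
    if inner_dst[:5] == MARKER_DST_PREFIX and inner_src[:5] == MARKER_SRC_PREFIX:
        return "int-mx-postcard"
    return "other"  # ordinary VXLAN traffic without the marker MACs


def build_vxlan_frame(inner_dst: bytes, inner_src: bytes) -> bytes:
    """Constructed sample: outer Ethernet/IPv4/UDP/VXLAN around a minimal inner frame."""
    inner = inner_dst + inner_src + b"\x08\x00" + bytes(20)
    vxlan = b"\x08\x00\x00\x00" + (100).to_bytes(3, "big") + b"\x00"
    udp = struct.pack("!HHHH", 49152, VXLAN_UDP_PORT, 8 + len(vxlan) + len(inner), 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp) + len(vxlan) + len(inner),
                     0, 0, 64, 17, 0, bytes([192, 0, 2, 1]), bytes([192, 0, 2, 2]))
    return bytes(12) + b"\x08\x00" + ip + udp + vxlan + inner
```
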
GPL-2.0-only. See LICENSE.
