Wireshark Dissectors – Advanced · 2017-12-08
SHARKFEST ‘10 | Stanford University | June 14–17, 2010
Wireshark Dissectors – Advanced
June 17, 2010
Gerald Combs, Lead Developer | Wireshark
Protocol Preferences
• Uints, Bools, Enums, Strings, Ranges
• General registration
  – Protocol + Callback
• Preference registration
  – Name
  – Data pointer (usually global)
• Stored in main prefs file
• See also: UATs
Preferences Example
Example: Gopher Preferences
Keeping State
• Order not guaranteed
  – pinfo->fd->flags.visited
• Within your dissector
  – Normal C variables
• Up & down the stack
  – pinfo->private_data
• Across calls
  – p_add_proto_data
  – Conversations
Protocol Data Example
Conversations
• Packets between address:port pairs
• Versatile creation: find_conversation + conversation_new
• Easy creation: find_or_create_conversation
• Adding / getting data: conversation_add_proto_data, conversation_get_proto_data
Conversation State Example
TCP Reassembly
• TCP messages & tvbuffs have different boundaries
• tcp_dissect_pdus() to the rescue!
• epan/dissectors/packet-tcp.h
• What about other reassembly?
Using tcp_dissect_pdus()
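The slide's own listing was an image and did not survive extraction. What follows is an added stand-alone C model (not Wireshark's code) of the contract tcp_dissect_pdus() offers a dissector: a constructed toy protocol with a 2-byte length header, a get_pdu_len callback in the shape the API expects, and a desegmenter that delivers whole PDUs and holds a partial one across TCP segment boundaries. The names desegment, toy_get_pdu_len and struct deseg_result are this example's own.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Stand-alone model (not Wireshark's implementation) of the contract behind
 * tcp_dissect_pdus(): the caller supplies a fixed header length and a get_pdu_len
 * callback; complete PDUs go to the dissector, a partial one waits for the next segment. */
typedef size_t (*get_pdu_len_fn)(const uint8_t *hdr);
/* Toy protocol (constructed): 2-byte big-endian total length (header included), then payload. */
#define TOY_HDR_LEN 2
static size_t toy_get_pdu_len(const uint8_t *h) { return ((size_t)h[0] << 8) | h[1]; }
struct deseg_result { size_t pdus, pending; int error; }; /* delivered, held back, malformed */

/* buf/buflen hold the per-conversation reassembly state between calls. */
static struct deseg_result desegment(uint8_t *buf, size_t *buflen, size_t cap,
                                     const uint8_t *seg, size_t seglen, get_pdu_len_fn get_len)
{
    struct deseg_result r = {0, 0, 0};
    if (seglen > cap - *buflen) { r.error = 1; return r; }   /* never overrun buf */
    memcpy(buf + *buflen, seg, seglen);
    *buflen += seglen;
    size_t off = 0;
    while (*buflen - off >= TOY_HDR_LEN) {               /* need the fixed header first */
        size_t plen = get_len(buf + off);
        if (plen < TOY_HDR_LEN) { r.error = 1; break; }  /* would loop without advancing */
        if (*buflen - off < plen) break;                 /* partial PDU: wait for more */
        r.pdus++;                    /* dissect_toy_pdu(buf + off, plen) would run here */
        off += plen;
    }
    memmove(buf, buf + off, *buflen - off);              /* keep the tail for next time */
    *buflen -= off;
    r.pending = *buflen;
    return r;
}

/* Constructed sample: two PDUs (5 and 4 bytes) arriving in three 3-byte segments. */
size_t demo_pdus_across_segments(void)
{
    static const uint8_t stream[] = {0, 5, 'a', 'b', 'c', 0, 4, 'x', 'y'};
    uint8_t buf[64]; size_t blen = 0, total = 0;
    for (size_t i = 0; i < sizeof stream; i += 3)
        total += desegment(buf, &blen, sizeof buf, stream + i, 3, toy_get_pdu_len).pdus;
    return total;
}

/* A header claiming a zero-length PDU is rejected instead of spun on forever. */
int demo_zero_length_rejected(void)
{
    uint8_t buf[64]; size_t blen = 0; static const uint8_t bad[] = {0, 0, 'z'};
    return desegment(buf, &blen, sizeof buf, bad, sizeof bad, toy_get_pdu_len).error;
}
```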
General Reassembly
• Collect fragments: fragment_add_XXX
• Create tvb: tvb_new_XXX
• Create detail tab: add_new_data_source
• Dissect the child data: dissect_XXX
IP Defragmentation
Exceptions
• Automatic:
    offset = 234567890;
    uid = tvb_get_ntohs(tvb, offset);
• Manual:
    THROW(ReportedBoundsError);
    DISSECTOR_ASSERT(offset < 300);
    REPORT_DISSECTOR_BUG("That wasn't cheese…");
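An added stand-alone C model (not Wireshark's tvbuff or exception code) of the two paths on this slide, using setjmp/longjmp as a stand-in for TRY/CATCH: the bounds-checked accessor throws automatically on a read past the packet, and the dissector throws explicitly when a zero-length item would stop its loop from advancing, which is also the point of the "Check Your Inputs" and "Speaking of Loops" slides further down. tvb_t, tvb_get_ntohs_m, dissect_items and run_dissector are this example's own names.

```c
#include <setjmp.h>
#include <stddef.h>
#include <stdint.h>

/* Stand-alone model (not Wireshark's code) of a tvbuff and the exception discipline
 * on the slide: an out-of-range read throws instead of reading past the packet,
 * and a problem the dissector detects itself is thrown explicitly. */
typedef struct { const uint8_t *data; size_t len; } tvb_t;

enum { NO_EXC = 0, BOUNDS_ERROR = 1, DISSECTOR_BUG = 2 };
static jmp_buf except_ctx;                                  /* one TRY level */
#define THROW(code) longjmp(except_ctx, (code))
#define DISSECTOR_ASSERT(c) do { if (!(c)) THROW(DISSECTOR_BUG); } while (0)

/* "Automatic" exception: every accessor checks bounds. Written in subtraction
 * form so that off + 2 can never wrap around (size_t is unsigned). */
static uint16_t tvb_get_ntohs_m(const tvb_t *t, size_t off)
{
    if (off > t->len || t->len - off < 2) THROW(BOUNDS_ERROR);
    return (uint16_t)((t->data[off] << 8) | t->data[off + 1]);
}

/* Toy protocol (constructed for this example): a run of items, each a 2-byte
 * big-endian length (header included) followed by value bytes. */
static int dissect_items(const tvb_t *t)
{
    int items = 0;
    size_t off = 0;
    while (off < t->len) {
        uint16_t ilen = tvb_get_ntohs_m(t, off);
        DISSECTOR_ASSERT(ilen >= 2);                /* "manual": length 0 would never advance off */
        if (t->len - off < ilen) THROW(BOUNDS_ERROR); /* item claims bytes the packet lacks */
        /* proto_tree_add_item() calls for the value bytes would go here */
        off += ilen;
        items++;
    }
    return items;
}

/* Runs the dissector under a CATCH. Returns the item count, or -1 for a bounds
 * error and -2 for a dissector bug, so a malformed packet never crashes the caller. */
int run_dissector(const uint8_t *pkt, size_t len)
{
    tvb_t t = { pkt, len };
    int exc = setjmp(except_ctx);
    if (exc != NO_EXC) return -exc;
    return dissect_items(&t);
}
```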
Error Reporting
• Bad: g_assert(len <= MAX_LEN);
• Sort-of-OK: fprintf(stderr, "Oops."); proto_tree_add_debug_text(…);
• Better: Expert Info
Expert Info
• Adds to expert windows
• Similar to syslog
• epan/expert.h, epan/expert.c
Portability Tips
• We run on Windows (32 & 64), Linux, Solaris, OS X, FreeBSD, NetBSD, OpenBSD, AIX, HP-UX, …
• GLib types
• Old compilers (Visual C++ 6.0)
  – No C++ comments
  – No C99
Portability Tips 2
• No malloc, sprintf, strcpy, open…
• sizeof and strlen return a size_t
• Use ep_ and se_ allocated memory
• #ifdef _WIN32 /* not WIN32 */
Crashing Wireshark
• Dereference a NULL pointer
• Overrun a buffer
• Pass a NULL string to a printf-style function
• Global pointer to ep_allocated memory
Check Your Inputs
Speaking of Loops…
What’s the Difference?
Making Your Own Package
• Why?
• doc/README.packaging
• version.conf + make-version.pl
Bonus Material
Disk Requirements
• Sources (plain): 350 MB
• Sources (compiled): 850 MB
• Support libs: 250 MB
• Cygwin: 0.5 – 2.0 GB
• Python: 50 MB
Why won’t you add my code?
• Is it well-written?
• Did you fuzz it?
• Did you send along a capture file?
• Should you ping someone?
Ptvcursors
• Protocol Tree TVBuff Cursor
• Easy way to add a bunch of static items
Ptvcursor Example
Automatic Generation
• ASN.1
• CORBA IDL
• Samba PIDL
• Protomatics