AgeCommit message (Collapse)AuthorFilesLines quick utility to sort a TCP stream in a captureHEADmasterPeter Wu1-0/+58
There is a known issue where out-of-order TCP segments breaks HTTP/2 dissection and TLS reassembly, even with the TCP Reassemble out-of-order segments preference enabled. This utility works around that issue by sorting TCP segments within a capture. Requires scapy, install with: pip3 install scapy
2020-04-01file-zip: parse mtime into a human-readable formPeter Wu1-4/+28
2020-03-02doc: initial draft of wireshark-dissection-and-reassembly.mdPeter Wu1-0/+134
Before making the reassembly API (epan/reassembly.c) even more complicated, and to solve TCP reassembly problems with TCP/TLS/HTTP2, let's have a look at potential solutions, possibly from the literature.
2020-02-13lua/doh-get.lua: fix base64url decodingPeter Wu1-0/+15
Avoids malformed packet exception with certain unpadded values. See also
2020-02-07lua: add DoH GET dissectorPeter Wu1-0/+39
Quick hack that allows me to debug DoH GET requests. See also
2019-11-20sslkeylog: add macOS supportPeter Wu3-8/+82
Tested with macOS 10.15.1 (Catalina). Works with python3 3.7.5 (requests library) and openssl 1.1.1d (s_client) from Homebrew. Does not work with curl 7.64.1 in /usr/bin/curl because it is signed and does not allow DYLD environment variables to be passed when SIP is enabled.
2019-04-18crafted-pkt/ actual fragment TCPPeter Wu1-3/+7
Actually fragment or coalesce TLS records across TCP segments.
2019-04-18crafted-pkt/ test for bug 3303Peter Wu1-0/+79
Dumb fuzzer for verifying that handshake reassembly works. remove RPATH settingPeter Wu1-10/+0
Since v2.9.1rc0-449-ga37388fbb6 it is no longer possible to override CMAKE_INSTALL_RPATH to create relocatable build directories. An attempt to add this feature in a generic way to older CMake versions failed, see I do not really need relocatable builds at the moment and can wait until CMake 3.14 is released should I need it in the future.
2019-01-28extcap: add ssh-dumpcap examplePeter Wu1-0/+108
Based on ssh-tcpdump, but uses dumpcap and supports specifying the hostname and interface through capture options. Should probably integrate that with ssh-tcpdump, but I quickly needed something working. Known issues: - On exit Wireshark assumes that stderr is an error. - dumpcap does not exit on the remote server, tracked by - Stopping a capture, killing dumpcap and starting a capture again results in a corrupted dissection (interpreted as ERF). The pcapng file on the filesystem is ok, it is just a GUI problem. Tested with Wireshark v2.9.1rc0-558-geec3ce3bb2. use lld only for Clang 8 and newerPeter Wu1-5/+12
GCC does not support -fuse-ld=lld and LLD 7.0.1 has a bug that causes crashes when (statically) linking code that uses thread-local storage without a PLT. switch to lld, remove unused stuffPeter Wu1-13/+8
Remove ENABLE_xxx options that are enabled by default, check CMakeOptions.txt instead if you want to see available values. Skip rebuilding if only tests change. Remove -fsanitize options since these are set via CMake options. Use lld instead of gold since it is almost twice as fast as gold: lld 4.8s gold 9.2s bfd 10.8s Tested (n=3) with lld 7.0.1-1 and binutils 2.31.1-4 on Arch Linux, Linux 4.19.12-arch1-1-ARCH, i7-6700HQ, wireshark v2.9.1rc0-363-g178d81f804. Commands: time cmake -GNinja /tmp/wireshark -DCMAKE_BUILD_TYPE=Debug \ -DCMAKE_C_COMPILER=clang -DCMAKE_CXX_COMPILER=clang++ \ -DCMAKE_C_FLAGS="-fdiagnostics-color -fuse-ld=lld" \ -DCMAKE_CXX_FLAGS="-fdiagnostics-color -fuse-ld=lld" \ -DDISABLE_WERROR=1 -DENABLE_ASAN=1 -DENABLE_UBSAN=1 time ninja && rm -rf run time ninja # measured this with various -fuse-ld= values. Total build time is about 21s for cmake, 3m18s for the initial ninja. Ignoring the noise, a full build somehow takes about the same time as with gold, but incremental builds with lld are consistently faster.
2019-01-13file-tar: basic POSIX tar archive dissectorPeter Wu1-0/+217
Support the POSIX tar format only and not other dialects.
2018-12-19windows-libs: include missing gcc libs for GnuTLSPeter Wu1-4/+14
Tested in a clean Win7 SP1 x64 image.
2018-12-19windows-libs: add script to build GnuTLS packagePeter Wu2-0/+552
Tested with MSVC 2015 (Win64). Use Fedora packages as Debian does not have MinGW packages for GnuTLS.
2018-12-18file-ar: fix processing of regular .a archivesPeter Wu1-20/+22
Do not try to dissect its data as COFF, it could be something else.
2018-12-18file-ar: extend with PE support (.exe/.dll)Peter Wu1-12/+183
2018-12-17file-ar: fix dissection of llvm-dlltool archivesPeter Wu1-16/+54
Add Storage Classes dissection and fix for llvm-dlltool output which has a large "//" archive member (longnames) that are newline-terminated instead of null-terminated. Tested against the output .lib file from LLVM 7.0.0-1: llvm-dlltool -m i386:x86-64 -d libgnutls-30.def -l libgnutls-30.lib -D libgnutls-30.dll
2018-12-17file-ar: ar and COFF dissector for WiresharkPeter Wu1-0/+523
Created in order to compare libgcrypt-20.dll.a as created by MinGW versus libgcrypt-20.lib as created by MSVC. Based on file-zip.lua.
2018-10-23sslkeylog.c: fix OpenSSL 1.1.1 support when library is not loadedPeter Wu1-17/+21
When was not yet loaded, it would assume that an older library was already loaded and avoid the new API. That assumption is not correct, it is also possible that no library was loaded at all as is the case with Python. Test: ./ python -c \ 'import requests;print(requests.head(""))' Before this fix it would output all zeroes as secret (a sign that something is wrong).
2018-10-23sslkeylog.c: support TLS 1.3 and OpenSSL 1.1.1Peter Wu1-4/+99
OpenSSL 1.1.1 adds TLS 1.3 support which uses a new secrets format. Previously it resulted in garbage keylog files, this has been fixed now. OpenSSL 1.1.1 also introduces a new API for secrets extraction. Consumers can use it like this (curl uses this code for example): static void keylog_callback(const SSL *ssl, const char *line) { /* write line and terminating '\n' */ } { SSL_CTX *ctx; ... SSL_CTX_set_keylog_callback(ctx, keylog_callback); SSL *ssl = SSL_new(ctx); } In case you cannot change the source code for an application, you can use sslkeylog.c again. This will basically perform the above step, set the key log callback before calling SSL_new. Since the new OpenSSL 1.1.1 API requires no further interception of SSL_read and other functions, a new NO_OPENSSL_110_SUPPORT macro was to avoid intercepting these. Additionally, a NO_OPENSSL_102_SUPPORT macro avoids the need for OpenSSL development headers. Caveat: when building with OpenSSL <= 1.0.2, will not be compatible with runtime OpenSSL 1.1.0. OpenSSL 1.1.1 still works though. Use of SSL_new and interception via SSL_CTX_set_keylog_callback was initially proposed by Derick Rethans, thanks for the suggestion! implement paginationPeter Wu1-17/+36
Apparently the undocumented pagination limit is 100. script to delete old buildsPeter Wu1-0/+57
Large artifacts may be accumulated and at the moment hits the 50GB limit. Deleting them one by one is cumbersome, so here is a way to automate it. Motivation:
2018-09-21tls13scan: allow SNI overridePeter Wu1-0/+5
2018-08-11tls13/scan: advertise draft versions even with final TLS 1.3Peter Wu1-6/+13
If the final 1.3 version is not supported, negotiation could fail if TLS 1.2 is not allowed. This is the case with
2018-08-11tls13/scan: poke for the final TLS 1.3 versionPeter Wu1-4/+14
2018-08-11tls13/scan: add tool to scan for supported TLS 1.3 draftsPeter Wu1-0/+312
Source is from April 3rd, 2018 or before.
2018-08-04make-libs: ensure directory prefixPeter Wu1-20/+21
Ensure that files are put within a subdirectory within the zip. Remove extra info (timestamps/uid/gid) and sort the URLs while at it.
2018-08-02windows-libs: add script to build gcrypt libs packagePeter Wu1-0/+80
Tested with MSVC 2015 (Win64) and the WireGuard patches on top of v2.9.0rc0-1338-g9b9a0d0f88. The decryption suite (43 tests) passes. README.Wireshark is based on Pascal's instructions from drop obsolete cmake options, ignore some changesPeter Wu1-5/+2
Do not wake up on running tests (which might touch __pycache__ and pytest files). relative sequence numbersPeter Wu1-1/+2
Change from 2018-07-19 13:03 +0200 report frame and overlap for retransmissionPeter Wu1-8/+28 fix handling of packets with ip.len==0Peter Wu1-2/+2
As present in frame 3 of 25.pcap from add utility to investigate TCP reassembly issuesPeter Wu1-0/+252
While working on improving handling of reassembly in presence of retransmissions, it would be very helpful to have a tool that tells the correct interpretation. This tool does that. It can probably not directly be implemented in Wireshark due to the additional memory requirements. Used to investigate bugs such as
2018-07-12crafted-pkt/ test for bug 13523Peter Wu1-0/+43
Used for crafting the capture in
2018-07-06crafted-pkt/ test Follow TCP Stream edge casesPeter Wu1-0/+110
For testing various issues such as Code coverage checked with Clang 6.0.0 by building packet-tcp.c with options from # is the command to link with the two profiling options eval $(jq -r '.[] | select(.file | contains("packet-tcp.c")) | .command' compile_commands.json | sed 's/^[^ ]\+/clang -fprofile-instr-generate -fcoverage-mapping/') && time bash llvm-profdata merge -sparse tcp.profraw -o tcp.profdata && llvm-cov show epan/dissectors/CMakeFiles/dissectors.dir/packet-tcp.c.o -instr-profile=tcp.profdata /tmp/wireshark/epan/dissectors/packet-tcp.c -name-regex='check_follow_fragments|follow_tcp_tap_listener' Tested against with log: 1c6dc6d31f (master) Some fixes. 777dac163a Follow Stream: ensure linear performance with many packets b853858e84 tcp: remove repetitive "follow_record->is_server" 98c33f532e tcp: fix Follow TCP Stream with missing (but ACKed) segments 8f4abb0346 tcp: fix Follow TCP Stream for overlapping data 9219c4b1b6 tcp: ignore zero-length payloads for Follow TCP Stream 9499a15a4a Qt: fix wrong Follow Stream text position after changing mode All cases are covered, except for one: 1122| 1| data_offset = follow_info->seq[is_server] - sequence; 1123| 1| if (data_length <= data_offset) { 1124| 0| data_length = 0; 1125| 1| } else { To reach that situation, the IP header probably needs to be modified, or the pcap snaplen/caplen fields. Too much work for now and a visual inspection shows that the case does not hurt, so just go for it.
2017-11-09Add, a layer for ScapyPeter Wu1-0/+121
Can be imported as Python module or used separately. Created at 2017-04-23 for converting oss-fuzz reproducers into an actual pcap.
2017-11-07sync-build: enable ASAN/UBSAN via option, remove gcrypt optionPeter Wu1-1/+2
GCRYPT is enabled by default, the option is gone since 2.4. Enable the ASAN option via CMake to ensure that building lemon does not fail if detect_leaks is not set.
2017-11-07lua/trivial: add some more commentsPeter Wu1-7/+23
And remove the unnecessary nothing() function, it was there to test a crash issue.
2017-11-07lua/trivial: trivial protocol examplePeter Wu1-0/+23
Added in 2015-09-27, contains a minimal dissector that does not use fields.
2017-02-25src/sslkeylog.c: fix post-interception tapping for OpenSSL 1.1.0Peter Wu1-27/+40
Lookup SSL_SESSION_get_master_key and SSL_get_client_random at runtime too after intercepting a call instead of a link-time dependency.
2017-02-24src/sslkeylog.c: avoid linker errorsPeter Wu1-25/+42
Since the previous OpenSSL 1.1.0 compatibility patch, addition of the SSL_get_session and SSL_SESSION_get_master_key required them to be available at load time. Since applications are not necessarily linked with -lssl, this can fail. Avoid this dependency by looking up the symbols at runtime. Tested with OpenSSL 1.0.2.k (using python+requests) and OpenSSL_1_1_0-pre6-1439-g0e2c7b3ee (openssl s_client).
2017-01-29notes.txt: add GnuTLS usage for generating pcapsPeter Wu1-0/+12
These steps were used for creating the tests for ("test: add (D)TLS test for AEAD ciphers")
2016-12-22file-zip: remove "._" from field namesPeter Wu1-1/+1
These were not supposed to be exposed in the actual filters, but are used internally because a table value could not act as both a ProtoField and a table of other ProtoFields.
2016-12-22file-zip: further speed up DD searchPeter Wu1-14/+13
The previous implementation took 8.9 seconds with this command: tshark -Xlua_script:file-zip.lua -r TechnicLauncher.jar -Vx -ozip_archive.decompress:FALSE If the signature was not optional, we could optimize and avoid a linear search, using string.find with steps of four bytes on negative match. This would take 5.6 seconds (but does not handle a missing signature). The combined approach that first scans with string.find (assuming a signature) and then falling back to a linear search (assuming no signature) would take 14.4 seconds (terrible in the worst case). So try another approach, doing a byte for byte search (as before), but then delaying the signature check until the length is valid. This improves the running time to 7.5 seconds.
2016-12-22file-zip: speed up data descriptor scanningPeter Wu1-7/+7
Reduce time to process TechnicLauncher.jar from 20 to 9 seconds (ASAN build with tshark -Vx) by reducing TvbRange allocations.
2016-12-22file-zip: allow decompression to be disabledPeter Wu1-2/+4
Allow decompression to be disabled for performance reasons.
2016-12-22file-zip: decode External File AttributesPeter Wu1-2/+14
Found also hints via Anslysis of unix/unix.c was done on Info-ZIP 6.0.
2016-12-21file-zip: decode version field, update referencesPeter Wu1-15/+57
System mappings are taken from the APPNOTE.
2016-12-21file-zip: Deflate decompression supportPeter Wu1-0/+9