3 ways to eat bytes Graham Bloice – Software Developer

Slides:



Advertisements
Similar presentations
Module 3: Block 3 Call Management
Advertisements

1 Copyright © 2002 Pearson Education, Inc.. 2 Chapter 2 Getting Started.
Chapter 7 Constructors and Other Tools. Copyright © 2006 Pearson Addison-Wesley. All rights reserved. 7-2 Learning Objectives Constructors Definitions.
Copyright © 2003 Pearson Education, Inc. Slide 1 Computer Systems Organization & Architecture Chapters 8-12 John D. Carpinelli.
Copyright © 2003 Pearson Education, Inc. Slide 1.
Chapter 1 The Study of Body Function Image PowerPoint
BASIC SKILLS AND TOOLS USING ACCESS
RXQ Customer Enrollment Using a Registration Agent (RA) Process Flow Diagram (Move-In) Customer Supplier Customer authorizes Enrollment ( )
1 Hyades Command Routing Message flow and data translation.
Writing Pseudocode And Making a Flow Chart A Number Guessing Game
18 Copyright © 2005, Oracle. All rights reserved. Distributing Modular Applications: Introduction to Web Services.
3 Copyright © 2005, Oracle. All rights reserved. Basic Java Syntax and Coding Conventions.
7 Copyright © 2005, Oracle. All rights reserved. Creating Classes and Objects.
8 Copyright © 2005, Oracle. All rights reserved. Creating the Web Tier: JavaServer Pages.
6 Copyright © 2005, Oracle. All rights reserved. Building Applications with Oracle JDeveloper 10g.
Click to edit Master title style Page - 1 OneSky Teams Step-by-Step Online Corporate Communication Support 2006.
State of New Jersey Department of Health and Senior Services Patient Safety Reporting System Module 2 – New Event Entry.
Exit a Customer Chapter 8. Exit a Customer 8-2 Objectives Perform exit summary process consisting of the following steps: Review service records Close.
Custom Services and Training Provider Details Chapter 4.
Chapter 6 File Systems 6.1 Files 6.2 Directories
Mike Scott University of Texas at Austin
Course Objectives After completing this course, you should be able to:
REVIEW: Arthropod ID. 1. Name the subphylum. 2. Name the subphylum. 3. Name the order.
1 Chapter 10 - Structures, Unions, Bit Manipulations, and Enumerations Outline 10.1Introduction 10.2Structure Definitions 10.3Initializing Structures 10.4Accessing.
Intel VTune Yukai Hong Department of Mathematics National Taiwan University July 24, 2008.
Chapter 1: Introduction to Scaling Networks
ETS4 - What's new? - How to start? - Any questions?
Chapter 17 Linked Lists.
Data Structures Using C++
User Friendly Price Book Maintenance A Family of Enhancements For iSeries 400 DMAS from Copyright I/O International, 2006, 2007, 2008, 2010 Skip Intro.
Project 5: Virtual Memory
Microsoft Access.
Vanderbilt Business Objects Users Group 1 Reporting Techniques & Formatting Beginning & Advanced.
EIS Bridge Tool and Staging Tables September 1, 2009 Instructor: Way Poteat Slide: 1.
2000 Prentice Hall, Inc. All rights reserved. 1 Chapter 10 - Structures, Unions, Bit Manipulations, and Enumerations Outline 10.1Introduction 10.2Structure.
© Copyright by Deitel & Associates, Inc. and Pearson Education Inc. All Rights Reserved. 1 Outline 24.1 Test-Driving the Ticket Information Application.
INTRODUCTION Lesson 1 – Microsoft Word Word Basics
1 What is JavaScript? JavaScript was designed to add interactivity to HTML pages JavaScript is a scripting language A scripting language is a lightweight.
Chapter 20 Network Layer: Internet Protocol
Benchmark Series Microsoft Excel 2013 Level 2
CAR Training Module PRODUCT REGISTRATION and MANAGEMENT Module 2 - Register a New Document - Without Alternate Formats (Run as a PowerPoint show)
Chapter 6 File Systems 6.1 Files 6.2 Directories
HORIZONT 1 XINFO ® The IT Information System PL/1 HORIZONT Software for Datacenters Garmischer Str. 8 D München Tel ++49(0)89 /
 Copyright I/O International, 2013 Visit us at: A Feature Within from Item Class User Friendly Maintenance  Copyright.
Basel-ICU-Journal Challenge18/20/ Basel-ICU-Journal Challenge8/20/2014.
4 Oracle Data Integrator First Project – Simple Transformations: One source, one target 3-1.
1..
CONTROL VISION Set-up. Step 1 Step 2 Step 3 Step 5 Step 4.
© 2012 National Heart Foundation of Australia. Slide 2.
DISTRIBUTED OBJECTS AND REMOTE INVOCATION
 2000 Prentice Hall, Inc. All rights reserved. Chapter 14 - Advanced C Topics Outline 14.1Introduction 14.2Redirecting Input/Output on UNIX and DOS Systems.
1 BRState Software Demonstration. 2 After you click on the LDEQ link to download the BRState Software you will get this message.
Chapter 10: The Traditional Approach to Design
Systems Analysis and Design in a Changing World, Fifth Edition
Types of selection structures
Lilian Blot CORE ELEMENTS SELECTION & FUNCTIONS Lecture 3 Autumn 2014 TPOP 1.
©Brooks/Cole, 2001 Chapter 12 Derived Types-- Enumerated, Structure and Union.
Essential Cell Biology
PSSA Preparation.
Chapter 11 Creating Framed Layouts Principles of Web Design, 4 th Edition.
Essential Cell Biology
Energy Generation in Mitochondria and Chlorplasts
Import Tracking and Landed Cost Processing An Enhancement For AS/400 DMAS from  Copyright I/O International, 2001, 2005, 2008, 2012 Skip Intro Version.
South Dakota Library Network MetaLib User Interface South Dakota Library Network 1200 University, Unit 9672 Spearfish, SD © South Dakota.
User Defined Functions Lesson 1 CS1313 Fall User Defined Functions 1 Outline 1.User Defined Functions 1 Outline 2.Standard Library Not Enough #1.
User Friendly Item Relationship Maintenance A Family of Enhancements For iSeries 400 DMAS from  Copyright I/O International, 2006, 2007, 2008, 2010 Skip.
TCP/IP Protocol Suite 1 Chapter 18 Upon completion you will be able to: Remote Login: Telnet Understand how TELNET works Understand the role of NVT in.
Chapter 9: Using Classes and Objects. Understanding Class Concepts Types of classes – Classes that are only application programs with a Main() method.
Extending Wireshark For A New Protocol Varun NotiBala CISC 856 – University of Delaware 2 nd Dec 2008 Acknowledgements Dr. Paul Amer.
Changing Wireshark with Lua. Changing Wireshark with Lua: Writing a Lua Plug-in to Create a Custom Decoder Hadriel Kaplan 128 Technology, Inc.
Presentation transcript:

3 ways to eat bytes Graham Bloice – Software Developer Wireshark Dissectors 3 ways to eat bytes Graham Bloice – Software Developer

Introduction Software Developer with Trihedral UK Limited Use C++ and scripting for SCADA toolkit VTScada™ Use Wireshark with industrial tele-control protocols Wireshark Core Developer First contributed to Wireshark in 1999 Maintain DNP3 dissector Frequent contributor to “Ask Wireshark” Mostly fixing formatting and converting “answers” to comments  Sharkfest 2014

Topics to be Covered Wireshark internals brief overview Dissectors Where dissectors fit in Dissectors Brief overview Paths to implementation Complexity and performance tradeoffs Sharkfest 2014

Wireshark Internals Wireshark provides a framework for loading, dissection and visualization of network traffic Wireshark framework allows individual dissectors access to network data via libwiretap Wireshark framework provides utility functions for dissectors when dissecting data Wireshark framework allows dissectors to write out products of dissection Sharkfest 2014

Dissectors overview Dissectors “register” their interest in data from a lower level protocol dissector, e.g. tcp port 54321 The lower level dissector hands the payload body to the registered dissector Dissectors “pick apart” a protocol into the individual elements of the protocol message Each element of a protocol may have a type, e.g. integer, string, bit field, timestamp Dissectors provide elements that may be used in display filters Sharkfest 2014

Dissector output Set the protocol column Set the info column Create tree entries as required Create subtree entries for protocol components Add values, text to tree entries Call sub-dissectors as required Sharkfest 2014

Dissector Construction Options Text based Built-in, with compilation – ASN.1, IDL External, without compilation – Wireshark Generic Dissector (WSGD)* Scripting language based Built-in, Lua*, Python (not in Windows) External, Python (pyreshark) C based* Traditional format, requires a development environment Sharkfest 2014

Demonstration protocol Made up for this presentation Has a header with a byte indicating the message type, and a short (2 bytes in big-endian format) for the total message length (including the header) Commands are: connect (20) and connect_ack (21) that have a long (4 bytes in little-endian format) id disconnect (60) and disconnect_ack (61) that have a long (4 bytes in little-endian format) id request_data and request_reply that have a byte indicating the data type and for the reply an actual data value; Data type 0 – a little-endian short Data type 1 – a little-endian long Data type 2 – a 15 character string Sharkfest 2014

Text based Dissectors Protocol definition held in text file(s) in human readable form Definitions are interpreted or compiled to produce a dissector Low barrier to entry, although ASN.1 and IDL requires a development environment to compile resulting dissector Interpreted text files are least performant option Least flexible option for access to libwireshark infrastructure Sharkfest 2014

Wireshark Generic Dissector (WSGD) A Wireshark add-on created by Olivier Aveline, info at http://wsgd.free.fr/ Allows dissection of a protocol based on a text description of the protocol elements Available for Windows and Linux as a plug-in module Has some limitations but relatively simple to use and doesn’t require a development environment Sharkfest 2014

WSGD Dissectors Copy the appropriate version of the plugin into your Wireshark installation: Global plugins Personal plugins Copy (or create) the definition files in the required location: As specified by the environment variable “WIRESHARK_GENERIC_DISSECTOR_DIR” Profiles directory User data directory Global plugin directory Wireshark main directory Sharkfest 2014

WSGD Basics – Protocol Definition # Protocol identification PROTONAME SharkFest 14 Protocol (WSGD) PROTOSHORTNAME SF14 PROTOABBREV sf14 # Protocol parent, controls when dissector is called PARENT_SUBFIELD tcp.port PARENT_SUBFIELD_VALUES 54321 # Message header, protocol starts with a header MSG_HEADER_TYPE T_msg_header # Message type identifier, must be part of header MSG_ID_FIELD_NAME Function # Message title field, shown in Info column MSG_TITLE InfoString # Message size field, from field in header MSG_TOTAL_LENGTH Length # Message body type: MSG_MAIN_TYPE T_msg_switch(Function) # Field definitions PROTO_TYPE_DEFINITIONS include sf14.fdesc; Sharkfest 2014

WSGD Basics – Field Definitions I # Message type enumeration enum8 T_Type_message { connect 20 # must be an integer connect_ack - # "-" indicates previous value + 1 request_data 40 request_reply - disconnect 60 disconnect_ack - } # Header definition struct T_msg_header byte_order big_endian; T_Type_message Function; uint16 Length; hide var string InfoString = print ("%s", Function); # Note type conversion byte_order little_endian; Sharkfest 2014

WSGD Basics – Field Definitions II # Messages struct T_msg_connect { T_msg_header Header; uint32 ID; } struct T_msg_connect_ack struct T_msg_disconnect struct T_msg_disconnect_ack Sharkfest 2014

WSGD Basics – Field Definitions III # Data value enumeration enum8 T_Type_dataid { read_short 0 read_long 1 read_string 2 } struct T_msg_request_data T_msg_header Header; T_Type_dataid Data_ID; struct T_msg_request_reply switch(Data_ID) case T_Type_dataid::read_short : uint16 Data_Short; case T_Type_dataid::read_long : uint32 Data_Long; case T_Type_dataid::read_string : string(15) Data_String; struct T_msg_unknown raw(*) end_of_msg; Sharkfest 2014

WSGD Basics – Field Definitions IV # Main switch switch T_msg_switch T_Type_message { case T_Type_message::connect : T_msg_connect ""; case T_Type_message::connect_ack : T_msg_connect_ack ""; case T_Type_message::request_data : T_msg_request_data ""; case T_Type_message::request_reply : T_msg_request_reply ""; case T_Type_message::disconnect : T_msg_disconnect ""; case T_Type_message::disconnect_ack : T_msg_disconnect_ack ""; default : T_msg_unknown ""; } Sharkfest 2014

Scripting language based dissectors Protocol definition held in text file(s) using the script language syntax Definitions are interpreted by the scripting language run-time Scripting run-time exposes access to libwireshark infrastructure Not all libwireshark infrastructure exposed No development environment required Faster than text dissectors, slower than C Sharkfest 2014

Lua dissectors Lua is built-in to Wireshark (on most platforms) The lua support can be used to build dissectors, post- dissectors and taps init.lua in the global configuration directory is run at Wireshark start-up If disable_lua is not set to 0 runs init.lua from the personal configuration directory Loads all lua scripts (*.lua) in the global and personal plugins directory Runs any scripts passed on the command line with –X lua_script:xxx.lua Sharkfest 2014

Lua dissector Basics – Protocol definition -- declare the protocol sf14_proto = Proto("sf14", "SharkFest'14 Protocol (lua)") -- declare the value strings local vs_funcs = { [20] = "connect", [21] = "connect_ack", [40] = "request_data", [41] = "request_reply", [60] = "disconnect", [61] = "disconnect_ack" } local vs_dataid = { [0] = "read short", [1] = "read long", [2] = "read string" Sharkfest 2014

Lua dissector Basics – Field definition -- declare the fields local f_func = ProtoField.uint8("sf14.func", "Function", base.DEC, vs_funcs) local f_len = ProtoField.uint16("sf14.len", "Length", base.DEC) local f_id = ProtoField.uint32("sf14.id", "ID", base.DEC) local f_dataid = ProtoField.uint8("sf14.data.id", "Data ID", base.DEC, vs_dataid) local f_data_short = ProtoField.int16("sf14.data.short", "Data Short", base.DEC) local f_data_long = ProtoField.int32("sf14.data.long", "Data Long", base.DEC) local f_data_string = ProtoField.string("sf14.data.string", "Data String") sf14_proto.fields = { f_func, f_len, f_id, f_dataid, f_data_short, f_data_long, f_data_string } Sharkfest 2014

Lua dissector Basics – Dissector function I function sf14_proto.dissector(buffer, pinfo, tree) -- Set the protocol column pinfo.cols['protocol'] = "SF14" -- create the SF14 protocol tree item local t_sf14 = tree:add(sf14_proto, buffer()) local offset = 0 -- Add the header tree item and populate it local t_hdr = t_sf14:add(buffer(offset, 3), "Header") local func_code = buffer(offset, 1):uint() t_hdr:add(f_func, func_code) t_hdr:add(f_len, buffer(offset + 1, 2)) offset = offset + 3 -- Set the info column to the name of the function pinfo.cols['info'] = vs_funcs[func_code] -- dissect common part for connect and disconnect functions if func_code == 20 or func_code == 21 or func_code == 60 or func_code == 61 then -- A connect or connect ack or disconnect or disconnect_ack t_sf14:add_le(f_id, buffer(offset, 4)) end Sharkfest 2014

Lua dissector Basics – Dissector function II -- A request_data or request_reply message if func_code == 40 or func_code == 41 then -- dissect common part of request functions t_sf14:add(f_dataid, buffer(offset, 1)) -- dissect request_reply data body if func_code == 41 then -- A request_reply local dataid = buffer(offset, 1):uint() offset = offset + 1 if dataid == 0 then -- a read short data item t_sf14:add_le(f_data_short, buffer(offset, 2)) end if dataid == 1 then -- a read long data item t_sf14:add_le(f_data_long, buffer(offset, 4)) if dataid == 2 then -- a read string data item t_sf14:add(f_data_string, buffer(offset, 15)) end end end Sharkfest 2014

Lua dissector Basics – Dissector registration -- load the tcp port table tcp_table = DissectorTable.get("tcp.port") -- register the protocol to port 54321 tcp_table:add(54321, sf14_proto) Sharkfest 2014

C based dissectors Protocol definition, implied in dissector source Dissector source file compiled into libwireshark or as a plugin All libwireshark infrastructure available Full development environment required High knowledge barrier to initial implementation Use existing dissectors as a guide Developers Guide is essential reading, also README.developer Sharkfest 2014

C dissector installation Place source file in epan\dissectors Add entry for source to Makefile.common, epan\CMakeLists.txt Quick test compile in the dissectors directory, e.g. nmake –f Makefile.nmake packet-sf14.obj Rebuild Wireshark in the normal way Sharkfest 2014

C dissector – preliminary declarations #include "config.h" #include <glib.h> #include <epan/packet.h> #define SF14_PORT 54321 #define FUNC_CONNECT 20 #define FUNC_CONN_ACK 21 #define FUNC_REQ_DATA 40 #define FUNC_REQ_REPLY 41 #define FUNC_DISCONNECT 60 #define FUNC_DISC_ACK 61 /* A sample #define of the minimum length (in bytes) of the protocol data. * If data is received with fewer than this many bytes it is rejected by * the current dissector. */ #define SF14_MIN_LENGTH 4 static const value_string sf14_func_vals[] = { { FUNC_CONNECT, "connect" }, { FUNC_CONN_ACK, "connect_ack" }, { FUNC_REQ_DATA, "request_data" }, { FUNC_REQ_REPLY, "request_reply" }, { FUNC_DISCONNECT, "disconnect" }, { FUNC_DISC_ACK, "disconnect_ack" }, { 0, NULL } }; #define READ_SHORT 0 #define READ_LONG 1 #define READ_STRING 2 static const value_string sf14_data_type_vals[] = { { READ_SHORT, "read short" }, { READ_LONG, "read long" }, { READ_STRING, "read string" }, /* Initialize the protocol and registered fields */ static int proto_SF14 = -1; static int hf_SF14_Func_Code = -1; static int hf_SF14_Length = -1; static int hf_SF14_ID = -1; static int hf_SF14_Data_ID = -1; static int hf_SF14_Data_Short = -1; static int hf_SF14_Data_Long = -1; static int hf_SF14_Data_String = -1; /* Initialize the subtree pointers */ static gint ett_SF14 = -1; static gint ett_SF14_hdr = -1; Sharkfest 2014

C dissector – dissection function I /* Code to actually dissect the packets */ static int dissect_SF14(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, void *data _U_) { /* Set up structures needed to add the protocol subtree and manage it */ proto_item *ti, *hdr_ti; proto_tree *SF14_tree, *SF14_hdr_tree; /* Other misc. local variables. */ guint offset = 0; guint8 func_code; guint8 data_id; /* Check that there's enough data */ if (tvb_length(tvb) < SF14_MIN_LENGTH) return 0; /* Fetch some values from the packet header using tvb_get_*(). If these * values are not valid/possible in your protocol then return 0 to give * some other dissector a chance to dissect it. */ func_code = tvb_get_guint8(tvb, offset); if (try_val_to_str(func_code, sf14_func_vals) == NULL) /*** COLUMN DATA ***/ /* Set the Protocol column to the constant string of sf14 */ col_set_str(pinfo->cinfo, COL_PROTOCOL, "SF14"); col_clear(pinfo->cinfo, COL_INFO); col_add_str(pinfo->cinfo, COL_INFO, val_to_str(func_code, sf14_func_vals, "Unknown function (%d)")); Sharkfest 2014

C dissector – dissection function II /*** PROTOCOL TREE ***/ /* create display subtree for the protocol */ ti = proto_tree_add_item(tree, proto_SF14, tvb, 0, -1, ENC_NA); SF14_tree = proto_item_add_subtree(ti, ett_SF14); /* create subtree for the header */ hdr_ti = proto_tree_add_text(SF14_tree, tvb, 0, 3, "Header"); SF14_hdr_tree = proto_item_add_subtree(hdr_ti, ett_SF14_hdr); /* Add an item to the subtree, see section 1.6 of README.developer for more * information. */ proto_tree_add_item(SF14_hdr_tree, hf_SF14_Func_Code, tvb, offset, 1, ENC_LITTLE_ENDIAN); offset += 1; /* Continue adding tree items to process the packet here... */ proto_tree_add_item(SF14_hdr_tree, hf_SF14_Length, tvb, offset, 2, ENC_BIG_ENDIAN); offset += 2; /* Now add items depending on the specific function code */ switch (func_code) { case FUNC_CONNECT: case FUNC_CONN_ACK: case FUNC_DISCONNECT: case FUNC_DISC_ACK: proto_tree_add_item(SF14_tree, hf_SF14_ID, tvb, offset, 4, ENC_LITTLE_ENDIAN); offset += 1; break; Sharkfest 2014

C dissector – dissection function III case FUNC_REQ_DATA: case FUNC_REQ_REPLY: /* Dissect the common portion of the two functions */ data_id = tvb_get_guint8(tvb, offset); proto_tree_add_item(SF14_tree, hf_SF14_Data_ID, tvb, offset, 1, ENC_LITTLE_ENDIAN); offset += 1; if (func_code == FUNC_REQ_REPLY) { switch (data_id) { case READ_SHORT: proto_tree_add_item(SF14_tree, hf_SF14_Data_Short, tvb, offset, 2, ENC_LITTLE_ENDIAN); offset += 2; break; case READ_LONG: proto_tree_add_item(SF14_tree, hf_SF14_Data_Long, tvb, offset, 4, ENC_LITTLE_ENDIAN); offset += 4; case READ_STRING: proto_tree_add_item(SF14_tree, hf_SF14_Data_String, tvb, offset, 15, ENC_LITTLE_ENDIAN); offset += 15; default: } } break; default: } /* Return the amount of data this dissector was able to dissect (which may * or may not be the entire packet as we return here). */ return offset; } Sharkfest 2014

C dissector – protocol registration I void proto_register_SF14(void) { /* Setup list of header fields See Section 1.6.1 of README.developer for * details. */ static hf_register_info hf[] = { { &hf_SF14_Func_Code, { "Function", "sf14.func", FT_UINT8, BASE_DEC, VALS(sf14_func_vals), 0x0, "Message Function Code Identifier", HFILL } }, { &hf_SF14_Length, { "Length", "sf14.len", FT_UINT16, BASE_DEC, NULL, 0x0, "Message Length", HFILL } { &hf_SF14_ID, { "ID", "sf14.id", FT_UINT32, BASE_DEC, NULL, 0x0, "Connection ID", HFILL } { &hf_SF14_Data_ID, { "Data_ID", "sf14.data.id", FT_UINT8, BASE_DEC, VALS(sf14_data_type_vals), 0x0, "Data Type Identifier", HFILL } { &hf_SF14_Data_Short, { "data_short", "sf14.data.short", "Data Short", HFILL } { &hf_SF14_Data_Long, { "data_long", "sf14.data.long", "Data Long", HFILL } { &hf_SF14_Data_String, { "data_string", "sf14.data.string", FT_STRING, BASE_NONE, NULL, 0x0, "Data String", HFILL } }; Sharkfest 2014

C dissector – protocol registration II /* Setup protocol subtree array */ static gint *ett[] = { &ett_SF14, &ett_SF14_hdr }; /* Register the protocol name and description */ proto_SF14 = proto_register_protocol("SharkFest'14 Protocol (C)", “SF14", "sf14"); /* Required function calls to register the header fields and subtrees */ proto_register_field_array(proto_SF14, hf, array_length(hf)); proto_register_subtree_array(ett, array_length(ett)); } /* Simpler form of proto_reg_handoff_SF14 which can be used if there are * no prefs-dependent registration function calls. */ void proto_reg_handoff_SF14(void) { dissector_handle_t SF14_handle; /* Use new_create_dissector_handle() to indicate that dissect_SF14() * returns the number of bytes it dissected (or 0 if it thinks the packet * does not belong to SF14). */ SF14_handle = new_create_dissector_handle(dissect_SF14, proto_SF14); dissector_add_uint("tcp.port", SF14_PORT, SF14_handle); Sharkfest 2014

Comparison of dissectors For this simple “protocol”, Wireshark displays are almost identical WSGD and Lua dissectors are quick and easy to develop; edit file and restart Wireshark WSGD facilities are most limited option, Lua more advanced C dissectors easy to distribute, build an installer package, easy to contribute back to Wireshark WSGD 124 lines, Lua 89 lines, C 270 lines Sharkfest 2014

Comparison of dissectors performance No visible difference for a small capture file, 11 packets Medium capture file (~ 1M packets) results: WSGD: 2:16 Lua: 0:39 C: 0:20 Sharkfest 2014

Questions? Other dissector options? Future directions? Sharkfest 2014

Feedback: Privacy Policy Feedback
Do Not Sell My Personal Information
About project: SlidePlayer Terms of Service

© 2024 SlidePlayer.com Inc. All rights reserved.