Re: [Wireshark-dev] Expert item for TCP RST flag

2014-01-09 Thread Michael Tuexen
On Jan 9, 2014, at 4:22 PM, Jeff Morriss  wrote:

> On 01/09/2014 07:40 AM, Joerg Mayer wrote:
>> On Tue, Jan 07, 2014 at 05:09:11PM -0800, Gerald Combs wrote:
>>> On 1/7/14 4:19 PM, Joerg Mayer wrote:
>>>> Right now TCP packets with RST are marked as severity chat. Is there a
>>>> reason
>>>> why this isn't warn?
>>> 
>>> Some applications use RSTs as a way to quickly close connections.
>>> Internet Explorer is probably the most common example.
>> 
>> Just curious: How does an application do that (rst instead of proper
>> fin-sequence)? Kill the process that opened the tcp socket?
> 
> By calling close() instead of shutdown() on the socket fd.
... you need to enable the linger option with a timeout of 0.
Calling close() will trigger the RST. If you call close on a
socket with an empty receiver buffer, you trigger the FIN stuff.

Best regards
Michael
> 
> ___
> Sent via:Wireshark-dev mailing list 
> Archives:http://www.wireshark.org/lists/wireshark-dev
> Unsubscribe: https://wireshark.org/mailman/options/wireshark-dev
>mailto:wireshark-dev-requ...@wireshark.org?subject=unsubscribe
> 

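Michael's point above (a zero-timeout linger or unread inbound data turns close() into an abortive RST close, while a plain close() of a drained socket sends FIN) can be observed directly. The following is an added example and not code from the thread: it opens a loopback TCP pair with standard POSIX socket calls, closes one side the requested way, and reports what the other side's blocking read() sees. The behaviour described is the Linux TCP stack's; the helper names make_tcp_pair and close_behaviour are my own.

```c
/* Added example (not from the Wireshark-dev thread): which close() paths make
 * the Linux TCP stack emit RST instead of FIN, as seen by the peer.
 * Assumes a working 127.0.0.1 loopback and Linux close() semantics. */
#include <arpa/inet.h>
#include <errno.h>
#include <netinet/in.h>
#include <poll.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <unistd.h>

enum close_mode {
    CLOSE_ORDERLY = 0,     /* plain close(), empty receive queue: FIN */
    CLOSE_LINGER_ZERO = 1, /* SO_LINGER {on, 0 s}: abortive close, RST */
    CLOSE_UNREAD_DATA = 2  /* close() while inbound data is unread: RST */
};

/* Build a connected TCP pair over 127.0.0.1 on a kernel-chosen port.
 * Returns 0 on success, -1 on any socket error. */
static int make_tcp_pair(int *closer, int *peer)
{
    struct sockaddr_in addr;
    socklen_t len = sizeof addr;
    int lfd = socket(AF_INET, SOCK_STREAM, 0);
    if (lfd < 0) return -1;
    memset(&addr, 0, sizeof addr);
    addr.sin_family = AF_INET;
    addr.sin_addr.s_addr = htonl(INADDR_LOOPBACK);
    addr.sin_port = 0;                       /* let the kernel pick a port */
    if (bind(lfd, (struct sockaddr *)&addr, sizeof addr) < 0 ||
        listen(lfd, 1) < 0 ||
        getsockname(lfd, (struct sockaddr *)&addr, &len) < 0) {
        close(lfd);
        return -1;
    }
    int cfd = socket(AF_INET, SOCK_STREAM, 0);
    if (cfd < 0) { close(lfd); return -1; }
    if (connect(cfd, (struct sockaddr *)&addr, sizeof addr) < 0) {
        close(cfd); close(lfd); return -1;
    }
    int afd = accept(lfd, NULL, NULL);
    close(lfd);
    if (afd < 0) { close(cfd); return -1; }
    *closer = cfd;
    *peer = afd;
    return 0;
}

/* Close one end of a loopback connection in the requested way and report
 * what the other end's blocking read() observes: 0 for an orderly EOF
 * (a FIN arrived), or the errno read() failed with (ECONNRESET when an RST
 * arrived). Returns -1 if the setup itself failed. */
int close_behaviour(enum close_mode mode)
{
    int closer, peer;
    if (make_tcp_pair(&closer, &peer) < 0) return -1;

    if (mode == CLOSE_LINGER_ZERO) {
        /* Linger enabled with a zero timeout: close() discards queued data
         * and resets the connection instead of shutting it down. */
        struct linger lg = { .l_onoff = 1, .l_linger = 0 };
        if (setsockopt(closer, SOL_SOCKET, SO_LINGER, &lg, sizeof lg) < 0) {
            close(closer); close(peer); return -1;
        }
    } else if (mode == CLOSE_UNREAD_DATA) {
        /* Send one byte the closing side never reads, and wait until it is
         * actually queued there so close() sees unread data. */
        struct pollfd pfd = { .fd = closer, .events = POLLIN, .revents = 0 };
        if (write(peer, "x", 1) != 1 || poll(&pfd, 1, 1000) != 1) {
            close(closer); close(peer); return -1;
        }
    }

    close(closer);

    char buf[16];
    ssize_t n = read(peer, buf, sizeof buf);
    int result = (n == 0) ? 0 : (n < 0 ? errno : -1);
    close(peer);
    return result;
}

int main(void)
{
    const char *names[] = { "orderly close", "SO_LINGER 0", "unread data" };
    for (int m = 0; m < 3; m++) {
        int r = close_behaviour((enum close_mode)m);
        printf("%-14s -> peer read(): %s\n", names[m],
               r == 0 ? "EOF (FIN)" : r < 0 ? "setup failed" : strerror(r));
    }
    return 0;
}
```

From the analyst's side this is why an expert item on RST alone is noisy: the same segment is produced by an application that deliberately aborts its connections and by a real failure (data arriving at a socket that has already been closed). Correlating the RST with whether unread data or a lingering send queue was pending on the closing host separates the two.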


Re: [Wireshark-dev] Decrypting SSL in dissector

2014-01-09 Thread Dirk Jagdmann
do you have a new_register_dissector("amp", ...) in the proto_register_amp()
function? Otherwise the SSL dissector can not match the "amp" string to a
dissector handle/function.

-- 
---> Dirk Jagdmann
> http://cubic.org/~doj
-> http://llg.cubic.org


Re: [Wireshark-dev] Decrypting SSL in dissector

2014-01-09 Thread Rob Napier
That was exactly it. Thank you!

I'm now seeing a much less critical issue:

The amp protocol starts off unencrypted, and then switches to SSL after
some negotiation. When I first start wireshark (without providing a
decryption key), I see the two AMP negotiation packets, and then SSLv3
packets. When I add the decryption key, the initial two handshake packets
get re-decoded as "SSL Continuation Data" and I lose the unencrypted
handshake information. The encrypted traffic then dissects correctly.

Is this expected? Is it possible to view both the encrypted and unencrypted
portions of the protocol on the same port?

-Rob


On Thu, Jan 9, 2014 at 11:38 AM, Dirk Jagdmann  wrote:

> do you have a new_register_dissector("amp", ...) in the
> proto_register_amp()
> function? Otherwise the SSL dissector can not match the "amp" string to a
> dissector handle/function.
>
>

[Wireshark-dev] ui/qt/about_dialog.cpp

2014-01-09 Thread Gisle Vanem

Why is main.cpp included in ui/qt/about_dialog.cpp like this:
 ...
 #include "wireshark_application.h"
 #include "main.cpp"
 #include 

And then main.cpp is also present in qtshark.pro. This gives multiple
defined symbols while linking. What's the idea behind this?

--gv




Re: [Wireshark-dev] Expert item for TCP RST flag

2014-01-09 Thread Jeff Morriss

On 01/09/2014 07:40 AM, Joerg Mayer wrote:

On Tue, Jan 07, 2014 at 05:09:11PM -0800, Gerald Combs wrote:

On 1/7/14 4:19 PM, Joerg Mayer wrote:

Right now TCP packets with RST are marked as severity chat. Is there a reason
why this isn't warn?


Some applications use RSTs as a way to quickly close connections.
Internet Explorer is probably the most common example.


Just curious: How does an application do that (rst instead of proper
fin-sequence)? Kill the process that opened the tcp socket?


By calling close() instead of shutdown() on the socket fd.



[Wireshark-dev] Regarding Wireshark Related Projects

2014-01-09 Thread evil prince
Hi,

I had worked with proxy servers and have an intermediate level of
networking. I want to contribute to the Wireshark projects. What should I do?

Shubham Meena.

Re: [Wireshark-dev] Expert item for TCP RST flag

2014-01-09 Thread Ed Beroset
Joerg Mayer wrote:

>The reason for my question is that someone had network trouble and looked
>at the error/warning items. Had RST been at that level, he would have found
>the problem lots of work hours earlier - the RSTs were indications of a
>real problem.
>
>So the question is: Do we allow lazy application writers to "hide" indications
>of real problems in the network?

For what it's worth, I emphatically agree that RST abuse is a problem (see 
RFC-3360 for still more corroboration http://tools.ietf.org/search/rfc3360).  
By flagging these as warning indications rather than chat, misbehaving 
applications will be more apparent, but at the potential risk of flooding the 
poor network engineer with irrelevant data.  However, I think that it's 
probably data that can easily be filtered out.  For that reason, I'd strongly 
endorse changing them to "warning" level.

Ed


Re: [Wireshark-dev] Decrypting SSL in dissector

2014-01-09 Thread Rob Napier
A little more followup on this one because I'm seeing some even odder
behaviors in wireshark than in tshark.

I load my plugin for my new protocol "amp" that relies on SSL (as described
below). I then go to the SSL preferences to add a decrypt key:

IP address: 
Port: 52230
Protocol: amp
Key File: 
Password: 

This returns the following error:

error in column 'Protocol': Could not find dissector for: 'amp'
Valid dissectors are:
'http' TCP 443
'smtp' TCP 465
'ldap' TCP 636
'imap' TCP 993
'pop' TCP 995
'q931.tpkt' TCP 1300
'skinny' TCP 2443
'sip.tcp' TCP 5061
'amp' TCP 52230


Note that 'amp' is in the list of known protocols, but it still says it
can't find the dissector. If I enter "http" as the protocol, it goes
forward fine. I notice that XMPP is not among the listed protocols, but if
I enter that as the protocol, it also goes forward fine.

Is there a registration call I'm missing?

-Rob


On Tue, Jan 7, 2014 at 3:23 PM, Rob Napier  wrote:

> Kurt Knochner helpfully pointed me here versus my original
> ask.wireshark.org 
> question
> .
>
> I'm writing a new dissector for a protocol that can include SSL traffic.
> It is somewhat similar to LDAP in that it can start a session unencrypted
> and switch to SSL on the same port when a certain message is received, so
> I've based my code on packet-ldap. I've also referred to packet-pop,
> packet-http, and packet-xmpp, which all have various forms of this code.
>
> At the appropriate points, my code is successfully getting to:
>
> call_dissector(ssl_handle, tvb, pinfo, tree);
>
> But in the output of tshark, I don't see any decrypted data:
>
> tshark -o "ssl.desegment_ssl_records: TRUE" -o 
> "ssl.desegment_ssl_application_data: TRUE" -o "ssl.keys_list: 
> 172.16.244.160,52230,amp,cacert.key" -r ../tests/AMP-connect-SSL-trimmed.pcap 
> -x
>
> All this prints is the encrypted data.
>
> If I switch the protocol to ldap, http or xmpp, then I get SSL decryption:
>
> tshark -o "ssl.desegment_ssl_records: TRUE" -o 
> "ssl.desegment_ssl_application_data: TRUE" -o "ssl.keys_list: 
> 172.16.244.160,52230,ldap,cacert.key" -r 
> ../tests/AMP-connect-SSL-trimmed.pcap -x
>
> Frame (140 bytes):
>   00 0c 29 22 80 34 00 50 56 c0 00 08 08 00 45 00   ..)".4.PV.E.
> 0010  00 7e 31 1a 40 00 40 06 c8 9c ac 10 f4 01 ac 10   .~1.@.@.
> 0020  f4 a0 f0 e6 cc 06 5d df 0c 2f b2 cc ff fa 80 18   ..]../..
> 0030  20 00 39 1d 00 00 01 01 08 0a 34 15 f0 11 09 a1.9...4.
> 0040  28 8f 17 03 00 00 20 ad d1 99 13 3a 22 ec 45 b9   (. :".E.
> 0050  b1 ec 0e 1f 52 e7 84 d8 b9 27 9a 72 60 66 17 f2   R'.r`f..
> 0060  95 2a 82 8e 5a 3b 39 17 03 00 00 20 3c fc 1e d2   .*..Z;9 <...
> 0070  b2 de 70 01 9b a7 00 b1 e9 3f 06 87 1d 5a 51 67   ..p..?...ZQg
> 0080  51 9d 2e 59 0b b1 35 a0 a2 de 37 a6   Q..Y..5...7.
> Decrypted SSL data (9 bytes):
>   00 00 00 01 01 00 00 00 02.
>
> My code is almost identical to the ldap code. I've tried basing my code on
> the http, pop, xmpp code (which are all a little different), to no effect.
> I also tried going back to the dissector_t interface rather than
> new_dissector_t, but that didn't change anything.
>
> if (amp_info &&
>     amp_info->start_tls_frame &&
>     (pinfo->fd->num >= amp_info->start_tls_frame))
> {
>     guint32 old_start_tls_frame;
>     int dissected_length;
>
>     dissector_delete_uint("tcp.port", AMP_PORT, amp_handle);
>     ssl_dissector_add(AMP_PORT, "amp", TRUE);
>
>     old_start_tls_frame = amp_info->start_tls_frame;
>     amp_info->start_tls_frame = 0; /* make sure we don't call SSL again */
>     pinfo->can_desegment++; /* ignore this layer so SSL can use the TCP
>                                resegment */
>
>     dissected_length = call_dissector(ssl_handle, tvb, pinfo, tree);
>
>     amp_info->start_tls_frame = old_start_tls_frame;
>     ssl_dissector_delete(AMP_PORT, "amp", TRUE);
>
>     /* restore AMP as the dissector for this port */
>     dissector_add_uint("tcp.port", AMP_PORT, amp_handle);
>
>     /* we are done */
>     return dissected_length;
> }
>
> I'm not certain where next to troubleshoot. Is there something else
> dissectors need to do in order to use SSL? I'm not getting warnings or
> errors.
> -Rob
>

Re: [Wireshark-dev] Expert item for TCP RST flag

2014-01-09 Thread Joerg Mayer
On Tue, Jan 07, 2014 at 05:09:11PM -0800, Gerald Combs wrote:
> On 1/7/14 4:19 PM, Joerg Mayer wrote:
> > Right now TCP packets with RST are marked as severity chat. Is there a 
> > reason
> > why this isn't warn?
> 
> Some applications use RSTs as a way to quickly close connections.
> Internet Explorer is probably the most common example.

Just curious: How does an application do that (rst instead of proper
fin-sequence)? Kill the process that opened the tcp socket?

Ciao
   Jörg
-- 
Joerg Mayer   
We are stuck with technology when what we really want is just stuff that
works. Some say that should read Microsoft instead of technology.

Re: [Wireshark-dev] Expert item for TCP RST flag

2014-01-09 Thread Joerg Mayer
On Tue, Jan 07, 2014 at 05:09:11PM -0800, Gerald Combs wrote:
> On 1/7/14 4:19 PM, Joerg Mayer wrote:
> > Right now TCP packets with RST are marked as severity chat. Is there a 
> > reason
> > why this isn't warn?
> 
> Some applications use RSTs as a way to quickly close connections.
> Internet Explorer is probably the most common example.

The reason for my question is that someone had network trouble and looked
at the error/warning items. Had RST been at that level, he would have found
the problem lots of work hours earlier - the RSTs were indications of a
real problem.

So the question is: Do we allow lazy application writers to "hide" indications
of real problems in the network?

Ciao
 Jörg
-- 
Joerg Mayer   
We are stuck with technology when what we really want is just stuff that
works. Some say that should read Microsoft instead of technology.

Re: [Wireshark-dev] Expert item for TCP RST flag

2014-01-09 Thread Edwin Groothuis
On 8/01/14 12:09 , Gerald Combs wrote:
> On 1/7/14 4:19 PM, Joerg Mayer wrote:
>> Right now TCP packets with RST are marked as severity chat. Is there a reason
>> why this isn't warn?
> 
> Some applications use RSTs as a way to quickly close connections.
> Internet Explorer is probably the most common example.

A host will also send a RST when it gets more data after it has sent a
FIN. (But this might be the specific TCP stack I have seen this
behaviour on.)

TCP RST is not something I'm worried about.

Edwin
