https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=14506

            Bug ID: 14506
           Summary: PROXY protocol (v2) support (HAproxy) for TCP: skip
                    and maybe implement a full dissector
           Product: Wireshark
           Version: unspecified
          Hardware: All
                OS: All
            Status: UNCONFIRMED
          Severity: Enhancement
          Priority: Low
         Component: Dissection engine (libwireshark)
          Assignee: bugzilla-ad...@wireshark.org
          Reporter: christian.rohm...@inovex.de
  Target Milestone: ---

Build Information:
Wireshark 2.4.4 (Git v2.4.4 packaged as 2.4.4-1~16.04.0)

Copyright 1998-2018 Gerald Combs <ger...@wireshark.org> and contributors.
License GPLv2+: GNU GPL version 2 or later
<http://www.gnu.org/licenses/old-licenses/gpl-2.0.html>
This is free software; see the source for copying conditions. There is NO
warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.

Compiled (64-bit) with Qt 5.5.1, with libpcap, with POSIX capabilities (Linux),
with libnl 3, with GLib 2.48.2, with zlib 1.2.8, with SMI 0.4.8, with c-ares
1.10.0, with Lua 5.2.4, with GnuTLS 3.4.10, with Gcrypt 1.6.5, with MIT
Kerberos, with GeoIP, with nghttp2 1.7.1, with LZ4, with Snappy, with libxml2
2.9.3, with QtMultimedia, without AirPcap, with SBC, with SpanDSP.

Running on Linux 4.13.0-19-generic, with Intel(R) Core(TM) i5-6200U CPU @
2.30GHz (with SSE4.2), with 19947 MB of physical memory, with locale
de_DE.UTF-8, with libpcap version 1.7.4, with GnuTLS 3.4.10, with Gcrypt 1.6.5,
with zlib 1.2.8.

Built using gcc 5.4.0 20160609.
--
More and more servers implement support for the PROXY protocol v2, originally
specified by HAproxy
(https://www.haproxy.org/download/1.8/doc/proxy-protocol.txt), which allows a
TCP load-balancer or some sort of proxy to forward information on the original
connections (i.e. source / destination IP and ports, but also SSL client
certificates and others ...).

The spec document lists quite a few implementations ...

  - HTTP :
    - Apache
    - Nginx
    - lighttpd
    - thttpd
    - mini-httpd
    - haproxy
    - Squid 3
  - SSL :
    - stud
    - stunnel
    - nginx
  - FTP :
    - Pure-ftpd
    - vsftpd
  - SMTP :
    - postfix
    - exim
  - POP :
    - dovecot
  - IMAP :
    - dovecot
  - LDAP :
    - openldap
  - SSH :
    - openssh
  - RDP :
    - Windows XP SP3
  - MQTT:
    - HiveMQ (http://www.hivemq.com/docs/hivemq/latest/#proxy-protocol-chapter)


Wireshark, or rather libwireshark, is quite capable of dissecting all those
application layer protocols. Maybe I looked in the wrong places for a switch,
but apparently, when PROXY protocol data is added, the dissectors receive
"garbage" in the first bytes of a new connection.

The first step in improving this would be to be able to "skip" those bytes
added by the PROXY protocol before feeding the stream into the dissector, to
allow a clean decode of the "real" layer 7 protocol. The graphic
https://www.hivemq.com/docs/hivemq/latest/images/proxy/proxy_protocol_tcp.png
illustrates where those PROXY protocol bytes are added.

A really massive improvement would be if dissection of the PROXY protocol
itself were implemented, also providing those fields. Being able to filter on
"original IP" in a PCAP between load-balancer and app server would help
tremendously.
I myself found a dissector written in Lua, which works and decodes quite a few
fields already. It actually was part of a bug report:
https://bugs.wireshark.org/bugzilla/attachment.cgi?id=14880

Maybe this code helps to get started?
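As an added example (not part of this report, the Lua attachment, or Wireshark's own code), here is a stand-alone C parser for the v2 binary header described in the HAproxy spec: it returns how many bytes a dissector would have to skip before the real layer 7 data starts and extracts the original addresses and ports. The sample bytes are constructed for the demonstration.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* 12-byte signature that opens every PROXY protocol v2 header. */
static const uint8_t PP2_SIG[12] =
    {0x0D,0x0A,0x0D,0x0A,0x00,0x0D,0x0A,0x51,0x55,0x49,0x54,0x0A};

typedef struct {
    uint8_t  command;    /* low nibble of byte 12: 0 = LOCAL, 1 = PROXY */
    uint8_t  family;     /* high nibble of byte 13: 1 = INET, 2 = INET6, 3 = UNIX */
    uint8_t  transport;  /* low nibble of byte 13: 1 = STREAM, 2 = DGRAM */
    uint8_t  src_addr[16], dst_addr[16];
    uint16_t src_port, dst_port;
} pp2_header;

/* Returns the size of the PROXY v2 header at the start of buf (the bytes a
 * dissector must skip), 0 if buf does not start with one, -1 if malformed. */
int pp2_parse(const uint8_t *buf, size_t len, pp2_header *h)
{
    if (len < 16 || memcmp(buf, PP2_SIG, 12) != 0) return 0;
    if ((buf[12] & 0xF0) != 0x20) return -1;       /* must be version 2 */
    memset(h, 0, sizeof *h);
    h->command   = buf[12] & 0x0F;
    h->family    = buf[13] >> 4;
    h->transport = buf[13] & 0x0F;
    size_t total = 16 + (((size_t)buf[14] << 8) | buf[15]); /* 16-bit BE length */
    if (total > len) return -1;                   /* truncated: do not dissect */
    size_t alen = total - 16, asz = (h->family == 1) ? 4 : (h->family == 2) ? 16 : 0;
    if (asz) {                                    /* INET/INET6: addresses, then ports */
        if (alen < 2 * asz + 4) return -1;
        memcpy(h->src_addr, buf + 16, asz);
        memcpy(h->dst_addr, buf + 16 + asz, asz);
        const uint8_t *p = buf + 16 + 2 * asz;
        h->src_port = (uint16_t)((p[0] << 8) | p[1]);
        h->dst_port = (uint16_t)((p[2] << 8) | p[3]);
    }                                             /* UNSPEC/UNIX: addresses not decoded here */
    return (int)total;
}

/* Constructed sample: PROXY, TCP over IPv4, 10.0.0.1:54321 -> 192.168.1.2:443,
 * followed by the first bytes of the real HTTP request. */
const uint8_t PP2_SAMPLE[] = {
    0x0D,0x0A,0x0D,0x0A,0x00,0x0D,0x0A,0x51,0x55,0x49,0x54,0x0A,
    0x21, 0x11, 0x00, 0x0C,
    10,0,0,1,  192,168,1,2,  0xD4,0x31,  0x01,0xBB,
    'G','E','T',' ','/',' ','H','T','T','P','/','1','.','1','\r','\n' };

int main(void)
{
    pp2_header h;
    int skip = pp2_parse(PP2_SAMPLE, sizeof PP2_SAMPLE, &h);
    printf("skip %d bytes; src %u.%u.%u.%u:%u dst port %u; payload: %.*s", skip,
           h.src_addr[0], h.src_addr[1], h.src_addr[2], h.src_addr[3], h.src_port,
           h.dst_port, (int)(sizeof PP2_SAMPLE - skip), PP2_SAMPLE + skip);
    return 0;
}
```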
