wireshark


Building wireshark-2.4.2 on CentOS 7 (64bit)

Recently we were trying to compile WireShark from source on a CentOS 7 (64bit) with GTK3 disabled (./configure --disable-gtk3;).

As seen in the truncated logs below we got some errors.
To resolve them we had to install a few packages using yum.
Specifically, our solution involved the installation of the following:

sudo yum install libgcrypt-devel qt5-qttools-devel libpcap-devel -y;

Truncated logs:

...
checking for libgcrypt-config... no
checking for LIBGCRYPT - version >= 1.4.2... no
configure: error: libgcrypt not found; install libgcrypt-devel package for your system
libgcrypt-devel.i686 libgcrypt-devel.x86_64 
[[email protected] wireshark-2.4.2]$ sudo yum install libgcrypt-devel -y

checking for lrelease-qt5... no
checking for lrelease... no
configure: error: I couldn't find lrelease-qt5 or lrelease; make sure it's installed and in your path
[[email protected] wireshark-2.4.2]$ sudo yum install qt5-qttools-devel

checking whether to use libpcap for packet capture... yes
checking for pcap-config... no
checking for extraneous pcap header directories... not found
checking pcap.h usability... no
checking pcap.h presence... no
checking for pcap.h... no
configure: error: Header file pcap.h not found; if you installed libpcap
from source, did you also do "make install-incl", and if you installed a
binary package of libpcap, is there also a developer's package of libpcap,
and did you also install that package?
[[email protected] wireshark-2.4.2]$ sudo yum install libpcap-devel

[[email protected] wireshark-2.4.2]$ ./configure --disable-gtk3

 

Advertisements

How to process tcpdump live data stream from a remote machine on a local WireShark

Recently we needed to process the results of a tcpdump command using the GUI version of WireShark on machine that did not have a window manager installed. That device was an embedded device, for which it did not make sense to even consider installing a window manager on it. So, in order to process the results of the tcpdump command we decided to use another machine that had a full working window manager installed and was able to operate the GUI version of WireShark.

For our solution to work some requirements were expected to be met by the embedded device (a.k.a. remote machine).

  1. tcpdump was installed on the remote machine
  2. ssh server was installed on the remote machine and allowed us to connect to it remotely
  3. there was a user that had remote ssh rights on the remote machine that also had the rights to execute tcpdump on the needed interfaces

Synopsis of our solution:

Just execute the following on the machine with the GUI (a.k.a. local machine)

mkfifo /tmp/board;
wireshark -k -i /tmp/board &
ssh [email protected] "tcpdump -s 0 -U -n -w - -i lo not port 22" > /tmp/board;

Explanation of our solution:

Following are the steps that we performed on the local machine to pipe the results of tcpdump on the remote machine on the wireshark on the local machine.

  1. First we created a named pipe as follows:
    mkfifo /tmp/board;
    You can name your pipe anyway you like and place it in any folder you wish. We used /tmp as our pipe is a temporary construct that we do not care to preserve across time/restarts.
  2. Then we started wireshark from a terminal so that we could pass as capture interface the named pipe we just created using the -i /tmp/board parameter. The -k parameter instructs wireshark to start the capture session immediately.
    wireshark -k -i /tmp/board &
    Since this operation was going to execute for a long time, we sent it to the background to release the terminal for further use by placing the & symbol at the end of the command.
  3. Finally, we started tcpdump over ssh on a board and redirected its output to our named pipe.
    ssh [email protected] "tcpdump -s 0 -U -n -w - -i lo not port 22" > /tmp/board;
    The parameters we used on tcpdump have the following effects:
    -s 0 instructs tcpdump to set the snapshot length of data from each packet to the default value of 262144 bytes.
    -U Since the -w option is not specified, make the printed packet output packet-buffered. Which means that it will print the description of the contents of each packet without waiting for the output buffer to get full.
    -n Does not convert host addresses to names. This can be used to avoid DNS lookups.
    -w - Write the raw packets to Standard Output rather than parsing them.
    -i lo Defines which interface to listen on. We wanted the loopback interface to listen to everything.
    not port 22 Since we used ssh to start this command, we do not want to listen to the data that we produce as well and flood the inputs.

 


Ubuntu: Headless wireshark (or wireshark from terminal)

Recently, we wanted to use wireshark on an Ubuntu through ssh and no X-Server forwarding enabled.
After a quick search we found tshark.

TShark is a network protocol analyzer. It lets you capture packet data from a live network, or read packets from a previously saved capture file, either printing a decoded form of those packets to the standard output or writing the packets to a file. TShark‘s native capture file format is pcap format, which is also the format used by tcpdump and various other tools.
Without any options set, TShark will work much like tcpdump. It will use the pcap library to capture traffic from the first available network interface and displays a summary line on stdout for each received packet.
TShark is able to detect, read and write the same capture files that are supported by Wireshark.

From: man tshark

Install tshark on Ubuntu

sudo apt-get install tshark -y;

Using tshark to capture all traffic on eth0 to a pcap file

sudo tshark -i eth0 -w something.pcap;

Note: If you just want to capture network traffic on a network interface and not use the additional features wireshark has to offer, you can also use tcpdumpas follows

#The following command will create a files that has in its name the current date and time using the date function.
sudo tcpdump -i eth0 -w "data.`date +%Y-%m-%d\ %H.%M`.pcap";


How to capture all network traffic of a single process

Method A: Using strace

If the process is not started yet, you can start it as a new process and monitor it using the following

strace -f -e trace=network -s 10000 <PROCESS WITH ARGUMENTS>;

If the process is already started and you know its PID you can use the following

strace -f -e trace=network -s 10000 -p <PID>;

strace is a very helpful utility that can be used to trace system calls and signals.

Parameters Legend:

  • -f Instructs strace to trace all child processes as they are created by the currently traced processes as a result of the fork, vfork and clone system calls.
    Note that -p PID -f will attach all threads of process PID if it is multi-threaded, not only thread with id PID.
  • -e trace=%network strace will trace all the network related system calls only if used alone.
  • -s strsize Specifies the maximum string size to print (the default is 32). Note that filenames are not considered strings and are always printed in full.
  • -p PID Attaches strace to the process with the process ID PID and starts tracing. The trace may be terminated at any time by a keyboard interrupt signal (CTRL-C). strace will respond by detaching itself from the traced process(es) leaving it (them) to continue running. Multiple -p options can be used to attach to many processes in addition to command (which is optional if at least one -p option is given). -p "`pidof APPLICATION`" syntax is supported.

In the simplest case strace runs the specified command until it exits. It intercepts and records the system calls which are called by a process and the signals which are received by a process. The name of each system call, its arguments and its return value are printed on standard error or to the file specified with the -o option.
strace is a useful diagnostic, instructional, and debugging tool. System administrators, diagnosticians and trouble-shooters will find it invaluable for solving problems with programs for which the source is not readily available since they do not need to be recompiled in order to trace them. Students, hackers and the overly-curious will find that a great deal can be learned about a system and its system calls by tracing even ordinary programs. And programmers will find that since system calls and signals are events that happen at the user/kernel inter‐ face, a close examination of this boundary is very useful for bug isolation, sanity checking and attempting to capture race conditions.

From: man strace

Method B: Using an isolated network namespace and Wireshark

Please note that this method might not work for all kernels.
It was tested on Fedora 25 (64 bit) with success.

Create the test network namespace

A network namespace is logically another copy of the network stack, with its own routes, firewall rules, and network devices.
With the following command we will create a network namespace called test.

sudo ip netns add test;

ip netns add NAME Creates a new named network namespace.
If NAME is available in /var/run/netns/ this command creates a new network namespace and assigns to it then name NAME.

Create two virtual network interfaces (veth0 and veth1) for our Virtual eXtended LAN (VXLAN)

The following command will create veth0 and veth1 virtual network interfaces.

sudo ip link add veth0 type veth peer name veth1;

ip link add with no link argument specified to a physical device to operate on, it adds a VXLAN virtual link.
Note: veth1 will act as a gateway later on.

Change the active namespace of the veth0 interface

With the following command, we move veth0 to our test network namespace.

sudo ip link set veth0 netns test;

Some devices are not allowed to change network namespace: loopback, bridge, ppp, wireless. These are network namespace local devices. In such case ip tool will return Invalid argument error. It is possible to find out if device is local to a single network namespace by checking netns-local flag in the output of the ethtool:
ethtool -k DEVICE;
To change network namespace for wireless devices the iw tool can be used. But it allows to change network namespace only for physical devices and by process PID.
From man ip-link

Configure the IP addresses of the virtual interfaces

#Set the IP of veth0 to 192.168.10.1 and veth0 to 192.168.10.254
sudo ip netns exec test ifconfig veth0 up 192.168.10.1 netmask 255.255.255.0;
sudo ifconfig veth1 up 192.168.10.254 netmask 255.255.255.0;

Configure the routing in the test namespace

The following command will set the default gateway for veth0 to be the IP 192.168.10.254 which is the address we gave veth1 in the previous step.

sudo ip netns exec test route add default gw 192.168.10.254 dev veth0;

Then we make sure ip_forward is active by issuing the following command

sudo sh -c 'echo 1 > /proc/sys/net/ipv4/ip_forward';

Then, we establish a NAT rule to forward all the traffic of test network namespace to a physical device

sudo iptables -t nat -A POSTROUTING -s 192.168.10.0/24 -o <PHYSICAL DEVICE e.g. eth0> -j SNAT --to-source <PHYSICAL DEVICE IP>;

Actually using the isolated network namespace

Add root to the list of users that is allowed to start an X application

xhost +si:localuser:root;

Start wireshark in your test network namespace

sudo ip netns exec test wireshark &

In wireshark start monitoring the data on the device veth0.

Finally, start the application you wish to monitor its network traffic

sudo ip netns exec test firefox;


Compiling Wireshark 1.8.8 on Fedora 25 (64bit)

Recently we received some dissector plugins for Wireshark version 1.8.x, which is not available to install through the repositories.
So, we had to install it ourselves and we decided to use version 1.8.8 that was the latest version of the 1.8.x series available in the following FedoraProject.org page.
The source code is available at https://www.wireshark.org/download/src/all-versions/ and http://pkgs.fedoraproject.org/repo/pkgs/wireshark/.

Download the patched version here: wireshark-1.8.8.7z (patched) (238 downloads)

Synopsis

While configuring we run into a few problems, that we solved by installing the following packages:

sudo dnf install perl-podlators perl-Pod-Html gtk2-devel gtk3-devel libpcap-devel byacc flex -y;

When compiling we run into an error where an a wireshark enum was conflicting with a system one.
To resolve that issue we modified the file: epan/dissectors/packet-gluster.h and at line 357 we removed the next enum:

/* dir-entry types from libglusterfs/src/compat.h */
enum gluster_entry_types {
    DT_UNKNOWN = 0,
    DT_FIFO = 1,
    DT_CHR = 2,
    DT_DIR = 4,
    DT_BLK = 6,
    DT_REG = 8,
    DT_LNK = 10,
    DT_SOCK = 12,
    DT_WHT = 14
};

It is safe to delete it as it exists in the exact same form and same values in the system header files.
Please note that in version 1.8.15 we found the following enum, which shows that it was decided later on to just change the enum fields.

/* dir-entry types from libglusterfs/src/compat.h */
enum gluster_entry_types {
    GLUSTER_DT_UNKNOWN = 0,
    GLUSTER_DT_FIFO = 1,
    GLUSTER_DT_CHR = 2,
    GLUSTER_DT_DIR = 4,
    GLUSTER_DT_BLK = 6,
    GLUSTER_DT_REG = 8,
    GLUSTER_DT_LNK = 10,
    GLUSTER_DT_SOCK = 12,
    GLUSTER_DT_WHT = 14
};

Later during compilation we got the error that there was an undefined reference to g_memmove, we copied the definition of g_memmove (see below) from  packaging/macosx/native-gtk/glibconfig.h at line 81 and pasted it on the first line of the files ui/gtk/export_object_smb.c and epan/dissectors/packet-ssl-utils.c.

#define g_memmove(dest,src,len) G_STMT_START { memmove ((dest), (src), (len)); } G_STMT_END

Finally during documentation generation we had a problem with two authors that there were Non-ASCII characters in their names so we updated the file AUTHORS and replaced the names Peter Kovář  with Peter Kovar and Роман Донченко with Roman Donchenko which are strings that only contain ASCII characters.

Download the patched version here: wireshark-1.8.8.7z (patched) (238 downloads)

The Problems One by One

checking for pod2man... /usr/bin/pod2man
checking for pod2html... no
configure: error: I couldn't find pod2html; make sure it's installed and in your path

Solution: sudo dnf install perl-podlators perl-Pod-Html;

checking for GTK+ - version >= 2.12.0 and < 3.0... Package gtk+-2.0 was not found in the pkg-config search path.
Perhaps you should add the directory containing `gtk+-2.0.pc'
to the PKG_CONFIG_PATH environment variable
No package 'gtk+-2.0' found
no
*** Could not run GTK+ test program, checking why...
*** The test program failed to compile or link. See the file config.log for the
*** exact error that occured. This usually means GTK+ is incorrectly installed.
configure: error: Neither Qt nor GTK+ 2.12 or later are available, so Wireshark can't be compiled

Solution: sudo dnf install gtk2-devel gtk3-devel;

checking for pcap-config... no
checking for extraneous pcap header directories... not found
checking pcap.h usability... no
checking pcap.h presence... no
checking for pcap.h... no
configure: error: Header file pcap.h not found; if you installed libpcap
from source, did you also do "make install-incl", and if you installed a
binary package of libpcap, is there also a developer's package of libpcap,
and did you also install that package?

Solution: sudo dnf install libpcap-devel;

libtool: compile:  gcc -DHAVE_CONFIG_H -I. -I../.. -I./../.. -I./.. -DINET6 -DG_DISABLE_DEPRECATED -DG_DISABLE_SINGLE_INCLUDES -DGSEAL_ENABLE -DGTK_DISABLE_DEPRECATED -DGTK_DISABLE_SINGLE_INCLUDES -D_FORTIFY_SOURCE=2 "-D_U_=__attribute__((unused))" -I/usr/local/include -DPLUGIN_DIR=\"/usr/local/lib/wireshark/plugins/1.8.8\" -g -O2 -Wall -W -Wextra -Wdeclaration-after-statement -Wendif-labels -Wpointer-arith -Wno-pointer-sign -Warray-bounds -Wcast-align -Wformat-security -Wold-style-definition -Wno-error=unused-but-set-variable -fexcess-precision=fast -pthread -I/usr/include/gtk-2.0 -I/usr/lib64/gtk-2.0/include -I/usr/include/pango-1.0 -I/usr/include/atk-1.0 -I/usr/include/cairo -I/usr/include/pixman-1 -I/usr/include/libdrm -I/usr/include/gdk-pixbuf-2.0 -I/usr/include/libpng16 -I/usr/include/pango-1.0 -I/usr/include/harfbuzz -I/usr/include/pango-1.0 -I/usr/include/glib-2.0 -I/usr/lib64/glib-2.0/include -I/usr/include/freetype2 -I/usr/include/libpng16 -I/usr/include/freetype2 -I/usr/include/libpng16 -MT libdissectors_la-packet-gluster_cli.lo -MD -MP -MF .deps/libdissectors_la-packet-gluster_cli.Tpo -c packet-gluster_cli.c  -fPIC -DPIC -o .libs/libdissectors_la-packet-gluster_cli.o
In file included from /usr/include/glib-2.0/glib/gdir.h:32:0,
                 from /usr/include/glib-2.0/glib.h:45,
                 from packet-gluster_cli.c:40:
packet-gluster.h:359:2: error: redeclaration of enumerator 'DT_UNKNOWN'
  DT_UNKNOWN = 0,
  ^
/usr/include/dirent.h:99:5: note: previous definition of 'DT_UNKNOWN' was here
     DT_UNKNOWN = 0,
     ^~~~~~~~~~
packet-gluster.h:360:2: error: redeclaration of enumerator 'DT_FIFO'
  DT_FIFO = 1,
  ^
/usr/include/dirent.h:101:5: note: previous definition of 'DT_FIFO' was here
     DT_FIFO = 1,
     ^~~~~~~
packet-gluster.h:361:2: error: redeclaration of enumerator 'DT_CHR'
  DT_CHR = 2,
  ^
/usr/include/dirent.h:103:5: note: previous definition of 'DT_CHR' was here
     DT_CHR = 2,
     ^~~~~~
packet-gluster.h:362:2: error: redeclaration of enumerator 'DT_DIR'
  DT_DIR = 4,
  ^
/usr/include/dirent.h:105:5: note: previous definition of 'DT_DIR' was here
     DT_DIR = 4,
     ^~~~~~
packet-gluster.h:363:2: error: redeclaration of enumerator 'DT_BLK'
  DT_BLK = 6,
  ^
/usr/include/dirent.h:107:5: note: previous definition of 'DT_BLK' was here
     DT_BLK = 6,
     ^~~~~~
packet-gluster.h:364:2: error: redeclaration of enumerator 'DT_REG'
  DT_REG = 8,
  ^
/usr/include/dirent.h:109:5: note: previous definition of 'DT_REG' was here
     DT_REG = 8,
     ^~~~~~
packet-gluster.h:365:2: error: redeclaration of enumerator 'DT_LNK'
  DT_LNK = 10,
  ^
/usr/include/dirent.h:111:5: note: previous definition of 'DT_LNK' was here
     DT_LNK = 10,
     ^~~~~~
packet-gluster.h:366:2: error: redeclaration of enumerator 'DT_SOCK'
  DT_SOCK = 12,
  ^
/usr/include/dirent.h:113:5: note: previous definition of 'DT_SOCK' was here
     DT_SOCK = 12,
     ^~~~~~~
packet-gluster.h:367:2: error: redeclaration of enumerator 'DT_WHT'
  DT_WHT = 14
  ^
/usr/include/dirent.h:115:5: note: previous definition of 'DT_WHT' was here
     DT_WHT = 14
     ^~~~~~
Makefile:6516: recipe for target 'libdissectors_la-packet-gluster_cli.lo' failed
make[5]: *** [libdissectors_la-packet-gluster_cli.lo] Error 1

Solution: edit epan/dissectors/packet-gluster.h and at line 357 delete this

/* dir-entry types from libglusterfs/src/compat.h */
enum gluster_entry_types {
    DT_UNKNOWN = 0,
    DT_FIFO = 1,
    DT_CHR = 2,
    DT_DIR = 4,
    DT_BLK = 6,
    DT_REG = 8,
    DT_LNK = 10,
    DT_SOCK = 12,
    DT_WHT = 14
};
libtool: link: gcc -DPYTHON_DIR= -g -O2 -Wall -W -Wextra -Wdeclaration-after-statement -Wendif-labels -Wpointer-arith -Wno-pointer-sign -Warray-bounds -Wcast-align -Wformat-security -Wold-style-definition -Wno-error=unused-but-set-variable -fexcess-precision=fast -pthread -I/usr/include/gtk-2.0 -I/usr/lib64/gtk-2.0/include -I/usr/include/pango-1.0 -I/usr/include/atk-1.0 -I/usr/include/cairo -I/usr/include/pixman-1 -I/usr/include/libdrm -I/usr/include/gdk-pixbuf-2.0 -I/usr/include/libpng16 -I/usr/include/pango-1.0 -I/usr/include/harfbuzz -I/usr/include/pango-1.0 -I/usr/include/glib-2.0 -I/usr/lib64/glib-2.0/include -I/usr/include/freetype2 -I/usr/include/libpng16 -I/usr/include/freetype2 -I/usr/include/libpng16 -Wl,--as-needed -o .libs/wireshark wireshark-capture-pcap-util-unix.o wireshark-capture-pcap-util.o wireshark-cfile.o wireshark-clopts_common.o wireshark-disabled_protos.o wireshark-frame_data_sequence.o wireshark-packet-range.o wireshark-print.o wireshark-ps.o wireshark-sync_pipe_write.o wireshark-timestats.o wireshark-tap-megaco-common.o wireshark-tap-rtp-common.o wireshark-version_info.o wireshark-capture_ifinfo.o wireshark-capture_sync.o wireshark-capture_ui_utils.o wireshark-airpcap_loader.o wireshark-capture.o wireshark-capture_info.o wireshark-capture_opts.o wireshark-color_filters.o wireshark-file.o wireshark-fileset.o wireshark-filters.o wireshark-g711.o wireshark-merge.o wireshark-proto_hier_stats.o wireshark-recent.o wireshark-summary.o wireshark-tempfile.o wireshark-u3.o .libs/wiresharkS.o -pthread -Wl,--export-dynamic -pthread -Wl,--export-dynamic  -L/usr/local/lib ui/gtk/libgtkui.a ui/gtk/libgtkui_dirty.a ui/libui.a codecs/libcodec.a wiretap/.libs/libwiretap.so epan/.libs/libwireshark.so wsutil/.libs/libwsutil.so -lpcap -lkrb5 -lk5crypto -lcom_err -lgtk-x11-2.0 -lgdk-x11-2.0 -lpangocairo-1.0 -latk-1.0 -lcairo -lgdk_pixbuf-2.0 -lgio-2.0 -lpangoft2-1.0 -lpango-1.0 -lgobject-2.0 -lfontconfig -lfreetype -lgthread-2.0 -lgmodule-2.0 -lglib-2.0 -lm -lz -pthread -Wl,-rpath -Wl,/usr/local/lib
ui/gtk/libgtkui.a(libgtkui_a-export_object_smb.o): In function `insert_chunk':
/home/george/Downloads/wireshark-1.8.8/ui/gtk/export_object_smb.c:230: undefined reference to `g_memmove'
collect2: error: ld returned 1 exit status

Solution: Copy the definition of g_memmove (see below) from  packaging/macosx/native-gtk/glibconfig.h at line 81 and paste it on the first line of the files ui/gtk/export_object_smb.c and epan/dissectors/packet-ssl-utils.c.

#define g_memmove(dest,src,len) G_STMT_START { memmove ((dest), (src), (len)); } G_STMT_END
Making all in doc
make[2]: Entering directory '/home/george/Downloads/wireshark-1.8.8/doc'
/usr/bin/perl ./perlnoutf.pl ./make-authors-short.pl < ../AUTHORS > AUTHORS-SHORT
cp AUTHORS-SHORT ..
/usr/bin/perl ./perlnoutf.pl ./make-authors-format.pl < AUTHORS-SHORT > AUTHORS-SHORT-FORMAT
cat ./wireshark.pod.template AUTHORS-SHORT-FORMAT > wireshark.pod
/usr/bin/pod2man                    \
--center="The Wireshark Network Analyzer"    \
--release=1.8.8                \
wireshark.pod  > wireshark.1
Wide character in printf at /usr/share/perl5/vendor_perl/Pod/Simple.pm line 565.
wireshark.pod around line 3527: Non-ASCII character seen before =encoding in 'KovE<aacute>ř'. Assuming UTF-8
POD document had syntax errors at /usr/bin/pod2man line 71.

and

cat ./wireshark.pod.template AUTHORS-SHORT-FORMAT > wireshark.pod
/usr/bin/pod2man                    \
--center="The Wireshark Network Analyzer"    \
--release=1.8.8                \
wireshark.pod  > wireshark.1
Wide character in printf at /usr/share/perl5/vendor_perl/Pod/Simple.pm line 565.
wireshark.pod around line 3618: Non-ASCII character seen before =encoding in 'Роман'. Assuming UTF-8
POD document had syntax errors at /usr/bin/pod2man line 71.

Solution: update the file AUTHORS and replace the names the names Peter Kovář  with Peter Kovar and Роман Донченко with Roman Donchenko which are strings that only contain ASCII characters.

Download the patched version here: wireshark-1.8.8.7z (patched) (238 downloads)