Wireshark-dev: Re: [Wireshark-dev] VB: decoding thru unencrypted VPN tunnel
From: Bill Fassler <bill.fassler@xxxxxxxxx>
Date: Mon, 19 Mar 2007 07:58:59 -0700 (PDT)
Here is a bigger capture that I took a while back.  This is unencrypted (when the cypher key is NULL).  With my luck, once you get it decoded you'll hear me reciting nursery rhymes or endless "test one... two.... test one... two..."....

In any event, I will try to get another capture with the encryption turned on and I will also provide the key.  I am busier than a one armed wall paper hanger so it may take a day or two.

Also, let me add that I am thrilled that it sounds like you all are willing to help with this. I have only written one plug in and it would take me much much longer than it would you folks.

Regards,
Bill

Anders Broman <a.broman@xxxxxxxxx> wrote:
Hi,
Included a sample dissector, note that as Joerg says some more packets would
Make it possible to make a more useful dissector.
Best regards
Anders

________________________________________
Från: wireshark-dev-bounces@xxxxxxxxxxxxx
[mailto:wireshark-dev-bounces@xxxxxxxxxxxxx] För Bill Fassler
Skickat: den 16 mars 2007 14:01
Till: Developer support list for Wireshark
Ämne: Re: [Wireshark-dev] decoding thru unencrypted VPN tunnel

Ah, yes. I already have that documentation and the problem is I don't see
how those 5 bytes relate to the document description. Like I said, the 5th
byte is apparently a sequence number and increments by one each packet.  The
first byte is always 0x30... etc... now if you can look at the 5 bytes I am
seeing and help me map them to the protocol description then I would be very
grateful, but I fail to see the correlation...

Now you see my biggest problem. I am having trouble mapping what I see to
the protocol description.

Bill

Anders Broman wrote:
Hi,
What should be done is to make a dissector for OpenVPN packages a protocol
description
Of sorts can be found at
http://svn.openvpn.net/projects/openvpn/trunk/openvpn/ssl.h

Best regards
Anders

________________________________________
Från: wireshark-dev-bounces@xxxxxxxxxxxxx
[mailto:wireshark-dev-bounces@xxxxxxxxxxxxx] För Bill Fassler
Skickat: den 15 mars 2007 22:14
Till: wireshark-dev@xxxxxxxxxxxxx
Ämne: Re: [Wireshark-dev] decoding thru unencrypted VPN tunnel

I haven't heard from anyone since my last post.  Is the general opinion that
I should use the LUA interface, write a dissector, use "decode as" with a
byte offset (if possible) or some other method? The VPN tunnel is OpenVPN,
but I am not yet familiar with the 5 byte header into the encapsulated
payload. I guess I could write a simple plugin that doesn't decode the first
5 bytes and then passes the rest of the payload to the IP dissector and all
should roll downhill......

Bill

________________________________________
Food fight? Enjoy some healthy debate
in the Yahoo! Answers Food & Drink Q&A.

_______________________________________________
Wireshark-dev mailing list
Wireshark-dev@xxxxxxxxxxxxx
http://www.wireshark.org/mailman/listinfo/wireshark-dev


________________________________________
Need Mail bonding?
Go to the Yahoo! Mail Q&A for great tips from Yahoo! Answers users.


Now that's room service!
Choose from over 150,000 hotels
in 45,000 destinations on Yahoo! Travel
to find your fit.

Attachment: vpn_dissect.pcap
Description: 3476642339-vpn_dissect.pcap