On Mon, Mar 16, 2020 at 09:21:11AM +0100, Dario Lombardo wrote:
> On Mon, Mar 16, 2020 at 7:37 AM Ankish Shah <ankishshah998998@xxxxxxxxx>
> wrote:
>
> > I've downloaded and built wireshark on Ubuntu machine and I was going
> > through the documentation of building new dissectors.
> > I have a couple of doubts.
> > 1. When I write code for a new dissector, do I have to build the entire
> > wireshark once again (it takes around 10-12 mins on my system), or is there
> > any option to compile only the new files and see the results?
> >
>
> The build system just compiles what changed on disk. You can skip the
> linking phase, if you want to just compile your dissector, by issuing
> make/ninja epan/dissectors/CMakeFiles/dissectors.dir/packet-dns.c.o (to
> compile packet-dns.c, for instance). But this won't give you a fully
> functional wireshark; it just serves to show whether your dissector compiles.
If you want to test your changes, linking is pretty much mandatory. You
would typically run `ninja` again to ensure everything is built. If you
are just using tshark, it suffices to run `ninja tshark`. Likewise, if
you are testing with the GUI only, you can use `ninja wireshark`.
A trick if you want to run a syntax check only: with Clang, configure
CMake to generate a special file:

    cmake -DCMAKE_EXPORT_COMPILE_COMMANDS=1 \
        -DCMAKE_C_COMPILER=clang -DCMAKE_CXX_COMPILER=clang++ ...

then you can use this for quick syntax checks of one file:

    clang-check epan/dissectors/packet-dns.c

If you have a separate build dir, then either run from the source dir:

    clang-check -p=/path/to/build epan/dissectors/packet-dns.c

or run it from the build tree:

    clang-check /path/to/wireshark/epan/dissectors/packet-dns.c
> > 2. Once I code new dissectors, how do I test them using wireshark? For
> > example, if you create a dissector to capture packets on port '12345' and
> > the packet includes a flag bit and an ipv4 address, how do you actually
> > create the packet, send it on port 12345 and see the results on wireshark?
> >
>
> You have a bunch of options here, from writing a pcap file manually yourself,
> to writing your payload manually and sending it through the network with netcat,
> to using high-level software such as scapy. It really depends on your
> knowledge of the protocol and on your confidence with raw hex writing.
> Wireshark doesn't give support for writing sample captures. My suggestion
> is: start from an existing capture (in pcap format, that is easier), modify
> it with a hex editor such as ghex2 on ubuntu, and open it from disk with
> wireshark, without involving the network. After all, you're working on a
> dissector that works on both captured and saved traffic.
Generally I would recommend generating a simulation using an actual
protocol implementation. That ensures that you do not write a dissector
according to a misunderstanding of a protocol. For example, if I need a
HTTP trace, I could use Firefox or curl.
If you know the protocol well, and want to craft a packet capture
programmatically, a straightforward approach is using Scapy as Dario
suggested. That way you can use Python to script your problem. Here I
was trying to generate a trace to test TCP reassembly:
https://git.lekensteyn.nl/peter/wireshark-notes/tree/crafted-pkt/make-tcp.py
But at minimum you can use something like:
    from scapy.all import *
    # IP()/TCP(...)/bytes stacks the layers; the raw bytes become the TCP payload
    pkt = IP()/TCP(sport=54321, dport=12345)/b'your payload here'
    # write a single-packet capture that Wireshark can open from disk
    wrpcap('test.pcap', pkt)
--
Kind regards,
Peter Wu
https://lekensteyn.nl
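Following up on Dario's "write a pcap file manually" option and Peter's Scapy snippet, here is an added example (not from anyone in this thread) that writes a classic libpcap file in pure Python without Scapy, carrying the question's hypothetical port-12345 protocol as one flag byte followed by an IPv4 address. The MAC and IP addresses, the timestamp and the flag layout are constructed assumptions.

```python
import socket
import struct

def ipv4_checksum(header: bytes) -> int:
    """RFC 791 ones'-complement checksum. Run over a header whose checksum
    field is already filled in, it returns 0, which makes it a verifier too."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:  # fold carries back into the low 16 bits
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def build_frame(payload: bytes, src="192.0.2.10", dst="192.0.2.20",
                sport=54321, dport=12345) -> bytes:
    """Ethernet/IPv4/UDP frame carrying `payload` (addresses are constructed)."""
    udp_len = 8 + len(payload)
    # UDP checksum 0 means "not computed", which is legal over IPv4
    udp = struct.pack("!HHHH", sport, dport, udp_len, 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + udp_len, 0x1234, 0x4000,
                     64, 17, 0, socket.inet_aton(src), socket.inet_aton(dst))
    ip = ip[:10] + struct.pack("!H", ipv4_checksum(ip)) + ip[12:]
    # locally administered (02:..) MACs, EtherType 0x0800 = IPv4
    eth = bytes.fromhex("020000000002") + bytes.fromhex("020000000001") + b"\x08\x00"
    return eth + ip + udp

def build_pcap(frames, linktype=1) -> bytes:
    """Classic pcap: 24-byte global header, then a 16-byte record header per frame."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, linktype)
    for i, frame in enumerate(frames):
        # ts_sec, ts_usec, captured length, original length (constructed timestamp)
        out += struct.pack("<IIII", 1584316871 + i, 0, len(frame), len(frame)) + frame
    return out

def example_payload(flag: int, addr: str) -> bytes:
    """The question's protocol as assumed here: one flag byte, then an IPv4 address."""
    return struct.pack("!B4s", flag & 0xFF, socket.inet_aton(addr))

if __name__ == "__main__":
    frames = [build_frame(example_payload(1, "198.51.100.1")),
              build_frame(example_payload(0, "198.51.100.2"))]
    with open("test.pcap", "wb") as f:
        f.write(build_pcap(frames))
```

Open test.pcap in Wireshark (or `tshark -r test.pcap -V`) and use Decode As on UDP port 12345 to point it at the new dissector; since the file is written from disk, no live traffic is involved.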