I'm looking at a similar thing at the moment with a view to adding some UI features allowing a more arbitrary selection of protocol in "decode as", but anything I do will be a few weeks away.
If you're running 0.99.4 and you're happy to look at the code to work out how the particular dissectors are working, and to write Lua macros, then you might be able to do something by manipulating the dissector tables using Lua.
Look at
_If_ you can identify the protocol you want to direct the packets to (PPP?), _and_ the one that you are directing from (UDP?), you might be able to set UDP port <x> to dissect as PPP.
Failing that, if you can just add the PPP dissector to the underlying protocol's heuristics table (if it has one), I think it will appear in the "decode as" list.
This is all a bit vague because I have just started looking at this; it may or may not work, and I don't know if it's the sort of hackery you're looking for.
I have tried both suggestions for me to view the RTP/SIP/SDP traffic contained in the UDP packets travelling through an OpenVPN tunnel. Neither worked for this reason: the payload of the UDP packets does indeed contain such traffic as RTP, SIP, etc. as appropriate, but they are all preceded by a tunneling protocol. In my case it appears to be PPP. I cannot use "Decode as" because in the transport options PPP is not listed. This is unfortunate because obviously there are dissectors or plugins in the Wireshark software that will do the trick, but I don't seem to have them available to dissect the protocol when it is in the payload instead of the link layer. I am trying to confirm that the protocol is indeed PPP. In the meantime, is there any way to add more options to the "decode as" within the transport layer?
Bill
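The dissector-table approach suggested in the reply, as an added example that is not part of the original thread: a Lua shim registered in the "udp.port" table that skips an optional tunnel header and hands the rest of the UDP payload to the PPP dissector. It is written against the current Wireshark Lua API rather than 0.99.4. `UDP_PORT`, `HEADER_LEN` and the shim name `udpppp` are constructed placeholders, and the dissector names "ppp" and "ppp_hdlc" are assumed to be registered in your build (check with `Dissector.list()`).

```lua
-- Added example, not from the thread. Load with:
--   wireshark -X lua_script:udp_ppp.lua
local UDP_PORT   = 5000  -- assumed: UDP port carrying the tunnel
local HEADER_LEN = 0     -- assumed: bytes of tunnel header before the PPP frame

-- "ppp" expects the frame to start at the PPP protocol field; "ppp_hdlc"
-- expects the HDLC-style FF 03 address/control bytes first.
local ppp      = Dissector.get("ppp")
local ppp_hdlc = Dissector.get("ppp_hdlc")

local shim = Proto("udpppp", "PPP carried in UDP (shim)")
local f_skipped = ProtoField.bytes("udpppp.skipped", "Skipped tunnel header")
shim.fields = { f_skipped }

function shim.dissector(tvb, pinfo, tree)
    local len = tvb:len()
    -- Too short for the header plus a 2-byte PPP protocol field: decline,
    -- so the payload is shown as plain data instead of raising an error.
    if len < HEADER_LEN + 2 then
        return 0
    end

    local subtree = tree:add(shim, tvb())
    if HEADER_LEN > 0 then
        subtree:add(f_skipped, tvb(0, HEADER_LEN))
    end

    -- New tvb that starts where the PPP frame is assumed to begin.
    local inner = tvb(HEADER_LEN):tvb()

    -- Choose the framing by looking for the HDLC address/control pair.
    if ppp_hdlc and inner(0, 2):uint() == 0xFF03 then
        ppp_hdlc:call(inner, pinfo, tree)
    elseif ppp then
        ppp:call(inner, pinfo, tree)
    else
        return 0  -- no PPP dissector available in this build
    end
    return len
end

-- Route every packet on UDP_PORT to the shim.
DissectorTable.get("udp.port"):add(UDP_PORT, shim)
```

If the inner frames show up as malformed PPP, the assumed `HEADER_LEN` or the guess that the inner protocol is PPP is the first thing to re-check.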