Wireshark-users: Re: [Wireshark-users] openvpn and packet sniffing
From: Bill Fassler <bill.fassler@xxxxxxxxx>
Date: Tue, 12 Dec 2006 06:07:29 -0800 (PST)
Thanks this may prove helpful. I am using 0.99.3 though, are the differences so profound that I should upgrade? (I would also have to build it myself since I've already written a plugin that I also use for another purpose).
I did notice upon further inspection that the traffic is "encapsulated" in other words after the initial UDP packet headers I have approximately 5 bytes of data and then it appears it may be IP and UDP header stuff again. I am still trying to figure it out but being "encapsulated" makes sense since it is a VPN tunnel. I thought it was PPP but now I am a not so sure.
I think I need a little further analysis before I can determine the appropriate approach, but thanks a lot for your input. I'm sure it will come in handy.
Regards,
Bill
Douglas Pratley <Douglas.pratley@xxxxxxxxxx> wrote:
Need a quick answer? Get one in minutes from people who know. Ask your question on Yahoo! Answers.
I did notice upon further inspection that the traffic is "encapsulated" in other words after the initial UDP packet headers I have approximately 5 bytes of data and then it appears it may be IP and UDP header stuff again. I am still trying to figure it out but being "encapsulated" makes sense since it is a VPN tunnel. I thought it was PPP but now I am a not so sure.
I think I need a little further analysis before I can determine the appropriate approach, but thanks a lot for your input. I'm sure it will come in handy.
Regards,
Bill
Douglas Pratley <Douglas.pratley@xxxxxxxxxx> wrote:
I'm looking at a similar thing at the moment with a view to adding some UI features allowing a more arbitrary selection of protocol in "decode as", but anything I do will be a few weeks away.If you're running 0.99.4 and you're happy to look at the code to work out how the particular dissectors are working, and to write Lua macros, then you might be able to do something by manipulating the dissector tables using Lua.Look at_If_ you can identify the protocol you want to direct the packets to (PPP?), _and_ the one that you are directing from (UDP?) you might be able to set UDP port <x> to dissect as PPP.Failing that, if you can just add the PPP dissector to the underlying protocol's heuristics table (if it has one), I think it will appear in the "decode as" list.This is all a bit vague because I have just started looking at this; it may or may not work, and I don't know if it's the sort of hackery you're looking for.I have tried both suggestions for me to view the RTP/SIP/SDP traffic contained in the UDP packets travelling through an OpenVPN tunnel. Neither worked for this reason: The payload of the UDP packets do indeed contain such traffic as RTP SIP etc as appropriate, but they are all preceeded by a tunneling protocol. In my case it appears to be PPP. I can not use "Decode as" because in the transport options PPP is not listed. This is unfortunate because obviously there are dissectors or plugins in the Wireshark software that will do the trick but I don't seem to have them available to dissect the protocol when it is in the payload instead of the link layer. I am trying to confirm that the protocol is indeed PPP. In the mean time is there anyway to add more options to the decode as within the transport layer?
From: wireshark-users-bounces@xxxxxxxxxxxxx [mailto:wireshark-users-bounces@xxxxxxxxxxxxx] On Behalf Of Bill Fassler
Sent: 08 December 2006 22:58
To: Community support list for Wireshark
Subject: [Wireshark-users] openvpn and packet sniffing
Bill
Check out the all-new Yahoo! Mail beta - Fire up a more powerful email and get things done faster.
This message should be regarded as confidential. If you have received this email in error please notify the sender and destroy it immediately.
Statements of intent shall only become binding when confirmed in hard copy by an authorised signatory. The contents of this email may relate to dealings with other companies within the Detica Group plc group of companies.
Detica Limited is registered in England under No: 1337451.
Registered offices: Surrey Research Park, Guildford, Surrey, GU2 7YP, England.
_______________________________________________
Wireshark-users mailing list
Wireshark-users@xxxxxxxxxxxxx
http://www.wireshark.org/mailman/listinfo/wireshark-users
Need a quick answer? Get one in minutes from people who know. Ask your question on Yahoo! Answers.
- References:
- Re: [Wireshark-users] openvpn and packet sniffing
- From: Douglas Pratley
- Re: [Wireshark-users] openvpn and packet sniffing
- Prev by Date: [Wireshark-users] RTP & Pro-MPEG FEC Analysis
- Next by Date: Re: [Wireshark-users] How do I use a display filter to find Malformed packets
- Previous by thread: Re: [Wireshark-users] openvpn and packet sniffing
- Next by thread: [Wireshark-users] Please help
- Index(es):