CISC 856

Extending Wireshark For A New Protocol

Homework

In this homework assignment we will extend Wireshark for a new application protocol.

1) Install the SSH Secure Shell client for Windows provided by the University of Delaware:

http://www.udel.edu/topics/connect/sw/ssh/index.html

2) Install the Xming X server for Windows from sourceforge.net:

http://sourceforge.net/project/showfiles.php?group_id=156984&package_id=175377

Download and install it using Xming-6-9-0-31-setup.exe, available at the link above.

After installation, run the Xming server on your Windows machine.

3) Use the SSH Secure Shell client to log in to my laptop (referred to as the server in this document). I will email the IP address by the end of today, 2nd December 2008. Username: varun, password: varun.

4) Enable the X11 tunneling setting in the SSH Secure Shell client before you SSH to the server. This step, together with the Xming server running on your Windows client machine, forwards the windows opened by the server application (Wireshark) to your Windows machine:

Edit -> Settings -> Profile Settings -> Connection -> Tunneling -> select the X11 Tunneling checkbox.

5) Upon login you will be in the home directory, /home/varun.

6) Change directory to /home/varun/wireshark-1.0.4/plugins/<your-team-name>.

7) The module packet-<your-team-name>.c contains the Wireshark plugin source code for the new protocol we discussed in class. The backbone code for dissecting the new application protocol is provided. You are free to change the protocol name and display information as described in the protocol registration (Step 5 of the slides), but do not change the function names or file names, as this affects the makefiles.

8) Some parts of the dissection code have been deleted. Your task is to write code so that all parts of the FOO PDU are displayed in the Wireshark user interface. I have provided comments that give a hint about what each section of code is doing, and a tag 'HW' wherever you need to add code.

9) The TSAP port number is declared as a static int variable, and its value is missing. Declare it with a unique value; the suggestion is 25000 + <your team number>.

10) The function call that registers the dissector function and the T-SAP is missing in the routine proto_reg_handoff_<yourprotocol>. Add this; refer to Step 6 of the slides.

11) The data structure containing the dissection information for the sequence number is missing. You can use the data structure for PDU Type as a reference and add this. Note that the sequence number is a 16-bit unsigned integer, and that we have the data types FT_INT8 and FT_INT16 at our disposal. The last 4 parameters of the structure can be NULL, 0x00, NULL, HFILL respectively. (Step 8)

Also ensure that the data structure for the sequence number is added to the dissection tree. (Step 9)

12) The code is ready now. Write and quit out of packet-<your-team>.c. Run the commands 'make' and 'sudo make install' in your plugin directory, using 'varun' as the password. Check for compiler errors.

13) Go to the directory /home/varun/wireshark-1.0.4 and run the command 'sudo ./wireshark'. This will pop up the Wireshark user interface on the Windows machine. Select the lo interface (127.0.0.1) for packet capture. You can also use wlan0, but this means you will have to send the PDUs from your Windows machine to the server. Set a Wireshark filter that shows only the PDUs relevant to your experiment; otherwise Wireshark captures lots of other PDUs.

14) Open two new SSH connection windows to the server. In the first, change to the directory /home/varun/udpserver/ and run ./a.out. This launches the UDP server that gobbles packets on a given UDP port. (The UDP server asks for an input port to listen on; provide this appropriately. It also asks for the PDU size and the length of the FOO PDU.)

15) In the second SSH window, change to the directory /home/varun/udpclient. The file client.c contains the code that generates the FOO PDUs and sends them to the server over UDP. Run the client using ./a.out from this (udpclient) directory. Provide the same port number as in step 14.

16) Notice the packets being captured in the Wireshark window as you provide inputs to the udpclient.

Take a dump of Wireshark and correlate it with your client trace. Which packets correspond to which section of the client trace?

17) Submit a copy of the packet-<your-team>.c module.

18) Interesting activity. Let us assume the FOO PDU is extended to have a length field. The length field is set to the number of bytes / 4, and our plugin should display the actual byte data that arrived in the length field as a decimal number. This can be done by adding a new data structure of unsigned int 8 bytes and registering it. But how would you display the actual length, i.e. the value of the length field multiplied by 8?

HINT: Look at the file /home/varun/wireshark-1.0.4/epan/dissectors/packet-ip.c

The IP header length, which is a nibble (this is a hint), is extracted and multiplied by 4 before the header length is populated in Wireshark.

Question: give the name of the function

1) that extracts the IP header length from the raw tvb buffer;

2) that adds the actual header length to the protocol tree after multiplying by 4.

It is similar to proto_tree_add_item, which we have used in the code previously, but takes some formatting information.

19) Extra credit problems:

1. Get your Wireshark output to display the specific flag values.

2. Get your Wireshark output to correctly display the sequence numbers.

They should be 1, 2, 3, ... not 256, 512, ...

In your submission, EXPLICITLY show how you accomplished the extra credit(s).
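The following is an added, stand-alone C example, not part of the course plugin or of client.c, and it uses no Wireshark API. It shows the two byte-level ideas behind step 18 and extra credit 2: a 16-bit sequence number that the client copies into the packet in host order on a little-endian machine reads as 256, 512, ... when the dissector interprets the two bytes in network (big-endian) order, and a length field stored in units of 4 bytes (like the IPv4 IHL nibble) has to be scaled before it is displayed. The PDU layout (type, sequence, flags, length offsets) and the scale factor of 4 are assumptions made for this example only; check them against your packet-<your-team>.c.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* Assumed FOO PDU layout for this example only (constructed, not the course's
   definition): byte 0 = PDU type, bytes 1-2 = 16-bit unsigned sequence number,
   byte 3 = flags, byte 4 = length field holding bytes/4. */
enum { FOO_OFF_TYPE = 0, FOO_OFF_SEQ = 1, FOO_OFF_FLAGS = 3, FOO_OFF_LEN = 4, FOO_HDR_LEN = 5 };

/* Read two bytes as a network-order (big-endian) 16-bit value: the interpretation a
   dissector applies when it is told the field is in network byte order. */
uint16_t foo_get_ntohs(const uint8_t *buf, size_t off)
{
    return (uint16_t)(((uint16_t)buf[off] << 8) | buf[off + 1]);
}

/* Read two bytes as a little-endian 16-bit value: the interpretation a dissector
   applies when it is told the field is little-endian. */
uint16_t foo_get_letohs(const uint8_t *buf, size_t off)
{
    return (uint16_t)(buf[off] | ((uint16_t)buf[off + 1] << 8));
}

/* Store a 16-bit value the way an x86 client does when it copies a host-order
   integer straight into the packet without calling htons(). */
void foo_put_host_le(uint8_t *buf, size_t off, uint16_t v)
{
    buf[off]     = (uint8_t)(v & 0xff);
    buf[off + 1] = (uint8_t)(v >> 8);
}

/* Store a 16-bit value in network byte order, which is what htons() produces. */
void foo_put_net_be(uint8_t *buf, size_t off, uint16_t v)
{
    buf[off]     = (uint8_t)(v >> 8);
    buf[off + 1] = (uint8_t)(v & 0xff);
}

/* Length scaling: the raw field holds bytes/4, so the value to display is raw*4
   (assumed factor of 4, mirroring the IPv4 header-length nibble). */
unsigned foo_len_bytes(uint8_t raw)        { return (unsigned)raw * 4; }
/* IPv4: the low nibble of the first header byte is the header length in 32-bit words. */
unsigned ip_hdr_len_bytes(uint8_t first_b) { return (unsigned)(first_b & 0x0f) * 4; }

/* The extra-credit symptom: client stores seq in host order on a little-endian
   machine, dissector reads it as network order -> 1 shows as 256, 2 as 512. */
uint16_t foo_seq_misread(uint16_t seq)
{
    uint8_t pdu[FOO_HDR_LEN] = {0};
    foo_put_host_le(pdu, FOO_OFF_SEQ, seq);
    return foo_get_ntohs(pdu, FOO_OFF_SEQ);
}

/* Fix on the dissector side: declare the field little-endian to match the sender. */
uint16_t foo_seq_fixed_in_dissector(uint16_t seq)
{
    uint8_t pdu[FOO_HDR_LEN] = {0};
    foo_put_host_le(pdu, FOO_OFF_SEQ, seq);
    return foo_get_letohs(pdu, FOO_OFF_SEQ);
}

/* Fix on the client side: send the field in network order and keep the
   network-order read in the dissector. */
uint16_t foo_seq_fixed_in_client(uint16_t seq)
{
    uint8_t pdu[FOO_HDR_LEN] = {0};
    foo_put_net_be(pdu, FOO_OFF_SEQ, seq);
    return foo_get_ntohs(pdu, FOO_OFF_SEQ);
}

int main(void)
{
    for (uint16_t s = 1; s <= 3; s++)
        printf("seq %u: misread=%u dissector-fix=%u client-fix=%u\n", s,
               foo_seq_misread(s), foo_seq_fixed_in_dissector(s), foo_seq_fixed_in_client(s));
    printf("length field raw 5 -> %u bytes; IPv4 first byte 0x45 -> %u byte header\n",
           foo_len_bytes(5), ip_hdr_len_bytes(0x45));
    return 0;
}
```

In the plugin the same choice is made by the byte-order argument of proto_tree_add_item (already used in the provided code): the two reads above correspond to its two settings, and only one of them matches the order in which client.c writes the sequence number. Fixing the order in exactly one place (client or dissector) is enough; changing both puts the mismatch back.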