Gitiles
Code Review Sign In
gerrit.named-data.net / ndn-tools / 35e6aff92174ad9502ba8868a475a631acf66a99 / . / tools / dissect-wireshark / README.md
blob: 805f2e85d44038843a3fcc88fb394a5330745054 [file] [log] [blame] [view]
Davide Pesaventodb9613e2023-01-20 20:52:21 -0500[diff] [blame]1# NDN Packet Dissector for Wireshark
Alexander Afanasyev6fbb7b42015-08-10 11:53:49 -0700[diff] [blame]2
Davide Pesaventodb9613e2023-01-20 20:52:21 -0500[diff] [blame]3*NOTE: The dissector requires at least version 1.12.6 of Wireshark with LUA support enabled.*
Alexander Afanasyev6fbb7b42015-08-10 11:53:49 -0700[diff] [blame]4
Davide Pesaventodb9613e2023-01-20 20:52:21 -0500[diff] [blame]5The dissection of [NDN packets](https://docs.named-data.net/NDN-packet-spec/current/)
6is supported in the following cases:
Alexander Afanasyev6fbb7b42015-08-10 11:53:49 -0700[diff] [blame]7
Davide Pesaventodb9613e2023-01-20 20:52:21 -0500[diff] [blame]8- NDN packets are encapsulated in IPv4/IPv6 UDP datagrams with source or destination
9 port 6363 or 56363.
Alexander Afanasyev6fbb7b42015-08-10 11:53:49 -0700[diff] [blame]10
Alexander Afanasyev357c2052015-08-10 21:26:52 -0700[diff] [blame]11- NDN packets are encapsulated in IPv4/IPv6 TCP segments with source or destination
12 port 6363.
13
Davide Pesaventodb9613e2023-01-20 20:52:21 -0500[diff] [blame]14- NDN packets are encapsulated in IPv4/IPv6 WebSocket packets with source or destination
15 port 9696.
Alexander Afanasyev357c2052015-08-10 21:26:52 -0700[diff] [blame]16
Alexander Afanasyev7f43c532015-08-12 15:28:51 -0700[diff] [blame]17- NDN packets are encapsulated in Ethernet frames with EtherType 0x8624.
18
Alexander Afanasyev4fb67ea2018-08-02 08:18:28 -0600[diff] [blame]19- NDN packets are encapsulated in PPP frames with protocol type 0x0077.
20
Alexander Afanasyev357c2052015-08-10 21:26:52 -0700[diff] [blame]21## Available dissection features
22
23- When UDP packet is fragmented, the dissection is performed after the full IP reassembly.
24 If the full reassembly is not possible (e.g., a wrong checksum or missing segments),
25 dissection is not performed.
26
27- When multiple NDN packets are part of a single UDP datagram, TCP segment, or WebSocket
28 payload, all NDN packets are dissected.
29
30- When a single NDN packet is scattered across multiple TCP segments or WebSocket
31 payloads, it is dissected after the successful reconstruction of the necessary portion
32 of the TCP stream. If the reconstruction of the necessary portion of the TCP stream is
33 not possible (e.g., missing segments), the dissection is not performed.
34
35- When an NDN packet is not aligned to the segment or payload boundary, the dissector
36 searches for any valid NDN packet within the segment using heuristics defined by the
37 following pseudocode:
38
39 for each offset in range (0, packet length)
40 type <- read TLV VarNumber from (buffer + offset)
41 length <- read TLV VarNumber from (buffer + offset + length of type field)
42
43 if type is either 5 or 6 // Type of NDN Interest of Data packet)
44 and length is less 8800 // Current (soft) limit for NDN packet size
45 then
46 dissect NDN packet from (buffer + offset)
47 end if
48
49Currently, the dissector does not support NDNLPv2 packets.
Alexander Afanasyev6fbb7b42015-08-10 11:53:49 -0700[diff] [blame]50
51## Usage
52
53By default, the dissector script `ndn.lua` is installed into `/usr/local/share/ndn-dissect-wireshark`.
54On some platforms, it may also be installed in `/usr/share/ndn-dissect-wireshark` or
55`/opt/local/share/ndn-dissect-wireshark`. To enable the dissector for Wireshark session,
56use `-X` command line option, specifying the full path to the `ndn.lua` script:
57
Davide Pesaventodb9613e2023-01-20 20:52:21 -0500[diff] [blame]58```shell
59wireshark -X lua_script:/usr/local/share/ndn-dissect-wireshark/ndn.lua
60```
Alexander Afanasyev6fbb7b42015-08-10 11:53:49 -0700[diff] [blame]61
62Similarly, NDN packets dissector can be enabled when using `tshark`:
63
Davide Pesaventodb9613e2023-01-20 20:52:21 -0500[diff] [blame]64```shell
65tshark shark -X lua_script:/usr/local/share/ndn-dissect-wireshark/ndn.lua
66```
Alexander Afanasyev6fbb7b42015-08-10 11:53:49 -0700[diff] [blame]67
68To enable NDN packets dissector for all future Wireshark sessions, you can create/edit
69Wireshark's `init.lua` script, which located in `/usr/share/wireshark`,
70`/usr/local/share/wireshark`, `/Applications/Wireshark.app/Contents/Resources/share/wireshark`,
71or similar location depending on the platform and the way Wireshark is installed. The
72`dofile` command should be added to the end of `init.lua` file:
73
Davide Pesaventodb9613e2023-01-20 20:52:21 -0500[diff] [blame]74```lua
75dofile("/usr/local/share/ndn-dissect-wireshark/ndn.lua")
76```
Alexander Afanasyev6fbb7b42015-08-10 11:53:49 -0700[diff] [blame]77
78For more detailed information about how to use Lua refer to [Lua wiki](https://wiki.wireshark.org/Lua).
79
80## Known issues
81
82Due to security issues, customized lua scripts are not allowed to be loaded when Wireshark
83is started with root privileges. There are two workarounds:
84
Davide Pesaventodb9613e2023-01-20 20:52:21 -0500[diff] [blame]85- Run `dumpcap` or `tcpdump` with root privileges to capture traffic to a file, and later
86 run Wireshark *without* root privileges to analyze the captured traffic.
Alexander Afanasyev6fbb7b42015-08-10 11:53:49 -0700[diff] [blame]87
Davide Pesaventodb9613e2023-01-20 20:52:21 -0500[diff] [blame]88- Allow non-root users to capture packets (beware of potential security implications!)
Alexander Afanasyev6fbb7b42015-08-10 11:53:49 -0700[diff] [blame]89
Davide Pesaventodb9613e2023-01-20 20:52:21 -0500[diff] [blame]90 * On Linux, you can use `setcap`:
Alexander Afanasyev6fbb7b42015-08-10 11:53:49 -0700[diff] [blame]91
Davide Pesaventodb9613e2023-01-20 20:52:21 -0500[diff] [blame]92 sudo setcap cap_net_raw,cap_net_admin=eip /full/path/to/wireshark
Alexander Afanasyev6fbb7b42015-08-10 11:53:49 -0700[diff] [blame]93
Davide Pesaventodb9613e2023-01-20 20:52:21 -0500[diff] [blame]94 You may need to install a package to use `setcap` (e.g., `sudo apt install libcap2-bin` on Ubuntu)
Alexander Afanasyev6fbb7b42015-08-10 11:53:49 -0700[diff] [blame]95
Davide Pesaventodb9613e2023-01-20 20:52:21 -0500[diff] [blame]96 * On Debian/Ubuntu Linux, capturing traffic with Wireshark by a non-root user can be enabled by
97 adding the user to the `wireshark` group.
Alexander Afanasyev6fbb7b42015-08-10 11:53:49 -0700[diff] [blame]98
Davide Pesaventodb9613e2023-01-20 20:52:21 -0500[diff] [blame]99 See Debian's [README file](https://salsa.debian.org/debian/wireshark/-/blob/debian/master/debian/README.Debian)
100 for details.
Alexander Afanasyev6fbb7b42015-08-10 11:53:49 -0700[diff] [blame]101
Davide Pesaventodb9613e2023-01-20 20:52:21 -0500[diff] [blame]102 * On macOS, `/dev/bpf*` devices need to be assigned proper permissions.
Alexander Afanasyev6fbb7b42015-08-10 11:53:49 -0700[diff] [blame]103
Davide Pesaventodb9613e2023-01-20 20:52:21 -0500[diff] [blame]104 Automatically using ChmodBPF app:
Alexander Afanasyev6fbb7b42015-08-10 11:53:49 -0700[diff] [blame]105
106 curl https://bugs.wireshark.org/bugzilla/attachment.cgi?id=3373 -o ChmodBPF.tar.gz
107 tar zxvf ChmodBPF.tar.gz
108 open ChmodBPF/Install\ ChmodBPF.app
109
110 or manually:
111
112 sudo chgrp admin /dev/bpf*
113 sudo chmod g+rw /dev/bpf*