path: root/doc/ethereal-tut.mgp
blob: f93abf4b1999b65a2b718faea7d33efad1a0710c (plain)
#!/usr/bin/X11/mgp -o -g 1028x776-1026-772
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%%
%% Copyright, 2000, Richard Sharpe, richard.sharpe@linuxworld.com
%%
%% This presentation is free material; you can redistribute it and/or
%% modify it under the terms of the GNU General Public License
%% as published by the Free Software Foundation; either version 2
%% of the License, or (at your option) any later version.
%%
%% This material is distributed in the hope that it will be useful,
%% but WITHOUT ANY WARRANTY; without even the implied warranty of
%% MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
%% GNU General Public License for more details.
%%
%% You should have received a copy of the GNU General Public License
%% along with this material; if not, write to the Free Software
%% Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA  02111-1307, USA.
%%
%% If you make any changes or improvements, please consider contributing 
%% them back to the ethereal team or the author.
%%
%deffont "standard" xfont "comic sans ms-medium-r"
%deffont "thick" xfont "arial black-medium-r"
%deffont "typewriter" xfont "courier new-bold-r"
%%
%% Default settings per each line numbers.
%%
%default 1 leftfill, size 8, fore "yellow", back "black", font "thick"
%default 1 bgrad 0 0 128 0 1 "lightblue" "cyan" "blue" "darkblue" "black" 
%default 2 size 7, vgap 10, prefix "       "
%default 3 size 2, bar "gray70", vgap 10
%default 4 size 5, fore "white", vgap 30, prefix " ", font "standard"
%%
%% Default settings that are applied to TAB-indented lines.
%%
%tab 1 size 4, vgap 95, prefix "             ", icon box "red" 50
%tab 2 size 4, vgap 95, prefix "                 ", icon arc "yellow" 50
%tab 3 size 3, vgap 95, prefix "                       ", icon delta3 "white" 40 
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%page
%nodefault, bgrad 0 0 128 0 1 "lightblue" "cyan" "blue" "darkblue" "black"
%tfont "comic sans ms-medium-r"


%center, size 4
%image "ethereal-logo-small.png"

%size 7, font "standard"
Developing an Ethereal Dissector

%size 7, font "standard"
A tutorial on Open Source Software

%size 4, font "standard"
by Richard Sharpe

%% You may add the following here, if you like ...
%%size 4, font "standard"
%%Presented by YOUR NAME HERE

%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%page

Agenda


	My involvement with Ethereal
	Overview of Ethereal
	Developing a dissector
	The AUTH/IDENT dissector
	Advanced topics
	Resources


%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%page

My involvement with Ethereal


	Needed a Linux/Unix packet analysis program
	Found Ethereal in late 1998
		Very few application protocols at that stage
	Developed a number of dissectors in 1999 and 2000
		POP, TFTP, FTP, Telnet, SMB, SMTP, BXXP
	Helped with various bits of infrastructure and ideas

%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%page

Overview of Ethereal


	What is Ethereal
	Genesis of Ethereal
	Protocols it understands
	Features
	Platforms it runs on
	Tools it uses
	Uses for Ethereal
	Future of Ethereal

%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%page

What is Ethereal


	Open source packet capture and analysis program
		GPL'd
	Based on GTK+
	Uses libpcap
	Developed by a world-wide team
	Being used by standards groups
	Supports many protocols

%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%page
%%nodefault, bgrad 0 0 128 0 1 "lightblue" "cyan" "blue" "darkblue" "black"

What is Ethereal
%%system "/root/ethereal-latest/ethereal -m 9x15 -n -r /root/captures/w95-logon-off-nt.cap" -1
%%system "xterm -fn 12x24 -e more /root/ethereal-latest/packet-bxxp.c &" 

%center
%image "ethereal-shot.png"

%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%page

Genesis of Ethereal


	Started in 1998 by Gerald Combs
		Needed a GUI-based packet analysis program
		Wrote his own, using GTK+
	Quickly gained a following
		Guy Harris, Gilbert Ramirez, Laurent Deniel
		Jun-ichiro itojun Hagino, Hannes Boehm, 
		Richard Sharpe, Jeff Foster, ... 
	Currently, Version 0.8.13?

%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%page

Protocols it understands


	Any UNIX/Linux network device
	IP, IPX, NetBEUI, X.25, HDLC, ...
	ICMP, IGMP, TCP, UDP, OSPF, ...
	Many application layer protocols
	138+

%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%page

Features


	Read and write many capture file formats
		libpcap, NetMon, snoop, NetXRay, ...
	Filter packets during capture
	Filter packets during display
	View all packet details the code handles
	Follow TCP streams
	Print packets, etc ...

%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%page

Platforms it runs on


	Any version of UNIX with:
		GTK+
		libpcap
	Linux, FreeBSD, ...
	Windows 9X, NT, 2000


%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%page 

Tools it uses


	GTK+ 1.2.6+, Glib
	libpcap
	autogen, automake, bison, flex, GCC

%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%page

Uses for Ethereal


	Learning about protocols
	Network troubleshooting
	Developing new implementations
	Capturing passwords

%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%page

Example ... Why is RADIUS failing

%center
%image "ethereal-radius.png"

%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%page

Future of Ethereal


	Version 1.0 early 2001
	Version 2.0 redeveloped
		Apply all the lessons we have learned
		Separate packet dissecting from display
			Provide a library to be used separately
	Use SNMP to capture from RMON packet probes
	Developer documentation
	Improve user documentation
	Automatic generation of dissectors?

%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%page

Developing a dissector


	Obtaining the source code
	Other packages you need
	Unpack source and prepare to build
	Structure of the source code
	Your dissector
	Summary information vs tree view
	When your dissector is called
	Routines you will need to use
	Using tvb versus the (packet) frame buffer
	A walk through a dissector

%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%page

Obtaining the source code


	Download from www.ethereal.com
		Not the latest code
		But it will compile
	Get access to the CVS tree
		Latest, possibly buggy code
		May not compile
		May be undergoing serious change


%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%page

Other packages you need


	libpcap
	GTK+ 1.2.6+
	GLIB 1.2.6+
	automake, autoconf
	make
	gcc
	bison/yacc, flex/lex
	Perl
	Python

%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%page

Unpack your source and prepare to build


%size 4, font "typewriter"
     tar zxvf ethereal-0.8.x.tar.gz

%size 4, font "typewriter"
     cd ethereal-0.8.x

%size 4, font "typewriter"
     ./configure  # may need autogen.sh

%size 4, font "typewriter"
     # Fix up any problems

%size 4, font "typewriter"
     make

%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%page

Structure of the source code


	ethereal-0.x.y
		All the dissectors, packet-xxx.c
		Much of the support code
	ethereal-0.x.y/gtk
		Contains main.c
		Contains the GUI code
	ethereal-0.x.y/wiretap
		Code to deal with capture file formats

%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%page

Structure, cont


	ethereal-0.x.y/doc
		Documentation and scripts for generating docs
	ethereal-0.x.y/plugins
		Plugins and support code
	ethereal-0.x.y/others...
		A few other directories

%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%page

Your dissector


	Create packet-xxx.c in top level directory
	Copy an existing dissector and modify
		eg, packet-pop.c
		not a good choice if you need to keep state between packets
	Must have a dissect_xxx entry point
	Use build-dissector.pl to build a TCP/UDP dissector
	Can decode as much or as little as you want

%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%page

Summary information vs tree view


	Must produce two types of information
		Summary information in the top pane
		Protocol tree information in the middle and lower panes


%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%page

Summary vs tree view, cont


	One dissector used for both!
		If called with a tree argument, must provide protocol tree info
		If called without a tree argument, only need to provide summary
	Your protocol may require you to decode whole packet in either case!

%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%page

When your dissector is called


	Called by the protocol below you
		Eg, packet-tcp.c, etc
	Once, on first pass, for every packet that is yours
		Mainly, summary info wanted this time around
		If filter specified, full decode needed
		If color filter in effect, full decode needed
	Every time the user clicks on one of your packets in the summary pane
	If a rescan is needed
		Once, again, for every packet that is yours

%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%page

Routines you will need to use


	Registration routines
	Summary info display
	Protocol tree display
	Packet access routines (macros)
	TVB routines
	Utility routines

%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%page

Registration routines


	Registering initialization callbacks
		Create a bxxp_init_protocol routine
	Registering your dissection routines
		Create proto_register_xxx routine
		Call dissector_add
		Create proto_reg_handoff_xxx
	Registering filter information
	Registering preference information

%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%page

Summary info display


	check_col
		Checks if a column is needed
	col_add_[f]str
		Adds a string or a formatted string


%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%page

Protocol tree display


	proto_item_add_subtree
		Adds a new subtree to the protocol tree
	proto_tree_add_xxx[_format]
		Adds an item to the subtree for display and searching
	proto_tree_add_xxx_hidden
		Adds an item to the subtree for searching only
	proto_item_set_len
		Sets the length for an item
	proto_tree_add_notext & proto_tree_set_text
		Adds an item without text
		Later add the text

%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%page

Packet access routines (macros)


	Accessing information in the frame data
	Only needed if you are not using TVB
	Extracting information with correct endianness
		Big endian
			pntohs, pntohl
		Little endian
			pletohs, pletohl
	Avoids unaligned access traps on RISC architectures as well

%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%page

TVB routines


	tvb_xxx
		Routines to access data from the packet
	tvb_length_remaining(tvb, offset)
		Find out how many bytes remain in the packet

%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%page

Utility routines


	format_text
		Formats packet data for display in the detail pane

%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%page

Using TVB vs the frame buffer


	Original dissectors accessed the packet/frame buffer
	Too many coders did not check that chars were available
	Many crashes due to poor code
	Testy Virtualizable Buffers introduced
		Protect Ethereal from bad coding
		However, few dissectors converted to using TVB
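
An added example, not code from Ethereal or from this presentation: a bounds-checked buffer in C showing the check that raw frame-buffer dissectors tended to omit, with byte-wise big- and little-endian reads that also avoid unaligned access. The names safe_buf, buf_has, buf_remaining, buf_get_ntohs and buf_get_letohl are hypothetical and are not the tvbuff API.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical bounds-checked view of captured bytes (not Ethereal's tvbuff). */
typedef struct {
    const uint8_t *data;  /* start of the captured bytes */
    size_t         len;   /* number of bytes actually captured */
} safe_buf;

/* True when n bytes at offset lie inside the buffer; avoids offset + n overflow. */
static int buf_has(const safe_buf *b, size_t offset, size_t n)
{
    return offset <= b->len && n <= b->len - offset;
}

/* Bytes left from offset, or -1 when offset is already past the end. */
long buf_remaining(const safe_buf *b, size_t offset)
{
    return offset > b->len ? -1 : (long)(b->len - offset);
}

/* Big-endian 16-bit read, assembled byte by byte so alignment never matters. */
int buf_get_ntohs(const safe_buf *b, size_t offset, uint16_t *out)
{
    if (!buf_has(b, offset, 2)) return -1;   /* short capture: refuse the read */
    *out = (uint16_t)((b->data[offset] << 8) | b->data[offset + 1]);
    return 0;
}

/* Little-endian 32-bit read with the same bounds check. */
int buf_get_letohl(const safe_buf *b, size_t offset, uint32_t *out)
{
    const uint8_t *p;
    if (!buf_has(b, offset, 4)) return -1;
    p = b->data + offset;
    *out = (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
    return 0;
}

/* Constructed sample: a capture cut off after 5 bytes. */
static const uint8_t sample[] = { 0x00, 0x71, 0x78, 0x56, 0x34 };

int main(void)
{
    safe_buf b = { sample, sizeof sample };
    uint16_t v = 0;
    uint32_t w = 0;
    printf("ntohs@0 rc=%d v=%u\n", buf_get_ntohs(&b, 0, &v), (unsigned)v);
    printf("letohl@2 rc=%d (read would run past the capture)\n", buf_get_letohl(&b, 2, &w));
    return 0;
}
```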

%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%page

A walk through a dissector...


%%system "...more etc ..."
	Walk through packet-pop.c comparing code to what Ethereal displays

%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%page

The AUTH/IDENT dissector


	Overview of the AUTH/IDENT dissector
	Discussion of the AUTH/IDENT dissector
	Other files you need to modify
	Building the dissector

%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%page

Overview of the AUTH/IDENT dissector


%center, size 4
%image "rfc1413.png"

%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%page

Discussion of the AUTH/IDENT dissector


	Simple dissector needed here
	All dissection decisions based on packet content alone
	Must check port numbers for client or server side
	Small amount of code plus a couple of support routines
	Some registration code required
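
An added example, not the dissector built in this tutorial and not Ethereal code: a stand-alone C sketch of the decisions listed above for RFC 1413, using the destination port to tell query from reply and parsing a length-delimited payload that is never assumed to be NUL-terminated. The names ident_classify, parse_port and the ident_kind values are hypothetical; the sample lines are constructed in RFC 1413 syntax.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define IDENT_PORT 113  /* well-known TCP port for AUTH/IDENT */

enum ident_kind { IDENT_REQUEST, IDENT_USERID, IDENT_ERROR, IDENT_MALFORMED };

/* Parse a decimal port (1..65535) from [p, end), skipping surrounding blanks.
 * Returns the position after the port, or NULL on failure. */
static const char *parse_port(const char *p, const char *end, unsigned *port)
{
    unsigned v = 0;
    int digits = 0;

    while (p < end && *p == ' ') p++;
    while (p < end && *p >= '0' && *p <= '9' && digits < 5) {
        v = v * 10 + (unsigned)(*p++ - '0');
        digits++;
    }
    while (p < end && *p == ' ') p++;
    if (digits == 0 || v == 0 || v > 65535) return NULL;
    *port = v;
    return p;
}

/* Classify one payload line. dst_port decides client or server side;
 * every read is bounded by len, so a truncated capture is just malformed. */
enum ident_kind ident_classify(const char *data, size_t len, unsigned dst_port,
                               unsigned *srv_port, unsigned *cli_port)
{
    const char *p = data, *end = data + len;

    if (!(p = parse_port(p, end, srv_port))) return IDENT_MALFORMED;
    if (p == end || *p++ != ',') return IDENT_MALFORMED;
    if (!(p = parse_port(p, end, cli_port))) return IDENT_MALFORMED;

    if (dst_port == IDENT_PORT)  /* client to server: a bare port pair */
        return (p == end || *p == '\r' || *p == '\n') ? IDENT_REQUEST
                                                      : IDENT_MALFORMED;

    if (p == end || *p++ != ':') return IDENT_MALFORMED;
    while (p < end && *p == ' ') p++;
    if ((size_t)(end - p) >= 6 && memcmp(p, "USERID", 6) == 0) return IDENT_USERID;
    if ((size_t)(end - p) >= 5 && memcmp(p, "ERROR", 5) == 0) return IDENT_ERROR;
    return IDENT_MALFORMED;
}

int main(void)
{
    /* Constructed sample query, as sent to port 113. */
    const char *q = "6193, 23\r\n";
    unsigned s = 0, c = 0;
    printf("kind=%d\n", (int)ident_classify(q, strlen(q), IDENT_PORT, &s, &c));
    return 0;
}
```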

%page

Create the dissector...


	Hack away until done...

%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%page

Other files you need to modify


	Makefile.common
		Add your source code module to DISSECTOR_SOURCES
	Rerun configure

%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%page

Building the dissector


%size 4, font "typewriter"
      make: make

%size 4, font "typewriter"
      test

%size 4, font "typewriter"
      fix

%size 4, font "typewriter"
      goto make
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%page

Advanced topics


	Preferences
	Display filters
	Keeping state
	Conversations
	Per-frame state
	Missing frames
	Changing the GUI


%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%page

Preferences


	Allow you to manage preferences
	Kept in ~/.ethereal/preferences
	You provide a callback routine
		proto_reg_handoff_xxx
	Register your preferences in proto_register_xxx
		Fields
		Types
		Description
		They appear in the preferences panel


%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%page

Preferences, cont


%center, image "eth-prefs.png"

%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%page

Preferences, the code


	prefs_register_module
		Registers the module and a handoff routine
	prefs_register_xxx_preference
		Registers a preferences field, its type, name, description, etc


%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%page

Display filters


	Allow users to search the capture file for interesting items
	Supported by registering field items to the protocol tree
		proto_register_field_array
	Field items can be displayable or hidden

%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%page

Keeping state


	Sometimes you want to keep state information
		You need information from past frames to make sense of the current frame
	Two mechanisms that work hand in hand
		Conversations
			Focussed around TCP connections
		Per-frame data
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%page

Conversations


	Conversations allow you to keep state information
		Source & dest IP and port numbers
	Search for the conversation on each frame
		Create one if it does not exist
	Best used on the first pass through all the packets

%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%page

Per-frame state


	State can be kept:
		Per-frame
		Per-protocol
	Best used in conjunction with conversations
	Accumulate information on first pass
		Add it to per-frame data as you go
	Always check for per-frame data first
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%page

Missing and/or duplicate frames


	Your dissector must tolerate missing frames, segments, etc
	Can be missing for a variety of reasons
		Did not capture enough packets/frames
		Multiple paths through the internet
	Your dissector must also tolerate duplicate segments
		Retransmissions
		Capturing on loopback under Linux
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%page

Changing the GUI


	All the GUI code is kept in ethereal-x.y.z/gtk
	Mostly callbacks from GTK+ objects
	Add what you need
	Discuss it with the team first

%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%page

Resources


	The Ethereal web site
		www.ethereal.com

	The Ethereal user's guide
		www.ns.aus.com/ethereal/user-guide/book1.html

	The GTK+ web site
		www.gtk.org

	Ethereal developer documentation
		README.developer in doc directory
		README.tvbuff in doc directory

%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%page

Mailing lists


	ethereal-dev
	ethereal-announce
	ethereal-users
	ethereal-core
	Subscribe to them from www.ethereal.com