Extending Wireshark Analysis - status

Primary mentor: Guillaume Arcas (FR)
Student: Jakub Zawadzki
Git repository: ssh://git@XXXX/wireshark.git I don't know if I can publish the clone address. Anyway, this repository doesn't have public access.
Sources: tarball (6a90328c16e3f7fe9355d6d28b4902edd47d86ab)

Binary packages for i686 and amd64

Debian packages are, I think, the most popular way of distributing binaries, so I've debootstrapped an Ubuntu Lucid distribution and prepared packages for you. They're built for Lucid, but they should work with any Debian or Ubuntu distribution (if not, please give me a note!)

Add to your apt sources.list:

deb http://darkjames.pl/gsoc2011/lucid-x86 ./
deb http://darkjames.pl/gsoc2011/lucid-amd64 ./

After apt-get update you can install these packages:

wireshark-gsoc - network traffic analyser
wireshark-gsoc-wirebrowse - Wirebrowse plugin
wireshark-gsoc-wireshav - WireshAV plugin
wireshark-gsoc-wireshnork - Wireshnork plugin
wireshark-gsoc-wiresocks - Wiresocks plugin
wireshark-gsoc-wireviz - Wireviz plugin

It's compiled with the /usr/local prefix!
If you have any Wireshark installed in /usr/, remember to explicitly run /usr/local/bin/wireshark

Compiling wireshark with plugins

If you're (un)lucky enough not to use .deb packages, or you're on another system architecture, you need to compile your own version of Wireshark.
To make your life a little easier I've prepared the get-wireshark.sh script (also in the git repository), which will help you do this.

But before you use get-wireshark.sh you need to install some dependencies.
Building Wireshark requires the dependencies listed on the wiki page: http://wiki.wireshark.org/Development
Dependencies for the plugins are listed below.

Newer versions of get-wireshark.sh support building only specific plugin(s).
Example usages:

  • Compile only wireviz plugin
    ./get-wireshark.sh clean wireviz
  • Compile only plugins created during gsoc:
    ./get-wireshark.sh clean gsoc

Wireshnork

Dependencies: Configured snort (plugin tested with: snort-2.8.6, snort-2.9.0.5)
Functionality: Support for filtering on snort alerts in Wireshark
Features: you can use these new display filters:

  • snort - Filter packets that have a snort alert
  • snort.sid - SID of the rule which generated the alert
  • snort.generator - Generator of the rule which generated the alert
  • snort.rev - Revision of the rule which generated the alert
  • snort.msg - Alert message
  • snort.class - Alert class
  • snort.priority - Alert priority
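As an added example (not the plugin's own code), the following Python parses snort's console/"fast" alert output into the same fields the display filters above expose, and emulates a "snort.priority <= N" filter over them; the alert lines are constructed samples, and the regex assumes snort's standard [gid:sid:rev] alert format.

```python
import re

# Snort's console/fast alert line: the rule id triple [gid:sid:rev] maps onto
# snort.generator / snort.sid / snort.rev, the text between the [**] markers onto
# snort.msg, and the optional Classification / Priority brackets onto snort.class / snort.priority.
ALERT_RE = re.compile(
    r"\[\*\*\]\s*\[(?P<gen>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s*(?P<msg>.*?)\s*\[\*\*\]"
    r"(?:\s*\[Classification:\s*(?P<cls>[^\]]*)\])?"
    r"(?:\s*\[Priority:\s*(?P<prio>\d+)\])?"
)


def parse_alert(line):
    """Return {display filter field: value} for one alert line, or None for other output."""
    m = ALERT_RE.search(line)
    if m is None:
        return None
    return {
        "snort.generator": int(m["gen"]),
        "snort.sid": int(m["sid"]),
        "snort.rev": int(m["rev"]),
        "snort.msg": m["msg"],
        "snort.class": m["cls"],  # None when snort printed no Classification (e.g. preprocessor alerts)
        "snort.priority": int(m["prio"]) if m["prio"] is not None else None,
    }


def high_priority_sids(lines, max_priority=1):
    """Emulate the display filter 'snort.priority <= N' (lower number = more severe)."""
    hits = []
    for line in lines:
        a = parse_alert(line)
        if a and a["snort.priority"] is not None and a["snort.priority"] <= max_priority:
            hits.append(a["snort.sid"])
    return hits


# Constructed sample output in snort's console format (not taken from a real capture).
SAMPLE_OUTPUT = [
    "07/25-12:00:00.000001  [**] [1:2003:8] SQL Worm propagation attempt [**] "
    "[Classification: Misc Attack] [Priority: 2] {UDP} 10.0.0.5:1434 -> 10.0.0.9:1434",
    "07/25-12:00:01.000002  [**] [1:648:7] SHELLCODE x86 NOOP [**] "
    "[Classification: Executable code was detected] [Priority: 1] {TCP} 10.0.0.5:4444 -> 10.0.0.9:80",
    "07/25-12:00:02.000003  [**] [119:2:1] (http_inspect) DOUBLE DECODING ATTACK [**] "
    "[Priority: 3] {TCP} 10.0.0.5:50000 -> 10.0.0.9:80",
    "Run time for packet processing was 0.1234 seconds",  # not an alert line
]
```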

Filtering in Wireshnork

Configuration:

  • Configuration Filename - The name of the file containing the snort IDS configuration
    Default: /etc/snort/snort.conf
  • Try to synchronize communication with snort [ms] - This option passes an extra -v (verbose) option to snort. It makes snort and the Wireshnork plugin a little slower. Enabling this option is *REQUIRED* for one-pass tshark
    Default: 100

NOTEs:

  1. It works only for frames encapsulated in Ethernet, and only when all frames in the capture file have the same encapsulation (snort doesn't support the pcap-ng file format).

BUGs:

  1. Capture size is limited to 1'000'000 frames

WireshAV

Dependencies: libclamav, and optionally clamd (tested with: clamav-0.97)
Functionality: Extract files transferred over mail protocols, HTTP and Samba, and scan them with an antivirus.
Features: you can use these new display filters:

  • av - Display all packets scanned by the antivirus
  • av.uri - "URI" of the scanned file
  • av.sha - SHA-256 of the scanned file
  • av.virus - Whether a virus was "Detected" or "Not Detected" in this file
  • av.clamav - Name of the virus from the ClamAV database

NOTEs:

  1. If you're not using clamd, or you've set the unix socket to an address other than /var/run/clamav/clamd.sock, you might experience a much slower Wireshark startup ;-)
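As an added example (not the plugin's code), this Python shows how a scan over the clamd unix socket named above is framed with clamd's INSTREAM command, and how clamd's reply maps onto the av.virus and av.clamav fields, alongside the SHA-256 that av.sha carries; the function names and the 64 KiB chunk size are my assumptions.

```python
import hashlib
import socket
import struct

CLAMD_SOCKET = "/var/run/clamav/clamd.sock"  # default socket path mentioned in the note above


def instream_request(data, chunk_size=65536):
    """Frame a file as a clamd zINSTREAM request: the NUL-terminated command,
    then <4-byte big-endian length><bytes> chunks, ended by a zero-length chunk."""
    req = bytearray(b"zINSTREAM\0")
    for off in range(0, len(data), chunk_size):
        part = data[off:off + chunk_size]
        req += struct.pack(">I", len(part)) + part
    req += struct.pack(">I", 0)  # zero-length chunk terminates the stream
    return bytes(req)


def parse_reply(reply):
    """Map clamd's 'stream: <name> FOUND' / 'stream: OK' reply onto the two
    display filter fields, returned as (av.virus, av.clamav)."""
    text = reply.rstrip(b"\0\n").decode("utf-8", "replace")
    _, _, verdict = text.partition(": ")
    if verdict.endswith(" FOUND"):
        return "Detected", verdict[:-len(" FOUND")]
    if verdict == "OK":
        return "Not Detected", None
    raise ValueError("unexpected clamd reply: " + text)  # e.g. '... ERROR' (size limit hit)


def scan_bytes(data, sock_path=CLAMD_SOCKET):
    """Scan one extracted file through clamd; returns (av.sha, av.virus, av.clamav)."""
    with socket.socket(socket.AF_UNIX, socket.SOCK_STREAM) as s:
        s.connect(sock_path)
        s.sendall(instream_request(data))
        reply = b""
        while not reply.endswith(b"\0"):  # z-prefixed commands get NUL-terminated replies
            buf = s.recv(4096)
            if not buf:
                break
            reply += buf
    virus, name = parse_reply(reply)
    return hashlib.sha256(data).hexdigest(), virus, name
```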

TODOs:

  1. Add support for files transferred by other protocols, like DCC (irc/xmpp/...), ftp or nfs.
  2. Implement support for other antiviruses; try to use the VirusTotal API

WireBrowse

Dependencies: none
Functionality: Listen on 127.0.0.1:8080 and allow the user to use Wireshark functionality remotely.
WARNING: proof-of-concept, use it only with smaller (< 30 MB) capture files!
Features:

  • Packet List: Display the list of packets and the details of the selected one
  • WireBrowse: Filtered Frame list

  • Connection List: It's based on Wireshark's Statistics->Conversations, but you can get the list of packets more quickly
  • WireBrowse: TCP Connection list

BUGs:

  1. Lots of memleaks! It can also leak some file descriptors.
  2. The background of packets is not set if you haven't browsed to them in the GUI (can't be fixed, internal Wireshark GUI optimization)

TODOs:

  1. Instead of transmitting large amounts of HTML, try to use XML or JSON and recreate the tables with JavaScript
  2. Make the byte view clickable
  3. Wireshark has IO Graphs; it should be easy to reimplement them with some JavaScript chart library.
  4. Make it standalone (i.e. without the Wireshark GUI)

WireSocks

Dependencies: none
Functionality: Set up a "proxy server" which imitates an HTTP server and serves captured files
Features:

  • Can work as both HTTP and Socks4 proxy

TODOs:

  • Support for Socks5
  • Emulate other services (?); there's already support for capturing mails, so we could emulate imap and pop3.
  • Like WireBrowse, make it work without the Wireshark GUI

BUGs:

  • It always sends a 200 status code, which is why 301 redirections don't work

WireViz

Dependencies: Graphviz with cairo support (tested with: graphviz-2.26.3)
Functionality: Display the connection list as a graph, and allow fast navigating or filtering.
Features:

  • Filter (LMB + click on node or edge)
  • Move (MMB + move)
  • Popup menu with connection list & prepare as filter (RMB + click on node or edge)
  • Zoom in/out (scroll up/down)
  • Connection information (length, tx/rx-bytes) in tooltips

Wireviz screencast (http://www.youtube.com/watch?v=fU8w0jooIwE)
Early alpha version of WireViz

TODOs:

  1. Add a ComboBox with elements: [none, ether, ip, ipv6, tcp, udp] which would allow building connections of the given type
  2. Add a ComboBox to select the graph layout
  3. Nodes which match the current display filter could be shown differently
  4. Allow the user to set the shape and colour of nodes based on user display filter(s).
    (Like when tcp.analysis.flags matches, set the shape to rectangle, or when "(snort || av)" matches, set the node background to red) :>