Primary mentor: Guillaume Arcas (FR)
Student: Jakub Zawadzki
Git repository: ssh://git@XXXX/wireshark.git I don't know if I can publish clone address. Anyway this repository don't have public access.
Sources: tarball (6a90328c16e3f7fe9355d6d28b4902edd47d86ab)
Binary packages for i686 and amd64
Debian packages is I think most popular way of distributing binaries, so I've debootstrap Ubuntu Lucid distribution and prepared one for you. It's built for lucid, but it should work with any Debian or Ubuntu distribution (if not please give me a note!)
Add to your apt sources.list:
deb http://darkjames.pl/gsoc2011/lucid-x86 ./
deb http://darkjames.pl/gsoc2011/lucid-amd64 ./
After apt-get update you can install these packages:
It's compilated to use /usr/local prefix!
wireshark-gsoc - network traffic analyser
wireshark-gsoc-wirebrowse - Wirebrowse plugin
wireshark-gsoc-wireshav - WireshAV plugin
wireshark-gsoc-wireshnork - Wireshnork plugin
wireshark-gsoc-wiresocks - Wiresocks plugin
wireshark-gsoc-wireviz - Wireviz plugin
If you have any wireshark installed in /usr/ remember to explicit run /usr/local/bin/wireshark
Compiling wireshark with plugins
If you're (un)lucky and you use not .deb packages or other system architecture, you need to compile your own version of wireshark.
To make your life a little easier I've prepared get-wireshark.sh script (also in git repository) which will help to do this
But before you use get-wireshark.sh you need to install some dependencies.
Building wireshark requires dependencies listed on wiki page: http://wiki.wireshark.org/Development
Dependencies for plugins are listed below
Newer version of get-wireshark.sh support building only specific plugin(s)
- Compile only wireviz plugin
./get-wireshark.sh clean wireviz
- Compile only plugins created during gsoc:
./get-wireshark.sh clean gsoc
Dependencies: Configured snort (plugin tested with: snort-2.8.6, snort-220.127.116.11)
Functionality: Support to filter snort alerts in Wireshark
Features: you can use new display filters:
- snort - Filter packets with snort alert
- snort.sid - SID of rule which generated alert
- snort.generator - Generator of rule which generated alert
- snort.rev - Revision of rule which generated alert
- snort.msg - Alert message
- snort.class - Alert class
- snort.priority - Alert priority
- Configuration Filename - The name of the file containing the snort IDS configuration
- Try to synchronize communication with snort [ms] - This option pass extra -v (verbose) option to snort. It makes snort and WireShnort plugin a little slower. Enabling this option is *REQUIRED* for one pass tshark
- It works only
for frames encapsulated in ethernet when all frames in capture files has the same encapsulation (snort don't support pcap-ng file format).
- Capture size is limited to 1'000'000 frames
Dependencies: libclamav, and optionally clamd (Tested with: clamav-0.97)
Functionality: Get files transferred over: mails, HTTP, samba and scan them with antivirus.
Features: you can use new display filters:
- av - Display all packets scanned by antivirus
- av.uri - "URI" of scanned file
- av.sha - SHA-256 of scanned file
- av.virus - Is virus "Detected" or "Not Detected" in this file
- av.clamav - Name of virus from ClamAV database
- If you're not using clamd or you've set unix socket at other address than: /var/run/clamav/clamd.sock you might experience much slower wireshark startup ;-)
- Add support for files transferred by other protocols, like DCC (irc/xmpp/...), ftp or nfs.
Implement support for other antiviruses Try to use Virus Total API
Functionality: Listen at 127.0.0.1:8080 and allow user to use wireshark functionality remotely.
WARNING: proof-of-concept, use it only with smaller (< 30 MB) capture files!
- Packet List: Display list of packets and details of selected one
- Connection List: It's based on Wireshark Statistics->Conversations, but you can quicker get list of packets
- Lot of memleaks!
It can also leak some file descriptors.
- Background of packets is not set if you don't browse to it in GUI (can't be fixed, internal wireshark GUI optimization)
- Make byte view clickable
- Make it standalone (i.e. without wireshark GUI)
Functionality: Setup "proxy server" which imitate HTTP server and serve captured files
- Can work as both HTTP and Socks4 proxy
- Support for Socks5
- Emulate other services (?), there's already support to capture mails so we can emulate imap and pop3.
- Like WireBrowse make it work without wireshark GUI
- It always send 200 status code, that's why 301 redirection doesn't work
Dependencies: Graphviz with cairo support (tested with: graphviz-2.26.3)
Functionality: Display connection list as graph, and allow fast nagivating or filtering.
- Filter (LMB + click on node or edge)
- Move (MMB + move)
- Popup menu with connection list & prepare as filter (RMB + click on node or edge)
- Zoom in/out (scroll up/down)
- Connection information (length, tx/rx-bytes) in tooltips
Wireviz screencast (http://www.youtube.com/watch?v=fU8w0jooIwE)
Add ComboBox with elements: [none, ether, ip, ipv6, tcp, udp] which would allow to build connection of given type
Add ComboBox to select graph layout
- Nodes which match current display filter can be showed differently
Allow user to set shape, color of nodes based on user display filter(s).
(Like when tcp.analysis.flags, set shape to rectangle, or when "(snort || av)" set node background to red) :>