Rootconf 2019

On infrastructure security, DevOps and distributed systems.

Participate

Shooting the trouble down to the Wireshark Lua plugin

Submitted by Shakthi Kannan (@shakthimaan) on Wednesday, 27 February 2019

Technical level: Intermediate Section: Workshop

View proposal in schedule

Abstract

Wireshark is a Free (Libre) and Open Source protocol analyzer used for troubleshooting networks, and analysis of communication protocols. The Lua programming language support has been included in Wireshark for scripting, prototyping and packet dissection. At Aerospike, a NoSQL database company, we have implemented a Wireshark Lua plugin to help us solve issues at the wire level. In this workshop, I will be sharing the experiences and knowledge gained in creating a Lua dissector plugin. This includes code structure, layout, snippets, prototyping, testing, use cases and documentation. We will also have a hands-on workshop to get the participants introduced to Wireshark and Wireshark Lua interface to write protocol dissectors.

Outline

  • Motivation
  • Wireshark Lua
  • Usage
  • Examples
  • Literate Programming
  • Markdown Structure
  • lit2lua
  • Protocol Dissection Pattern
  • Dissector Table
  • Wireshark User Interface
  • Hands-on Session
  • Message and Heartbeat Protocol
  • CDT List Operations
  • Reassembly of TCP Segments
  • Hot key Report
  • Tests
  • Debugging and Linting
  • Performance
  • Future Work
  • References

Source Code: https://github.com/aerospike/aerospike-wireshark-plugin

Requirements

You need to have Lua and Wireshark (GUI) installed on your laptop. If you are on any GNU/Linux distribution, you can the package manager to install them. For other operating systems, please install them from the official Wireshark downloads at https://www.wireshark.org/#download.

Familiarity with any programming language is good to get started with Lua.

Speaker bio

Shakthi Kannan is a Free Software enthusiast who plays a Senior DevOps Engineer role at Aerospike, Bengaluru. He has developed the Aerospike Wireshark Lua plugin that is used for troubleshooting and network analysis. He is an avid promoter of Free (Libre) and Open Source Software, and blogs at shakthimaan.com. He holds a Masters degree in Information Technology from Rochester Institute of Technology.

Links

Slides

http://shakthimaan.com/downloads/Shooting-the-trouble-down-to-the-Wireshark-Lua-plugin.pdf

Comments

  • Kushal Das (@kushaldas) 3 months ago

    Hi,

    Can you please also add examples of simpler protocol which everyone uses? Say how to disect DNS packets (queries/answers).

  • Shakthi Kannan (@shakthimaan) Proposer 3 months ago (edited 3 months ago)

    The protocols like DNS are already built into Wireshark and are implemented in C. Please refer https://wiki.wireshark.org/DNS. This talk demontrates how you can go about writing a Wireshark Lua plugin for a custom protocol for troubleshooting and network packet analysis. The Aerospike Wireshark Lua plugin is available as Free Software at https://github.com/aerospike/aerospike-wireshark-plugin. Based on your feedback, I have changed the talk level to intermediate. Thanks!

Login with Twitter or Google to leave a comment