SharkFest 17 Europe. Generating Wireshark Dissectors from XDR Files. Why you don't want to write them by hand. Richard Sharpe.

SharkFest '17 Europe
Generating Wireshark Dissectors from XDR Files
Why you don't want to write them by hand
Richard Sharpe, Primary Data, Wireshark Core Team
8 November 2017
#sf17eu, Estoril, Portugal, 7-10 November 2017
How to rule the world by looking at packets!

Agenda
- Motivation
- What We Built
- XDR Files (what they look like)
- How We Went About It
- Was It Successful?
- Next Steps
- Where Is The Code?

Motivation
Writing dissectors by hand is:
- Tedious
- Error prone
- Requires lots of expertise
- The last thing to be done in a project, yet engineers and QA demand them
- And the protocols change from time to time, so the dissectors have to follow

What We Built
- Two versions of the generator; the second one is in use now
- Integrated with our build system:
  - Generates dissectors from all XDR files in the build
  - Builds Wireshark with the extra dissectors
  - Packages it in RPMs
  - Runs on every build (unfortunately this increases build time a lot)

XDR Files
An XDR file describes a protocol:
- Constants
- Enums
- Data structures
- Typedefs
- Functions/procedures, with their arguments and return values
rpcgen is used to generate client and server stubs from it

XDR files, cont.
There are no executable statements in XDR; a file is pure declarations. Lines beginning with % are passed through verbatim by rpcgen into the generated C, which is how the header includes below end up in the stubs.

    %#include "pd/types.h"
    %#include "pd/pd_dmc_mover_types.h"
    %#include "pd/nfsv3_xdr.h"

    struct pddi_teardown_proxy_arg_t {
        pdx_job_id_t job_id;
        nfs_fh3      synth_fh;
    };

    const MAX_REQUEST = 10;

    program PDDI_PROGRAM {
        version PDDI_RPC_V2 {
            /* NULL Procedure to test connectivity. */
            void PDDI_NULL(void) = 0;
            pddmc_job_res_t PDDI_DO_COPY(pddi_copy_arg_t a) = 3;
        } = 2;
    } = 0x4D100000;
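As an added example (not code from the talk or from the wireshark_rpcgen project), here is the wire side of the definitions above in Python: what a dissector for PDDI_PROGRAM has to decode for a PDDI_NULL call, and how struct pddi_teardown_proxy_arg_t is laid out in XDR. It assumes pdx_job_id_t is an unsigned 32-bit integer and nfs_fh3 is opaque<64> as in the NFSv3 specification (the talk shows neither definition), and the RPC messages it decodes are constructed inline. The bound checks are the ones a generated dissector must also make: a length word larger than the declared bound or than the bytes left in the buffer is a malformed packet, not a value to trust.

```python
import struct

PDDI_PROGRAM, PDDI_RPC_V2 = 0x4D100000, 2     # from the program block above
NFS3_FHSIZE = 64        # assumption: nfs_fh3 is opaque<64>, as in NFSv3 (RFC 1813)


class XdrError(ValueError):
    """Raised where a dissector would mark the packet malformed."""


class XdrReader:
    """Cursor over XDR-encoded bytes; every read is bounds-checked first."""

    def __init__(self, data):
        self.data, self.off = data, 0

    def uint32(self):
        if self.off + 4 > len(self.data):
            raise XdrError(f"truncated uint32 at offset {self.off}")
        (v,) = struct.unpack_from(">I", self.data, self.off)
        self.off += 4
        return v

    def opaque_var(self, maxlen):
        """opaque x<maxlen>: length word, the bytes, zero padding to a 4-byte boundary."""
        n = self.uint32()
        if n > maxlen:      # the declared bound is a hard limit on the wire; enforce it
            raise XdrError(f"opaque length {n} exceeds bound {maxlen}")
        padded = (n + 3) & ~3
        if self.off + padded > len(self.data):
            raise XdrError(f"opaque body truncated at offset {self.off}")
        v = self.data[self.off:self.off + n]
        self.off += padded
        return v

    def remaining(self):
        return len(self.data) - self.off


def decode_teardown_proxy_arg(r):
    """struct pddi_teardown_proxy_arg_t { pdx_job_id_t job_id; nfs_fh3 synth_fh; }"""
    job_id = r.uint32()  # assumption: pdx_job_id_t is an unsigned 32-bit integer
    synth_fh = r.opaque_var(NFS3_FHSIZE)
    return {"job_id": job_id, "synth_fh": synth_fh}


# procedure number -> argument decoder; PDDI_NULL (0) takes void. The talk does not
# show which procedure carries pddi_teardown_proxy_arg_t, so it is not wired in here.
ARG_DECODERS = {0: lambda r: {}}


def decode_call(msg, arg_decoders=ARG_DECODERS):
    """ONC RPC CALL header (RFC 5531), then the procedure's XDR arguments."""
    r = XdrReader(msg)
    xid = r.uint32()
    if r.uint32() != 0:
        raise XdrError("not an RPC CALL")
    if r.uint32() != 2:
        raise XdrError("unsupported RPC version")
    prog, vers, proc = r.uint32(), r.uint32(), r.uint32()
    if (prog, vers) != (PDDI_PROGRAM, PDDI_RPC_V2):
        raise XdrError(f"unexpected program/version {prog:#x}/{vers}")
    for _ in ("cred", "verf"):   # two opaque_auth: flavor word + opaque<400> body
        r.uint32()
        r.opaque_var(400)
    if proc not in arg_decoders:
        raise XdrError(f"unknown procedure {proc}")
    args = arg_decoders[proc](r)
    if r.remaining():            # a correct dissector leaves no undissected bytes
        raise XdrError(f"{r.remaining()} undissected bytes")
    return xid, proc, args


def dissect(msg):
    """Top-level behaviour: a decoded call, or a malformed verdict with the reason."""
    try:
        return ("ok", decode_call(msg))
    except XdrError as e:
        return ("malformed", str(e))


def encode_opaque(b):
    return struct.pack(">I", len(b)) + b + b"\0" * (-len(b) % 4)


def encode_call(xid, proc, body=b""):
    """Constructed test input: a CALL with AUTH_NONE credentials and verifier."""
    hdr = struct.pack(">IIIIII", xid, 0, 2, PDDI_PROGRAM, PDDI_RPC_V2, proc)
    auth_none = struct.pack(">II", 0, 0)
    return hdr + auth_none + auth_none + body


if __name__ == "__main__":
    print(dissect(encode_call(0x1234, 0)))
    fh = bytes(range(1, 11))     # a 10-byte handle occupies 12 bytes on the wire
    body = (42).to_bytes(4, "big") + encode_opaque(fh)
    print(decode_teardown_proxy_arg(XdrReader(body)))
```

Every field type in an XDR file maps to one of a handful of read primitives like these, which is exactly why the decoding can be generated; the part that is easy to get wrong by hand is the padding and the bound checks, repeated once per field across thousands of lines.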

How We Went About It (HWWAI)
Needed a parser for XDR. Considered several approaches:
- Write one myself
- Use Python
- Other?
Started with rpcgen from glibc, then switched to the rpcgen code from libtirpc, which is essentially the original rpcgen.

HWWAI-2
With rpcgen's parser:
- No issues around compatibility: whatever rpcgen accepts, the generator accepts
- Written in C
- Could simply walk the abstract syntax tree (if you can call it that)
Modified rpcgen a bit:
- Added the dissector generator code (~2,000 LoC)
- It walks the definitions and generates the code for a dissector

HWWAI-3
Not as simple as it seems: this is writing code that generates code, so there are two programs to keep correct.
- The code generator has to compile
- The generated code must compile
- The resulting dissector must not crash (it runs on whatever arrives on the wire, so malformed input has to be reported, not trusted)
- The resulting dissector must be correct:
  - No undissected bytes
  - No incorrectly dissected bytes

HWWAI-4-1
What experience did I have?
- Wrote a number of dissectors
- Used a generator (in Perl) to create the original SMB dissector
- Lots of C experience
- Willingness to push it to completion
- But I had not done much Wireshark work for a long while, and lots had changed

HWWAI-4-2
How long did it take?
- About 6 months part time, for two versions
- Including some time in Vancouver while on holidays
- The rewrite was really needed

HWWAI-6
How many dissectors do we generate?
- 7-10 protocols
- ~22,000 LoC of generated code in total
- Each build generates a new version of Wireshark, stamped with the build number and hash

HWWAI-5
Goal: generate code with no manual intervention.
Overview of what we are generating:
- Boilerplate
- Declarations (hf, ett, etc.)
- Dissector code
- Registration code: hf array, ett array, etc.

Look at a generated dissector
(Demo: a look at the generated code.)

A look at some results
(Demo.)

HWWAI-7
Difficult parts of XDR:
- Include files
- Individual declarations, which come in several different types
- Unions
- Recursive types (self-referential)

HWWAI-8
Include files:

    %#include "pd/types.h"
    %#include "pd/pd_dmc_mover_types.h"
    %#include "pd/nfsv3_xdr.h"

- They started out as XDR files but are included as .h files
- Convert the name to a .x file and search for it, because we need the XDR file, not the C header
- Must avoid generating code for definitions that are not used!
- Mark included definitions as reachable or unreachable

Review the data structures
(Demo: a look at the rpcgen data structures, which rpcgen uses to describe each XDR element.)

HWWAI-9
Individual declarations:

    union shr_client_match switch (some_type scm_type) {
    case SHR_CLIENT_MATCH_TYPE_IPV4:
        shr_ipgroup_range_ipv4 scm_range_ipv4;
    case SHR_CLIENT_MATCH_TYPE_IPV6:
        shr_ipgroup_range_ipv6 scm_range_ipv6;
    case SHR_CLIENT_MATCH_TYPE_HOSTNAME:
        shr_hostname scm_hostname;
    case SHR_CLIENT_MATCH_TYPE_NETGROUP:
        shr_netgroup scm_netgroup;
    default:
        void;
    };

    struct share_export7 {
        shr_security_flavors se_flavors<>;
        bool                 se_allow;
        shr_client_match     se_clients<>;
        ...
    };

HWWAI-10
First approach: several passes across the list of definitions from rpcgen:
- One for header field definitions (used both for declarations and registration)
- One for ETT definitions
- One for forward declarations
- One for dissecting structures
- One for the registration routine
- Etc.

HWWAI-11
First approach, cont.
- Used the linker to handle include files: files without a program section were compiled to just a collection of dissection routines
- Became too hard to debug and keep correct, because knowledge was distributed in many places

HWWAI-12
Current approach: still several passes across the list of definitions from rpcgen, but:
- Include file names are converted to .x and pulled directly into the XDR token stream
- A pass across the definitions marks them reachable or unreachable, starting from the definitions in the primary XDR file
- No code is generated for unreachable definitions

HWWAI-13
Current approach, cont.
- Build lists of everything needed: ETT variables, header field definitions, dissectors, forward declarations, etc.
- Generate the code from the lists in one pass
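The three mechanisms of the current approach (include splicing, the reachability pass, and one emission pass over the collected lists) as an added Python example. This is not the talk's generator, which lives inside a modified rpcgen and is written in C; it is a stand-in on a tiny XDR subset (typedefs, structs, and a program block with procedures) parsing constructed in-memory .x files. The emitted C uses real Wireshark names (the hf_register_info and ett arrays, proto_register_protocol, proto_tree_add_subtree, and the packet-rpc.h helpers dissect_rpc_uint32, dissect_rpc_bool and dissect_rpc_data, each of which returns the offset after the field), but it is not compiled here, and the per-procedure vsff table that rpc_init_prog would need is left out.

```python
import re

XDR_FILES = {   # constructed for this example; the include of pd/types.h resolves to pd/types.x
    "pd/types.x": "typedef unsigned int pdx_job_id_t;\nstruct unused_t { unsigned int x; };\n",
    "pddi.x": '%#include "pd/types.h"\n'
              "struct copy_arg_t { pdx_job_id_t job_id; opaque fh<64>; };\n"
              "program PDDI_PROGRAM { version PDDI_RPC_V2 {\n"
              "    void PDDI_NULL(void) = 0;\n    unsigned int PDDI_DO_COPY(copy_arg_t a) = 3;\n"
              "} = 2; } = 0x4D100000;\n",
}
TOKEN = re.compile(r'%#include\s+"([^"]+)"|(\w+|[{}();<>=])')
BUILTIN = {   # XDR base type -> Wireshark field type, base, packet-rpc.h helper (returns new offset)
    "unsigned int": ("FT_UINT32", "BASE_DEC", "dissect_rpc_uint32"),
    "bool": ("FT_BOOLEAN", "BASE_NONE", "dissect_rpc_bool"),
    "opaque": ("FT_BYTES", "BASE_NONE", "dissect_rpc_data"),
}


def tokenize(name, files):
    """Lex one .x file; an include of x.h is spliced in as the tokens of x.x."""
    out = []
    for inc, tok in TOKEN.findall(files[name]):
        out += tokenize(re.sub(r"\.h$", ".x", inc), files) if inc else [tok]
    return out


def parse(tokens):
    """-> typedefs {name: base}, structs {name: [(type, field)]}, procs [(num, name, arg, res)]"""
    typedefs, structs, procs, i = {}, {}, [], 0

    def typename():              # consumes one type name; "unsigned int" is two tokens
        nonlocal i
        if tokens[i] == "unsigned":
            i += 2
            return "unsigned int"
        i += 1
        return tokens[i - 1]

    while i < len(tokens):
        kw, i = tokens[i], i + 1               # anything that is not a keyword is skipped
        if kw == "typedef":
            typedefs[tokens[i]] = typename()   # RHS runs first, so tokens[i] is then the new name
            i += 2                             # name ;
        elif kw == "struct":
            name, fields, i = tokens[i], [], i + 2
            while tokens[i] != "}":
                fields.append((typename(), tokens[i]))
                while tokens[i] != ";":        # skip the field name and any <bound> or [size]
                    i += 1
                i += 1
            structs[name] = fields
            i += 2                             # } ;
        elif kw == "version":                  # version NAME { procs } = N ;
            i += 2
            while tokens[i] != "}":
                res, name = typename(), tokens[i]
                i += 2                         # NAME (
                arg = typename()
                if tokens[i] != ")":           # optional parameter name
                    i += 1
                procs.append((int(tokens[i + 2], 0), name, arg, res))
                i += 4                         # ) = N ;
    return typedefs, structs, procs


def reachable(typedefs, structs, procs):
    """Definitions reachable from the procedures' argument and result types."""
    seen, todo = set(), [t for _, _, arg, res in procs for t in (arg, res)]
    while todo:
        t = todo.pop()
        if t in seen or (t not in typedefs and t not in structs):
            continue                           # already done, or a builtin such as void
        seen.add(t)
        todo += [typedefs[t]] if t in typedefs else [b for b, _ in structs[t]]
    return seen


def generate(main, files, abbrev="pddi"):
    typedefs, structs, procs = parse(tokenize(main, files))
    live = reachable(typedefs, structs, procs)
    live = [s for s in structs if s in live]   # no code at all for unreachable definitions
    decls, hfs, funcs = [f"static int proto_{abbrev} = -1;"], [], []
    for s in live:
        decls.append(f"static gint ett_{s} = -1;")
        body = [f"static int dissect_{s}(tvbuff_t *tvb, int offset, packet_info *pinfo _U_, proto_tree *tree, void *data _U_)",
                "{", f'    proto_tree *sub = proto_tree_add_subtree(tree, tvb, offset, -1, ett_{s}, NULL, "{s}");']
        for base, field in structs[s]:
            t = base
            while t in typedefs:               # typedef chains collapse to a base type
                t = typedefs[t]
            if t in BUILTIN:
                ft, bs, fn = BUILTIN[t]
                decls.append(f"static int hf_{s}_{field} = -1;")
                hfs.append(f'    {{ &hf_{s}_{field}, {{ "{field}", "{abbrev}.{s}.{field}", {ft}, {bs}, NULL, 0, NULL, HFILL }} }},')
                body.append(f"    offset = {fn}(tvb, sub, hf_{s}_{field}, offset);")
            else:                              # nested struct: delegate to its dissector
                body.append(f"    offset = dissect_{t}(tvb, offset, pinfo, sub, NULL);")
        funcs.append("\n".join(body + ["    return offset;", "}"]))
    reg = [f"void proto_register_{abbrev}(void)", "{",
           "    static hf_register_info hf[] = {", *hfs, "    };",
           "    static gint *ett[] = { " + ", ".join(f"&ett_{s}" for s in live) + " };",
           f'    proto_{abbrev} = proto_register_protocol("{abbrev.upper()}", "{abbrev}", "{abbrev}");',
           f"    proto_register_field_array(proto_{abbrev}, hf, array_length(hf));",
           "    proto_register_subtree_array(ett, array_length(ett));", "}"]
    return "\n".join(decls + [""] + funcs + [""] + reg) + "\n"
```

Running generate("pddi.x", XDR_FILES) emits hf and ett declarations, a dissect_copy_arg_t routine and the registration function for copy_arg_t and its fields only; unused_t from the included file gets no code, which is the point of the reachability pass. Because the parser, the reachability marking and the emission each read from the same lists, a bug in one place shows up in one place, which is the property the first approach lacked.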

Code review
(Demo: a look at some generated code and at parts of the generator.)

HWWAI-14
Integration into our build environment:
- Checks out the generator
- Builds the generator (very quick)
- Generates the dissectors (very quick)

HWWAI-15
- Writes their names to Custom.common
- Generates a hash of all the XDR files
- Modifies configure.ac and Makefile.am, editing the hash in as extra version info
- Then a standard Wireshark build, which takes a long time
- Haven't bothered to build them as plugins

Look at the build script
(Demo: some parts of the build.)

Was It Successful?
- Engineers scream if generation fails
- Engineers and QA depend on it
- Every build gets a new version of Wireshark with the current dissectors (this step could be skipped when the XDR files have not changed)
- It just works
So, yes, it has been successful!

Next Steps
- gRPC dissector generators: Google's RPC language, via protobufs
- Generators for other language-based protocol specifications
- Dissectors for Wi-Fi protocols, etc.

A dissector generator language
For Wi-Fi dissectors?
- Use ANTLR4
- Generate a parser from an EBNF grammar
- Add the code generation in Java (ANTLR is written in Java, so that is easier)
- ANTLR makes writing grammars easy, and also makes generating code easy

Example dissector language

    ...
    typedef byte radio_id[6];

    struct channel_preference {
        radio_id          "Radio unique identifier";
        uint8             "Operating classes";
        channel_pref_detl "Operating class list"["operating classes"];
    };

    protodetails = { "IEEE 1905.1a", "ieee1905", "ieee1905" };
    dissectorentry ieee1905 = ieee1905_cmdu;
    dissectortable["ethertype"] = ieee1905;

Example ANTLR grammar

    grammar WiresharkGenerator;

    protocol : protodecl+ ;

    protodecl
        : dissectortabledecl
        | protodetailsdecl
        | dissectorentrydecl
        | enumdecl
        | strenumdecl ';'
        | structdecl ';'
        | typedef
        ;

    dissectortabledecl : 'dissectortable' '[' STRING ']' '=' ID ';' ;

    protodetailsdecl : 'protodetails' '=' '{' STRING ',' STRING ',' STRING '}' ';' ;

    structdecl : 'struct' ID '{' ( structeltdecl ';' )+ '}' ;

    STRING : '"' .*? '"' ;    // Embedded quotes?

A look at the Java code
(Demo: such as it is.)

What else can we do?
- Generate expert info:
  - Recover from badly formatted fields
  - Flag incorrect values
- Generate packet replay for testing (scapy)
- Generate driver code as well?

What else can we do, cont.?
- Wireshark Dissector Specification Generator
- Packet Generator?

Conclusions
- It can be a quick way to generate dissectors
- The code is correct, as long as the generator is correct
- My XDR generator took a while to get correct: I had to wait for engineers to use more XDR features before those paths of the generator were exercised

Conclusions, cont.
Want more features:
- Automatically add expert info:
  - Malformed packets: point out the malformed fields
  - Invalid values
- All of this can be specified in the dissector spec

Where Is The Code?
GitLab: https://gitlab.com/realrichardsharpe/wireshark_rpcgen.git

Questions?