ring0 » blog

Writing Wireshark Plugins in C

tags: n900, n900, n900, wireshark, wireshark, wireshark, phonet, phonet, phonet, isi, isi, isi, c, c, c2010-10-05 04:38 by lwi

After some time writing the phonet dissector for wireshark in lua I noticed the disadvantages:

So I tried the C interface. I found the basic structure for plugins pretty fast in their documentation and thought about some design changes in the plugin:

A word and a blow. The new plugin is available in this isi-wireshark-plugin repository.

GPS Resource

I took some deeper looks on these packets and found the time and date information from the GPS data packets. Then I found out, that some guy from the Maemo community reverse engineered quite some stuff about it already and added all that to the plugin. The dissection of a GPS packet now looks as follows:

So the basic features of GPS are available (position,date/time,movement). Missing though are status fields, satellite information and AGPS stuff. Screenshot

Update (17.10.2010 17:21:00 +0200):

The guy from the Maemo community, Luke Dashjr, who reverse engineered the GPS data packet contacted me the other day and told me he found out about the missing bits, so I'm pleased to announce, that the wireshark plugin does know about satellite info now. The only missing bit is A-GPS!

Writing Wireshark Plugins

tags: n900, n900, n900, debian, debian, debian, wireshark, wireshark, wireshark, lua, lua, lua, phonet, phonet, phonet, isi, isi, isi2010-08-26 03:10 by lwi

In the last days I finally got some bits out of the Nokia N900's modem on Debian without any properitary tools. For now it's just the following information: manufacturer: "Nokia" model: "Nokia N900" revision: "V ICPR82_10w08 25-02-10 RX-51 (c) Nokia" But the most difficult part is probably done. My next plan was to get the modem connect to a mobile network, which requires an unlocked SIM card. Unfortunately ofono does not yet support SIM cards with PINs. Thus I had to find another way to get out how to perform this task. I started reverse engineering the properitary sscd, but got annoyed of it pretty fast (it's lots of work for just a little bit of information). I thought it might be easier to analyze the network traffic, since I know the basic format of these messages anyway. So I installed tcpdump in maemo and added the following event.d rule as /etc/event.d/tcpdump: description "tcpdump on phonet0" author "Sebastian Reichel" start on started dbus stop on stopping dbus service respawn respawn limit 10 1 console output exec tcpdump -i phonet0 -w /root/phonet.log This worked at one go and I had a log file with ~300 packages in it (this is the amount of packages generated during maemo's boot phase). The packages were detected as SLL packages by wireshark. This means there was just one blob of data, thus I deceided to write a plugin for Phonet. After some searching I deceided to use the lua interface, since it looked quite easy. I got hit by one problem while coding the (still very basic) plugin, which needs patching of wireshark (Debian Bug #594390). Now check the IMHO amazing result:

Note, that the plugin covers only some commands and is far from being complete. It will append all data, which has not been analyzed in an extra field.

Update (12.09.2010 04:21:00 +0200):

As of Revision 34101 Wireshark does support ssl.ltype dissectors, so the patch is not needed with it anymore.

Update (05.10.2010 03:35:00 +0200):

You must add the parameter "-s 0" to the tcpdump call or it will limit the packet size.