Wireshark-dev: [Wireshark-dev] Google Summer of Code 2013 project

From: Dirk Jagdmann <doj@xxxxxxxxx>
Date: Sun, 17 Feb 2013 18:04:31 -0800
Hello developers,

I'd like to explain a project I have been thinking about doing for a while, but of course it could also be done as a Google project (I could also mentor it). Let me first explain the situation at my work:

We often have to debug network issues and have to follow packets/connections as they progress through the network. So we often create multiple capture files at multiple devices while running a test. To see how the packets are traversing the network we would then like to follow the packets through the multiple capture files. We open multiple instances of Wireshark, load the capture files and then try to add filters to find the packets we're interested in.

The idea is that I can 1) remote control a Wireshark from another process to jump to a specific frame/packet, 2) look up packets intelligently. I'll explain the two features some more.

1) I'd like to remote control a Wireshark process and for a start initiate a "goto frame". I don't expect the Wireshark processes to be all on the same computer, either because my capture file is large and I need more than one computer to load them, or because I'd like to discuss a capture file with a friend over the phone, each looking at their local Wireshark. Thus a remote control via network. Now I do expect for a first iteration that all those Wireshark hosts are on the same LAN, so I would like to use UDP multicast to send those remote control messages. With a preference setting a user can enable the feature and join a multicast group. This also makes it independent of the operating system Wireshark is running on; I could mix and match different combinations. For a first iteration security would not be mandatory, but the remote control protocol should have a provision to add it later.

The idea is, two Wireshark processes load the same capture file, then they exchange some basic information on the current view. For a start I would like to see a "goto frame" command and an "apply filter" command.
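To make the remote-control part concrete, here is an added example (my own sketch, not Wireshark code and not something the post specifies) of a datagram format for the two commands, with a parser that refuses anything it does not understand. The magic value, header layout, JSON body, message-type numbers and the optional HMAC-SHA256 tag are all assumptions; the tag is one way to give the protocol the "provision to add security later" the post asks for without changing the message layout, since a receiver that has no key simply ignores it.

```python
"""Wire format for Wireshark remote-control datagrams (added example).

Everything here is an assumption made to illustrate the proposal: the
MAGIC marker, the header layout, the JSON payloads, the message type
numbers and the optional HMAC tag are not part of the original post.
"""
import hashlib
import hmac
import json
import socket
import struct

MAGIC = b"WSRC"            # assumed marker so unrelated multicast traffic is dropped early
VERSION = 1
FLAG_AUTH = 0x01           # set when a 32-byte HMAC-SHA256 tag follows the body

MSG_GOTO_FRAME = 1         # payload: {"frame": <positive int>}
MSG_APPLY_FILTER = 2       # payload: {"filter": "<display filter string>"}
KNOWN_TYPES = {MSG_GOTO_FRAME, MSG_APPLY_FILTER}

# Header: magic, version, message type, flags, body length (network byte order).
HEADER = struct.Struct("!4sBBBH")
TAG_LEN = hashlib.sha256().digest_size


def encode(msg_type, payload, key=None):
    """Build one datagram; append an HMAC tag when a shared key is configured."""
    body = json.dumps(payload, separators=(",", ":")).encode()
    flags = FLAG_AUTH if key else 0
    header = HEADER.pack(MAGIC, VERSION, msg_type, flags, len(body))
    tag = hmac.new(key, header + body, hashlib.sha256).digest() if key else b""
    return header + body + tag


def decode(datagram, key=None):
    """Parse a datagram into (msg_type, payload) or raise ValueError.

    A receiver that has a key refuses unsigned or badly signed messages;
    a receiver without a key accepts everything, as in the first iteration
    the post describes, but still validates the payload before acting on it.
    """
    if len(datagram) < HEADER.size:
        raise ValueError("short datagram")
    magic, version, msg_type, flags, length = HEADER.unpack_from(datagram)
    if magic != MAGIC or version != VERSION:
        raise ValueError("not a remote-control message for this version")
    if msg_type not in KNOWN_TYPES:
        raise ValueError("unknown message type %d" % msg_type)
    body = datagram[HEADER.size:HEADER.size + length]
    if len(body) != length:
        raise ValueError("truncated body")
    tag = datagram[HEADER.size + length:]
    if key is not None:
        if not flags & FLAG_AUTH or len(tag) != TAG_LEN:
            raise ValueError("authentication required")
        expected = hmac.new(key, datagram[:HEADER.size + length], hashlib.sha256).digest()
        if not hmac.compare_digest(tag, expected):
            raise ValueError("bad authentication tag")
    payload = json.loads(body.decode())
    if msg_type == MSG_GOTO_FRAME:
        frame = payload.get("frame")
        if not isinstance(frame, int) or isinstance(frame, bool) or frame < 1:
            raise ValueError("goto frame needs a positive frame number")
    if msg_type == MSG_APPLY_FILTER and not isinstance(payload.get("filter"), str):
        raise ValueError("apply filter needs a filter string")
    return msg_type, payload


def multicast_socket(group, port):
    """Open a UDP socket bound to `port` and joined to the multicast `group`
    (the preference-driven join the post describes). Not exercised offline."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM, socket.IPPROTO_UDP)
    sock.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    sock.bind(("", port))
    mreq = struct.pack("4sl", socket.inet_aton(group), socket.INADDR_ANY)
    sock.setsockopt(socket.IPPROTO_IP, socket.IP_ADD_MEMBERSHIP, mreq)
    return sock


if __name__ == "__main__":
    key = b"shared-secret-from-preferences"   # constructed sample key
    wire = encode(MSG_GOTO_FRAME, {"frame": 1234}, key)
    print(decode(wire, key))                   # (1, {'frame': 1234})
```

The receiving Wireshark would call `decode()` on every datagram read from `multicast_socket()` and only then hand the frame number or filter string to its own "goto frame" / "apply filter" logic; anything malformed, unsigned (when a key is set) or of an unknown type is dropped before it reaches that code.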

2) Now that I can remote control two Wireshark processes, I'd like to extend that feature for an intelligent matching of network packets, if I load two different capture files. The idea is that for certain parts of the protocols we calculate a hash sum and store the hash sum with the frame number in a global map. Then I would send a "goto hash" command and the remote Wireshark would check if its hash map contains the same hash to go to the corresponding frame.

Each network packet can create multiple hashes, for example
- TCP payload
- IP src/dst address+TCP src/dst port (same for UDP)
- ethernet src/dst address + payload length
- specific protocol dissectors can create their own hashes, for example the DCE/RPC dissector can use protocol type (UUID) + Call ID; the HTTP dissector could use header key/value pairs, etc. Via a context menu on the packet I can select which of these hashes to use for the remote control command.
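The following is an added example (mine, not Wireshark code) of the three generic hash kinds listed above and the "goto hash" lookup across two captures. The packets are constructed byte strings built by a small helper; "payload length" for the Ethernet key is taken here to mean the length after the 14-byte Ethernet header, which is my reading. Two points a practitioner would want covered: several frames can share one hash (a retransmitted TCP segment, every bare ACK in a flow), so the map keeps a list of frame numbers rather than one; and an empty payload is not hashed at all, since that key would otherwise match every other empty-payload frame in the remote capture.

```python
"""Per-packet hash keys and the cross-capture lookup behind "goto hash".

Added example, not Wireshark code. The packets are constructed; parsing is a
minimal Ethernet/IPv4/TCP/UDP walk, just enough to derive the three generic
keys the post lists. Dissector-specific keys would be added the same way.
"""
import hashlib
import struct
from collections import defaultdict

ETH_IPV4 = 0x0800
PROTO_TCP = 6
PROTO_UDP = 17


def _digest(*parts):
    return hashlib.sha256(b"".join(parts)).hexdigest()


def parse(frame):
    """Return the fields needed for hashing, or None if not IPv4 TCP/UDP."""
    if len(frame) < 14 + 20:
        return None
    eth_dst, eth_src = frame[0:6], frame[6:12]
    if struct.unpack("!H", frame[12:14])[0] != ETH_IPV4:
        return None
    ip = frame[14:]
    ihl = (ip[0] & 0x0F) * 4
    total_len = struct.unpack("!H", ip[2:4])[0]
    proto, ip_src, ip_dst = ip[9], ip[12:16], ip[16:20]
    l4 = ip[ihl:total_len]
    if proto == PROTO_TCP and len(l4) >= 20:
        sport, dport = struct.unpack("!HH", l4[:4])
        payload = l4[(l4[12] >> 4) * 4:]          # skip TCP header incl. options
    elif proto == PROTO_UDP and len(l4) >= 8:
        sport, dport = struct.unpack("!HH", l4[:4])
        payload = l4[8:]
    else:
        return None
    return {"eth_src": eth_src, "eth_dst": eth_dst, "proto": proto,
            "ip_src": ip_src, "ip_dst": ip_dst, "sport": sport, "dport": dport,
            "payload": payload, "eth_payload_len": len(frame) - 14}


def hash_keys(frame):
    """Map each hash kind to a hex digest; empty dict for unsupported frames."""
    f = parse(frame)
    if f is None:
        return {}
    keys = {
        # IP src/dst + L4 src/dst port, qualified by the L4 protocol (TCP vs UDP)
        "flow": _digest(bytes([f["proto"]]), f["ip_src"], f["ip_dst"],
                        struct.pack("!HH", f["sport"], f["dport"])),
        # Ethernet src/dst + payload length
        "eth_len": _digest(f["eth_src"], f["eth_dst"], struct.pack("!H", f["eth_payload_len"])),
    }
    if f["payload"]:   # an empty payload would match every bare ACK on the other side
        keys["payload"] = _digest(f["payload"])
    return keys


def build_index(frames):
    """(kind, digest) -> list of frame numbers; collisions are kept, not overwritten."""
    index = defaultdict(list)
    for number, frame in enumerate(frames, start=1):   # Wireshark numbers frames from 1
        for kind, digest in hash_keys(frame).items():
            index[(kind, digest)].append(number)
    return index


def goto_hash(index, kind, digest):
    """What the remote side does with a "goto hash" command: list matching frames."""
    return index.get((kind, digest), [])


def build_tcp(eth_src, eth_dst, ip_src, ip_dst, sport, dport, payload):
    """Constructed Ethernet/IPv4/TCP frame with no options and zero checksums."""
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 1, 1, 5 << 4, 0x18, 65535, 0, 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0, 64, PROTO_TCP, 0, ip_src, ip_dst)
    return eth_dst + eth_src + struct.pack("!H", ETH_IPV4) + ip + tcp


# Constructed sample: host H1 talks to H2 through router RTR; capture A is taken
# at H1, capture B at H2, so the Ethernet addresses differ but IP/TCP do not.
H1, RTR, H2 = bytes.fromhex("0200000000aa"), bytes.fromhex("020000000001"), bytes.fromhex("0200000000bb")
IP1, IP2 = bytes([10, 0, 1, 10]), bytes([10, 0, 2, 20])
REQ = b"GET / HTTP/1.0\r\n\r\n"
CAPTURE_A = [build_tcp(H1, RTR, IP1, IP2, 40000, 80, b""),      # frame 1: bare ACK
             build_tcp(H1, RTR, IP1, IP2, 40000, 80, REQ)]      # frame 2: the request
CAPTURE_B = [build_tcp(H2, RTR, IP2, IP1, 80, 40000, b"HTTP/1.0 200 OK\r\n"),  # reverse direction
             build_tcp(RTR, H2, IP1, IP2, 40000, 80, b""),      # frame 2: bare ACK
             build_tcp(RTR, H2, IP1, IP2, 40000, 80, REQ),      # frame 3: the request
             build_tcp(RTR, H2, IP1, IP2, 40000, 80, REQ)]      # frame 4: retransmission

if __name__ == "__main__":
    index_b = build_index(CAPTURE_B)
    chosen = hash_keys(CAPTURE_A[1])     # user picked frame 2 in capture A
    for kind in ("payload", "flow", "eth_len"):
        print(kind, "->", goto_hash(index_b, kind, chosen[kind]))
```

Picking the "payload" hash on frame 2 of capture A finds frames 3 and 4 in capture B (the request and its retransmission), the "flow" hash finds every frame of that TCP connection there, and the "eth_len" hash finds nothing because the MAC addresses on the far side of the router differ. The context menu the post describes is exactly the choice of `kind` here.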

--
---> Dirk Jagdmann ^ doj / cubic
----> http://cubic.org/~doj
-----> http://llg.cubic.org