Wireshark-dev: Re: [Wireshark-dev] Packet sample repository/library?

From: Peter Wu <peter@xxxxxxxxxxxxx>
Date: Mon, 19 Dec 2016 22:21:54 +0100
Hi Jirka,

On Mon, Dec 19, 2016 at 10:57:08AM +0100, Jirka Novak wrote:
> Hello,
> 
>   I'm looking for a repository/library with packet samples suitable for
> developers. I found a lot of repositories over the Internet, but they
> just contain samples and you are only able to find the protocols used in
> a sample (e.g. RTP).
>   As a developer, when I change part of the code, I should retest it with
> as many samples as possible to verify whether the change works fine with
> my sample (why I'm doing the change) and that I didn't break old
> functionality.

For a basic testing framework, have a look at
https://github.com/wireshark/happy-shark

To-do: populate the test/ directory with lots of specific samples :-)

> Therefore I should be able to select samples which are relevant to my
> change and be able to verify whether it is evaluated as expected.
> 
>   To be able to do so, samples should be commented/documented in two ways:
> 1) What sample contains
> 2) How it should be decoded/shown in Wireshark
> 
> There are a few ideas (I'm working in voice area):
> 
> - Sample contains full regular SIP session, with SDP, with related RTP.
> RTP is dynamic payload described in SDP.
>   - SIP session should be shown
>   - SDP should be decoded
>   - RTP should be decoded as described in SDP
> - Sample contains rejected SIP session because of XXX
>   - SIP session should be shown
>   - SIP calls view should show call as failed
> - Sample contains RTP call with extended header XXX
>   - RTP header should be decoded as ...
>   - Call Flow should show bit XXX in RTP stream
> - Sample contains RTSP session from XXX with RTP media in UDP
>   - sample should be decoded
>   - RTP should be decoded as described in Transport header
> - Sample contains RTP stream with missing packets
>   - sample should be decoded
>   - RTP Stream Analysis should show sequence error
> 
>   In other words, there should be an attached specification for the
> Wireshark developer of how the sample should be processed. Then it can be
> verified later by a human or by an engine (maybe in the future :-)).

This is a scenario that is probably worth adding to test/ (in the
Wireshark source tree) if it is not too large.

The SampleCaptures wiki contains some (synthetic/real-world) SIP and RTP
captures, but it is not really in a machine-readable format:
https://wiki.wireshark.org/SampleCaptures#SIP_and_RTP

Feel free to upload your captures there though :-)

>   It is obvious that the same sample can be used for multiple purposes -
> e.g. an RTSP with RTP sample can be used for testing RTSP and for RTP too.
> The specification can be changed over time. Therefore it should be easily
> editable.
> 
>   Does anyone know of something like what I'm looking for?

I think that happy-shark (which uses PDML output with an XSL
post-processor) does what you want.

In case a dissector checks for the pinfo->visited flag, you have to run
pcaps through both:

 - tshark -r some.pcap -Tpdml
 - tshark -r some.pcap -Tpdml -2
-- 
Kind regards,
Peter Wu
https://lekensteyn.nl
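An added example (not happy-shark's or Wireshark's own code) of the machine-checkable "how it should be decoded" half of the sample specification Jirka describes, combined with Peter's advice to run each pcap single-pass and two-pass: it parses PDML as produced by `tshark -Tpdml`, compares named fields against expected `show` values, and builds both tshark command lines. The PDML text, the expectation format and the field values are constructed for the example.

```python
import subprocess
import xml.etree.ElementTree as ET

# Constructed PDML standing in for real `tshark -Tpdml` output (assumption:
# only the fields the checks below need are kept; real trees are much larger).
SAMPLE_PDML = """<pdml version="0" creator="wireshark/2.2">
 <packet><proto name="sdp">
  <field name="sdp.media.format" show="DynamicRTP-Type-101"/>
 </proto></packet>
 <packet><proto name="rtp">
  <field name="rtp.p_type" show="101" value="65"/>
  <field name="rtp.seq" show="7" value="0007"/>
 </proto></packet>
</pdml>"""


def tshark_commands(pcap):
    """Single-pass and two-pass (-2) invocations, so a dissector that branches
    on pinfo->visited is exercised both ways (Peter's note above)."""
    base = ["tshark", "-r", pcap, "-Tpdml"]
    return {"single-pass": base, "two-pass": base + ["-2"]}


def field_values(pdml_text, field_name):
    """All 'show' values of a named field, in packet order."""
    root = ET.fromstring(pdml_text)
    return [f.get("show") for f in root.iter("field") if f.get("name") == field_name]


def check_expectations(pdml_text, expectations):
    """expectations: list of (field_name, expected_show) pairs, i.e. the
    'how it should be decoded' part of a sample's specification.
    Returns failure strings; an empty list means the decode matched."""
    failures = []
    for name, expected in expectations:
        seen = field_values(pdml_text, name)
        if not seen:
            failures.append(f"{name}: field not present")
        elif expected not in seen:
            failures.append(f"{name}: expected {expected!r}, got {seen!r}")
    return failures


def check_capture(pcap, expectations):
    """Run a pcap through tshark both ways and check each decode (needs tshark)."""
    results = {}
    for label, cmd in tshark_commands(pcap).items():
        pdml = subprocess.run(cmd, check=True, capture_output=True, text=True).stdout
        results[label] = check_expectations(pdml, expectations)
    return results
```

A specification file for a sample is then just the expectation list, e.g. `[("sdp.media.format", "DynamicRTP-Type-101"), ("rtp.p_type", "101")]`, which is easy to edit as the sample's intended decode changes.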