Wireshark-dev: Re: [Wireshark-dev] Clarifications regarding building wireshark

From: Peter Wu <peter@xxxxxxxxxxxxx>
Date: Mon, 16 Mar 2020 10:27:54 +0000
On Mon, Mar 16, 2020 at 09:21:11AM +0100, Dario Lombardo wrote:
> On Mon, Mar 16, 2020 at 7:37 AM Ankish Shah <ankishshah998998@xxxxxxxxx>
> wrote:
> 
> > I've downloaded and built wireshark on Ubuntu machine and I was going
> > through the documentation of building new dissectors.
> > I have a couple of doubts.
> > 1. When I write code for a new dissector, do I have to build the entire
> > wireshark once again (it takes around 10-12 mins on my system), or is there
> > any option to compile only the new files and see the results?
> >
> 
> The build system just compiles what changed on disk. You can skip the
> linking phase, if you want to just compile your dissector, by issuing
> make/ninja epan/dissectors/CMakeFiles/dissectors.dir/packet-dns.c.o (to
> compile packet-dns.c, for instance). But this won't give you a fully
> functional wireshark, just serves to see if your dissector compiles.

If you want to test your changes, linking is pretty much mandatory. You
would typically run `ninja` again to ensure everything is built. If you
are just using tshark, it suffices to run `ninja tshark`. Likewise, if
you are testing with the GUI only, you can use `ninja wireshark`.

A trick if you want to run a syntax check only with Clang, configure
CMake to generate a special file:

    cmake -DCMAKE_EXPORT_COMPILE_COMMANDS=1 \
        -DCMAKE_C_COMPILER=clang -DCMAKE_CXX_COMPILER=clang++ ...

then you can use this for quick syntax checks for one file:

    clang-check epan/dissectors/packet-dns.c

If you have a separate build dir, then either run from the source dir:

    clang-check -p=/path/to/build epan/dissectors/packet-dns.c

or run it from the build tree:

    clang-check /path/to/wireshark/epan/dissectors/packet-dns.c

> > 2. Once I code new dissectors, how do I test it using wireshark? For
> > example, if you create a dissector to capture packets on port '12345' and
> > the packet includes a flag bit and an ipv4 address, how do you actually
> > create the packet, send it on port 12345 and see the results on wireshark?
> >
> 
> You have bunch of options here. From writing a pcap file manually yourself,
> to write your payload manually and send it through the network with netcat,
> to use high level software such as scapy. It really depends on your
> knowledge of the protocol and on your confidence with the raw hex writing.
> Wireshark doesn't give support for writing sample captures. My suggestion
> is: start from an existing capture (in pcap format, that is easier), modify
> it with hex editors such as ghex2 on ubuntu, and open it from disk with
> wireshark, without involving the network. After all you're working on a
> dissector that works both on captured or saved traffic.

Generally I would recommend generating a simulation using an actual
protocol implementation. That ensures that you do not write a dissector
according to a misunderstanding of a protocol. For example, if I need a
HTTP trace, I could use Firefox or curl.

If you know the protocol well, and want to craft a packet capture
programmatically, a straightforward approach is using Scapy as Dario
suggested. That way you can use Python to script your problem. Here I
was trying to generate a trace to test TCP reassembly:
https://git.lekensteyn.nl/peter/wireshark-notes/tree/crafted-pkt/make-tcp.py

But at minimum you can use something like:

    from scapy.all import *
    pkt = IP()/TCP(sport=54321, dport=12345)/b'your payload here'
    wrpcap('test.pcap', pkt)
-- 
Kind regards,
Peter Wu
https://lekensteyn.nl