Wireshark training

Wireshark Debug and Performance Testing

Transcript of Wireshark training

Software Setup

1. Install software:

● sudo pacman -S wireshark-qt wireshark-cli

● sudo pacman -S wireshark-gtk

2. Only members of group "wireshark" can capture traffic:

● sudo usermod -a -G wireshark topdemo

ZMTP protocol dissector

https://github.com/whitequark/zmtp-wireshark

mkdir -p ~/.wireshark/plugins

git clone git://github.com/whitequark/zmtp-wireshark ~/.wireshark/plugins/zmtp-wireshark

protobuf dissector

https://code.google.com/p/protobuf-wireshark/

List installed plugins:

[luke@rmbp pubsub]$ tshark -G plugins
mate.so 1.0.0a dissector /usr/lib/wireshark/plugins/1.12.3/mate.so
opcua.so 1.1.0 dissector /usr/lib/wireshark/plugins/1.12.3/opcua.so
irda.so 0.0.6 dissector /usr/lib/wireshark/plugins/1.12.3/irda.so
m2m.so 1.1.0 dissector /usr/lib/wireshark/plugins/1.12.3/m2m.so
wimax.so 1.1.0 dissector /usr/lib/wireshark/plugins/1.12.3/wimax.so
ethercat.so 0.1.1 dissector /usr/lib/wireshark/plugins/1.12.3/ethercat.so
docsis.so 0.0.5 dissector /usr/lib/wireshark/plugins/1.12.3/docsis.so
stats_tree.so 0.0.1 tap /usr/lib/wireshark/plugins/1.12.3/stats_tree.so
wimaxmacphy.so 0.0.1 dissector /usr/lib/wireshark/plugins/1.12.3/wimaxmacphy.so
wimaxasncp.so 0.0.1 dissector /usr/lib/wireshark/plugins/1.12.3/wimaxasncp.so
unistim.so 0.0.2 dissector /usr/lib/wireshark/plugins/1.12.3/unistim.so
gryphon.so 0.0.4 dissector /usr/lib/wireshark/plugins/1.12.3/gryphon.so
profinet.so 0.2.4 dissector /usr/lib/wireshark/plugins/1.12.3/profinet.so
zmtp-dissector.lua lua script /home/luke/.wireshark/plugins/zmtp-wireshark/zmtp-dissector.lua

List network interfaces:

[luke@rmbp wireshark]$ tshark -D
1. wlp3s0
2. vmnet1
3. vmnet8
4. any
5. lo (Loopback)
6. bluetooth0
7. bluetooth-monitor
8. nflog
9. nfqueue
10. dbus-system
11. dbus-session
12. usbmon1
13. usbmon2

ZeroMQ Protocols

http://rfc.zeromq.org/

● 37/ZMTP - ZeroMQ Message Transport Protocol

http://rfc.zeromq.org/spec:37

ZMTP: Bird's Eye View

● Greeting: negotiate protocol version; negotiate security mechanism

● Command: protocol (pub/sub, req/rep etc.) session creation

● Message: data (a.k.a. "Frame")

pub/sub message flow

1. Greeting

2. command: ready sub->pub

3. command: ready pub->sub

4. frame1: sub topic sub->pub

5. frame2: data pub->sub
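As an added example (not from the training slides or the zmtp-wireshark plugin), here is a small C parser for the ZMTP 3.x frame framing behind the command/message split above: a flags byte, a 1-byte or 8-byte big-endian size, then the body; command frames carry a size-prefixed command name such as READY. The sample bytes are constructed here. The point for anyone writing or reviewing a dissector is the bounds check: a declared size larger than the captured bytes is rejected rather than trusted.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
/* Flag bits in the first byte of a ZMTP 3.x frame (rfc.zeromq.org/spec:37). */
#define ZMTP_MORE    0x01
#define ZMTP_LONG    0x02
#define ZMTP_COMMAND 0x04
typedef struct {
    int is_command;       /* 1 = command frame (READY, SUBSCRIBE, ...), 0 = message frame */
    int more;             /* 1 = further frames belong to the same message */
    const uint8_t *body;  /* points into the caller's buffer, not copied */
    size_t body_len;
} zmtp_frame;

/* Parse one frame. Returns bytes consumed, or 0 if malformed or truncated. */
size_t zmtp_parse_frame(const uint8_t *buf, size_t len, zmtp_frame *out)
{
    if (len < 2 || (buf[0] & 0xF8)) return 0;   /* reserved flag bits must be zero */
    uint8_t flags = buf[0];
    size_t hdr = 2;
    uint64_t size = buf[1];                     /* short frame: 1-byte size */
    if (flags & ZMTP_LONG) {                    /* long frame: 8-byte big-endian size */
        if (len < 9) return 0;
        size = 0;
        for (int i = 1; i <= 8; i++) size = (size << 8) | buf[i];
        hdr = 9;
    }
    if (size > (uint64_t)(len - hdr)) return 0; /* never trust the declared size */
    out->is_command = (flags & ZMTP_COMMAND) != 0;
    out->more = (flags & ZMTP_MORE) != 0;
    out->body = buf + hdr;
    out->body_len = (size_t)size;
    return hdr + (size_t)size;
}

/* Copy the size-prefixed command name into name; 0 if not a well-formed command. */
size_t zmtp_command_name(const zmtp_frame *f, char *name, size_t name_cap)
{
    if (!f->is_command || f->body_len < 1) return 0;
    size_t n = f->body[0];
    if (n > f->body_len - 1 || n >= name_cap) return 0;
    memcpy(name, f->body + 1, n);
    name[n] = '\0';
    return n;
}
/* Constructed sample bytes: a READY command frame and a "PUB-A: 0" data frame. */
const uint8_t sample_ready[] = { 0x04, 0x06, 0x05, 'R', 'E', 'A', 'D', 'Y' };
const uint8_t sample_data[]  = { 0x00, 0x08, 'P', 'U', 'B', '-', 'A', ':', ' ', '0' };
```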

wireshark structure

NIC -> libpcap (capture filter) -> capture buffer -> display filter -> GUI

capture buffer -> capture log file

capture filter examples: "host 192.168.0.1", "tcp dst port 4000"

display filter examples: "ip.dst eq www.mit.edu", "ip.src == 192.168.1.1"

capture filter: performance

man pcap-filter

primitive = qualifiers + id

Qualifier: type / direction / protocol

e.g. "tcp dst host 192.168.0.1"

display filter

man wireshark-filter

● feature rich

● low performance

e.g. "tcp.port == 80 and ip.src == 192.168.2.1"

a capture session

pub (localhost:4000) <-> sub (localhost:4000)

Publisher (imports, declarations and the pacing delay were missing from the slide and are filled in here; the delay value is an assumption):

#include <stdio.h>
#include <time.h>
#include <zmq.h>

int main(void)
{
    char buf[1024];
    int rc, count = 0;
    struct timespec tm = { 0, 1000 };   /* pacing delay between sends (assumed value) */
    void *ctx = zmq_ctx_new();
    void *pub = zmq_socket(ctx, ZMQ_PUB);
    zmq_bind(pub, "tcp://*:4000");
    while (count < 3000000)
    {
        rc = snprintf(buf, 1024, "%s %d", "PUB-A:", count);
        rc = zmq_send(pub, buf, 1024, 0);   /* whole 1K buffer goes out as one frame */
        rc = snprintf(buf, 1024, "%s %d", "PUB-B:", count);
        rc = zmq_send(pub, buf, 1024, 0);
        nanosleep(&tm, NULL);
        count++;
    }
    zmq_close(pub); zmq_ctx_destroy(ctx);
    return 0;
}

Diagram labels: the publisher emits PUB-A (1K) and PUB-B (1K) frames; the subscriber below filters on PUB-A.

Subscriber (imports and declarations were missing from the slide and are filled in here):

#include <string.h>
#include <zmq.h>

int main(void)
{
    char buf1[1024];
    int rc, count = 0;
    size_t opt_len;
    void *ctx = zmq_ctx_new();
    void *sub = zmq_socket(ctx, ZMQ_SUB);
    zmq_connect(sub, "tcp://127.0.0.1:4000");
    char *top1 = "PUB-A:";                  /* topic prefix: only PUB-A frames are delivered */
    opt_len = (size_t)strlen(top1);
    zmq_setsockopt(sub, ZMQ_SUBSCRIBE, top1, opt_len);
    while (1)
    {
        rc = zmq_recv(sub, buf1, 1024, 0);  /* blocks until a matching frame arrives */
        count++;
    }
    return 0;
}

tshark options: -i -w -a -P

wireshark UI

statistics

[topdemo@king ~]$ tshark -i eno1 -w quote.pcap -a filesize:102400 tcp port 10001
[topdemo@king ~]$ wireshark quote.pcap

stats menu

● stats: summary

● stats: packet length

● stats: iograph

● stats: Round Trip Time

Remote Capture with ssh

Remote (enp3s0): tshark -i enp3s0 -F pcap -w -

Local: wireshark -k -i -

ssh remote

ssh -T remote "tshark -i enp3s0 -F pcap -w - " | wireshark -k -i -

Explanation

1. ssh -T

"-T": do not assign a pty. Since we use ssh as a pipe and run no interactive commands during the ssh session, we do not need a pseudo-tty.

2. ssh remote

We need to set up public-key login with ssh, so no username/password is needed. cat ~/.ssh/config

Host remote
HostName xx.xx.xx.xx
Port 22
User xxxx
IdentityFile ~/.ssh/remote.pem

3. tshark -i enp3s0 -F pcap -w -

"-F pcap": only "pcap" format is supported via remote capture, not "pcapng" (the default).

"-w -": write captured traffic to stdout.

4. wireshark -k -i -

"-i -": read traffic from stdin.

"-k": start capture immediately.