This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

Netscreen firewall Snoop detail captured for tunnel interface


Hi team,

I am a Netscreen Firewall user. I tried doing a snoop detail on a tunnel interface; however, I couldn't open it in Wireshark.

2530000.0: tunnel.50(it) vpn=AU-4350-vpn type=ipsec proto=0x0800
              10.10.10.1 -> 224.0.0.5/89
              vhl=45, tos=c0, id=520, frag=0000, ttl=1 tlen=228
              ospf:ver=2, type=1, len=208
              45 c0 00 e4 da 0c 00 00 01 59 77 c8 0a a6 7b 81     E........Yw...{.
              e0 00 00 05 02 01 00 d0 0a a6 91 c1 00 00 00 00     ................
              a4 16 00 00 00 00 00 00 00 00 00 00 ff ff ff 80     ................
              00 0a 02 01 00 00 00 28 00 00 00 00 00 00 00 00     .......(........
              0a a6 7b be 0a a6 7b 9b 0a a6 7b b1 cb d0 41 03     ..{...{...{...A.
              0a a6 7b 8c 0a a6 7b 82 c0 a8 19 fe 0a a6 7b 8f     ..{...{.......{.
              ac 2b 05 01 0a a6 7b 8a 0a a6 7b a2 0a a6 7b a0     .+....{...{...{.
              cb 2d af 8d 0a a6 7b 9e 0a a6 7b 83 0a a6 7b 8e     .-....{...{...{.
              0a a6 7b 98 cb 2d cd 8d 0a a6 7b b7 0a a6 7b a9     ..{..-....{...{.
              0a a6 7b 90 0a a6 7b 91 cb d9 12 94 cb de 49 1e     ..{...{.......I.
              0a a6 7b 8d 0a a6 7b 95 0a a6 7b b5 0a a6 7b 87     ..{...{...{...{.
              0a a6 7b 8b c0 a8 16 fe 0a a6 7b 95 0a a6 7b ac     ..{.......{...{.
              0a a6 7b 94 c0 a8 17 fe c0 a8 1b fe cb c1 dc 37     ..{............7
              0a a6 7b a5 ac 10 04 fd 0a a6 7b a8 0a a6 7b a6     ..{.......{...{.
              0a a6 7b ae                                         ..{.

The snoop on an Ethernet interface, though, opens fine.

Could you please look into it and see if any slight code change is required to incorporate this as well?

Thanks in advance

Regards, Srb

asked 13 Sep '12, 22:45

Sarab

edited 16 Sep '12, 14:02

Jim Aragon


2 Answers:


Unfortunately it is not really easy to add support for snoop output for a tunnel. First of all, the function that checks whether a valid packet header is found needs to find the packet length. It scans one line at the moment, so for this output it needs to start parsing multiple lines to find the packet length.

But the biggest difference between this output and the output of other interface types is that there is no link layer; it is only the IP header and IP payload. Currently there is no link-layer type for just raw IP (as far as I know of). At least it is not supported in the "Frame" dissector.

This means that either:

  1. A new link-layer type needs to be defined and code to support it needs to be written to the "Frame" dissector -or-
  2. A dummy link layer needs to be added to the packet

Option 2 is easier to implement, but more of a dirty hack in my opinion, as you show a link layer in Wireshark that is not really in the packet.

answered 14 Sep '12, 00:35

SYN-bit ♦♦

> Currently there is no linklayer type for just raw IP (as far as I know off).

WTAP_ENCAP_RAW_IP in Wiretap; that's what, for example, the pcap link-layer header type LINKTYPE_RAW, as per the link-layer header types list at tcpdump.org, maps to.

(15 Sep '12, 02:22) Guy Harris ♦♦

OK, I should have done my research first :-)

Looking a bit more thoroughly through the code, there is already support for WTAP_ENCAP_RAW_IP in epan/dissectors/packet-raw.c.

So actually adding support for Netscreen snoop output for tunnel interfaces would involve changing wiretap/netscreen.c to:

  • handle packet headers that do not contain a packet length
  • add interpretation of raw IP packets and give them type WTAP_ENCAP_RAW_IP

That should not be too hard, but unfortunately my time is limited at the moment. I'll see if I can find some time the coming weeks.

(15 Sep '12, 04:48) SYN-bit ♦♦

Thanks everyone.

@SYN-bit: Please do update this thread once this is done, and later I can update the Juniper forum so that everyone is aware that support for tunnel interface snoop is there in Wireshark :)

(15 Sep '12, 22:18) Sarab

Hi SYN-bit, did you get a chance to update the code regarding this issue?

Thanks, Sarab

(28 Sep '12, 03:47) Sarab


Since you have the raw packet bytes here (from IP up) you could edit those into a format that text2pcap and File|Import... can take. Without having a go at it, it only needs to get an offset at the start of each line.

answered 16 Sep '12, 04:15

Jaap ♦

Hi Jaap,

I tried using text2pcap on the raw data; that converts it to pcap, however the file doesn't show the details then, e.g. in the data part it doesn't show OSPF details.

(16 Sep '12, 18:58) Sarab
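The two answers describe the same two ingredients: a reader that copes with a snoop header carrying no packet length and collects hex lines until the next packet (SYN-bit's wiretap/netscreen.c change), and re-dumping the bytes in a form text2pcap or File|Import can take (Jaap's suggestion). The Python script below is an added example, not Wireshark code and not from anyone in this thread. It parses the snoop detail block quoted in the question, uses the IP summary's tlen= only as a cross-check, and writes either a pcap whose link type is 101 (LINKTYPE_RAW, the type Guy Harris mentions, handled by packet-raw.c) or text2pcap's offset format. The leading number of the snoop header is assumed to be the device uptime in seconds, the sample is the packet from the question, and the output file name is a placeholder. Note that text2pcap labels its input as Ethernet unless given -l; for bytes that begin at the IP header, -l 101 is what makes the IP and OSPF layers dissect.

```python
# Added example (not Wireshark code, not from this thread): convert Netscreen
# "snoop detail" output for a tunnel interface, which starts at the IP header,
# into a pcap with link type 101 (LINKTYPE_RAW) or into text2pcap's input format.
import re
import struct

# Constructed sample: the packet posted in the question (bytes from the IP header up).
SNOOP_SAMPLE = """\
2530000.0: tunnel.50(it) vpn=AU-4350-vpn type=ipsec proto=0x0800
              10.10.10.1 -> 224.0.0.5/89
              vhl=45, tos=c0, id=520, frag=0000, ttl=1 tlen=228
              ospf:ver=2, type=1, len=208
              45 c0 00 e4 da 0c 00 00 01 59 77 c8 0a a6 7b 81     E........Yw...{.
              e0 00 00 05 02 01 00 d0 0a a6 91 c1 00 00 00 00     ................
              a4 16 00 00 00 00 00 00 00 00 00 00 ff ff ff 80     ................
              00 0a 02 01 00 00 00 28 00 00 00 00 00 00 00 00     .......(........
              0a a6 7b be 0a a6 7b 9b 0a a6 7b b1 cb d0 41 03     ..{...{...{...A.
              0a a6 7b 8c 0a a6 7b 82 c0 a8 19 fe 0a a6 7b 8f     ..{...{.......{.
              ac 2b 05 01 0a a6 7b 8a 0a a6 7b a2 0a a6 7b a0     .+....{...{...{.
              cb 2d af 8d 0a a6 7b 9e 0a a6 7b 83 0a a6 7b 8e     .-....{...{...{.
              0a a6 7b 98 cb 2d cd 8d 0a a6 7b b7 0a a6 7b a9     ..{..-....{...{.
              0a a6 7b 90 0a a6 7b 91 cb d9 12 94 cb de 49 1e     ..{...{.......I.
              0a a6 7b 8d 0a a6 7b 95 0a a6 7b b5 0a a6 7b 87     ..{...{...{...{.
              0a a6 7b 8b c0 a8 16 fe 0a a6 7b 95 0a a6 7b ac     ..{.......{...{.
              0a a6 7b 94 c0 a8 17 fe c0 a8 1b fe cb c1 dc 37     ..{............7
              0a a6 7b a5 ac 10 04 fd 0a a6 7b a8 0a a6 7b a6     ..{.......{...{.
              0a a6 7b ae                                         ..{.
"""

LINKTYPE_RAW = 101  # pcap link-layer type: packet begins with the IP header
HEADER_RE = re.compile(r"^(\d+(?:\.\d+)?):\s+\S+")       # "<timestamp>: <interface>(..) ..."
TLEN_RE = re.compile(r"\btlen=(\d+)")                    # IP total length in the summary line
HEX_RE = re.compile(r"^\s*((?:[0-9a-fA-F]{2}\s){1,16})")  # up to 16 hex pairs before the ASCII column


def parse_snoop(text):
    """Return [(timestamp, packet_bytes), ...]. The header has no byte count, so
    bytes are collected until the next header; tlen= is only a cross-check."""
    packets, ts, buf, tlen = [], None, bytearray(), None

    def flush():
        if ts is None:
            return
        if tlen is not None and len(buf) != tlen:
            raise ValueError(f"collected {len(buf)} bytes but header says tlen={tlen}")
        packets.append((ts, bytes(buf)))

    for line in text.splitlines():
        m = HEADER_RE.match(line)
        if m:
            flush()
            # Assumption: the leading number is the device uptime in seconds.
            ts, buf, tlen = float(m.group(1)), bytearray(), None
            continue
        if ts is None:
            continue
        t = TLEN_RE.search(line)
        if t:
            tlen = int(t.group(1))
        h = HEX_RE.match(line)
        if h:
            buf.extend(bytes.fromhex(h.group(1)))
    flush()
    return packets


def ip_summary(data):
    """Decode fixed IPv4 header fields to sanity-check the recovered bytes."""
    version = data[0] >> 4
    total_len = struct.unpack_from("!H", data, 2)[0]
    proto = data[9]
    src = ".".join(str(b) for b in data[12:16])
    dst = ".".join(str(b) for b in data[16:20])
    return version, total_len, proto, src, dst


def to_pcap(packets):
    """Classic little-endian pcap with link type 101, so Wireshark hands the
    first byte to the IP dissector instead of expecting an Ethernet header."""
    out = bytearray(struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, LINKTYPE_RAW))
    for ts, data in packets:
        sec = int(ts)
        usec = int(round((ts - sec) * 1_000_000))
        out += struct.pack("<IIII", sec, usec, len(data), len(data)) + data
    return bytes(out)


def to_text2pcap(packets):
    """text2pcap input: a 6-digit hex offset, then the bytes; an offset of 000000
    starts a new packet. Convert with: text2pcap -l 101 dump.txt dump.pcap"""
    lines = []
    for _, data in packets:
        for off in range(0, len(data), 16):
            lines.append(f"{off:06x} " + " ".join(f"{b:02x}" for b in data[off:off + 16]))
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    pkts = parse_snoop(SNOOP_SAMPLE)
    print(to_text2pcap(pkts))
    print("IPv4 version/len/proto/src/dst:", ip_summary(pkts[0][1]))
    with open("tunnel_snoop.pcap", "wb") as f:  # placeholder output name
        f.write(to_pcap(pkts))
```

Running the script prints the text2pcap-style dump and the decoded header fields (version 4, total length 228, protocol 89 = OSPF, destination 224.0.0.5), and writes tunnel_snoop.pcap, which Wireshark opens directly as raw IP; the 228 bytes recovered from the hex columns match the tlen=228 in the snoop summary, which is the check a parser for this format should make since the header itself states no length.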