This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

How to convert data in visualization using XOR?

0

Hi,

I am using WireShark a couple of years, but I didn't used it "in the deep". Now I want to do the following:

From my application I send a network package using tcp. The data I send is modified with an xor 15 command. So, WireShark shows the "modified" value which was xor 15. The package I received to my command is xor, too. But with an other value (for example xor 17).

Is there a chance to tell WireShark, that the data of all tcp packages which was send from my PC should be XOR 15 and all packages which I received should be XOR 17 (just in the visualisation).

Do I need to write my own plugin or can I set any parameter in WireShark to do this?

Regards,

Rainer

asked 09 Feb '16, 02:59

Rainer78's gravatar image

Rainer78
6112
accept rate: 0%


One Answer:

0

You'll need to modify the tcp dissector to do this. You may be able to do this with Lua, and definitely in C.

answered 09 Feb '16, 03:17

grahamb's gravatar image

grahamb ♦
19.8k330206
accept rate: 22%

Thank you for your fast answer.

Do you have any links where I can get some mor information?

Can I modify an existing dissector or do I have to write an new one on my own?

(09 Feb '16, 03:21) Rainer78

Assuming it is not all of the packet data that is encrypted using XOR, but just the data from some layer upwards (e.g. only the tcp payload), you would create a "protocol" called e.g. "myxor" and its dissector; the dissector would first take the tvbuf and xor its bytes with the necessary value, and then invoke the "normal" dissector for that type of payload to process the modified tvbuf. Maybe the "myxor" protocol object would even not be necessary and the dissector alone would be enough, but I am not that deep into the dependencies.

This and this link are your starting points if you decide to go the Lua way.

(09 Feb '16, 03:43) sindy

I'm not aware of anyone requesting this before, so it's unlikely that there will be any info about this anywhere else, although Google might know.

Thinking about this, your XOR'd data is basically another protocol that runs on top of TCP. You should just write a dissector for that protocol that does the XOR'ing for you. There are lots of examples of writing dissectors in the Wireshark source code and the docs, and there have also been some presentations at SharkFest about the same subject, e.g. SharkFest'15, presentation 03.

(09 Feb '16, 03:45) grahamb ♦

Well, reading the whole chain once again - is the tcp payload which you xor

  • some common application protocol, so there is an existing dissector which can handle it and you only need to "insert" the xor part,

  • a "home-made" application protocol and thus you need to dissect also that protocol itself?

(09 Feb '16, 07:31) sindy

Thank you very much for your help.

Only the payload I needed to xor. But I got it working now.

I bound it to the tcp port I needed:

tcp_table = DissectorTable.get("tcp.port") tcp_table:add(4500, my_proto)

But one thing I still don't know. Other network devices uses the same port, but without xor. In my dissector function I can check if the payload is xor or not. If yes, I can use my dissector, if not, I want to use the default tcp dissector.

Can I "undo" or "exit" my dissector so the original one do its work?

Regards, Rainer

(10 Feb '16, 00:03) Rainer78

OK, I'll ask my previous question in another way: is the value of TCP port also xored or not?

Because from the way you do it (tcp_table:add(4500, my_proto)), it seems that the tcp headers are not xored, so you actually do not need to activate a "default tcp dissector" instead of your one, but the default dissector which handles payload of tcp packets to/from port 4500.

This is quite easy to do, and it is what I was suggesting initially: save the result of tcp_table:get(4500) before doing your tcp_table:add.

Your dissector would then look at the tvb and if it has nothing to do, it would just call the saved original dissector and pass its parameters to it (tvb, pinfo,...) unchanged.

(10 Feb '16, 02:16) sindy

The header is not xored. Just the payload. I will try the way with "tcp_table:get(4500)" to optimize my plugin. :-)

@all of you: Thank you very much for your great help !

(10 Feb '16, 22:15) Rainer78
showing 5 of 7 show 2 more comments