The actual decoder for CWIDS displays many fields as unknown. Do you have any information about these fields? I am specifically interested in fields showing the power level. (I have reasons to think it is the last byte of the CWIDS header, but without any proof.) Do you plan to improve the decoder for this protocol? Best regards, and thanks for all. K asked 08 May '16, 04:54 ken1234 edited 08 May '16, 11:50 grahamb ♦
2 Answers:
From the source code (packet-cisco-wids.c):
So nothing planned. Access to a specification document would be nice, along with some sample captures. answered 08 May '16, 11:49 grahamb ♦ edited 08 May '16, 15:24 |
If "you" refers to all the people who have contributed to that dissector, the answer is "no, otherwise they would have used that information to add support for those fields to the dissector."
If we could get more information about the protocol, we would use it to improve the dissector. Do you have any idea where we could get a complete specification of the protocol? answered 08 May '16, 11:49 Guy Harris ♦♦ |
Hi, Thank you for your answers.
I think I read somewhere that OmniPeek could decode the headers, but I am not sure and I do not have it. I searched on the Cisco site but got nothing. I can provide some capture samples "for further use" within one or two days if that can help.
Thanks again K
This is reverse engineering of the protocol; more captures, without any interpretation from some other program, won't necessarily help unless a pattern can be detected from the captures. If you have some good reason to think the last byte is a power level, e.g. if some interpretation of its value matches the power levels that you're expecting to see or that you're seeing from some other source, then we could add code to dissect it as such - but if you need proof, you're only going to get it from Cisco or from a program for which there's a reason to trust it (for example, perhaps Wildpackets^WSavvius got a protocol spec and are using it to capture a stream of Cisco WIDS packets just as it can capture packets from some access points).
Well,
You are perfectly right. I will try to find more information about this header. I will tell you if I find something valuable.
Best regards.
K.