I am trying to debug an LWM2M protocol issue. I need to know what messages are transferred between the COAP server and the COAP client. As the traffic is encrypted using DTLS, I need to give the pre-shared key in wireshark to see the payload. Wireshark is successfully decrypting the payload, but I am not able to see the underlying COAP protocol messages. I am seeing just the raw data("Application data"):
But when I try sniffing unencrypted COAP traffic on a dummy setup, I could see the COAP messages properly:
How can I view the COAP protocol traffic using wireshark when it is encrypted?
The problem is that you're using a non-standard port number for COAPS instead of the IANA-registered port of 5684, and the Wireshark COAP dissector's proto_reg_handoff_coap() function only registers to the DTLS dissector with that fixed, non-configurable port (DEFAULT_COAPS_PORT). There are some possible ways to fix this and/or work-around it.
If possible, change your application to use the standard port, 5684.
Modify the Wireshark COAP dissector to also register to the DTLS dissector with your desired port, or better yet to allow the port to be configurable, perhaps even with a port range preference to allow multiple ports to be registered. You can reference the Wireshark Developer's Guide for information about compiling and developing for Wireshark on your particular platform.
Submit a Wireshark Issue, asking for an enhancement to the COAP dissector to allow the DTLS-registered port to be configurable. Again, a range preference would probably be even better, as it would allow more than just 1 port to be registered.
Assuming the first option isn't possible and the other options would take longer and not solve the immediate problem of dissecting the payload as COAP for your existing capture file, you could use a program such as TraceWrangler (or other such Capture file editors and/or anonymizers tools) to rewrite the UDP port value of 57845 to 5684 for all packets. That should allow the payload to be passed to the COAP dissector without requiring any other changes. If you do use TraceWrangler, then the basic steps would be:
Add Files: Choose your file, i.e., file.pcapng.
Taskname: Anonymize Files.
Payload: Deselect "Remove all unknown layers..." as you want to keep everything.
PCAPng: Action=Passthrough, as there's no need to replace original comments here.
Layer 4, UDP: Action=Replace. Select "Replace UDP ports by list", then choose Add. Enter 57845 for the Original port number and 5684 for the Replacement port number, then click Add.
Select Okay.
Select Run.
When the Status indicates, "Task complete", you should be able to open the newly created packet capture file, named file_anon.pcapng, in Wireshark and Wireshark should now recognize the payload as COAP.
DISCLAIMER: I have not tested this myself, but it should work.
Related
I have a language monitor that I am trying to query the printer from.
First let me apologize for the possible confusion since "port" means 2 things in this description. There is the one use that refers to the port that the printer is configured to use, which could be TCP, USB, etc. And then there is the use of port that refers to the port address to send data to when communicating with the printer's IP address.
I need to be able to specify different port addresses to send different custom queries to a printer over the same IP that are specific to it's firmware. I can't find any examples or documentation on what the standard way is to do this communication... I can extract the IP address and open a net socket, but I am not sure if this is the appropriate way to handle this communication. It's not uncommon for printers to send status over one port, and print data over another. If i want to write to the Default port I can use pfnWritePort and pfnReadPort, but these don't allow me to specify the actual port.. it uses whatever the driver is configured as.
Can anyone provide some guidance or examples of how I should do this from my language monitor?
EDIT: As an example for clarification, all commands are sent to the same IP, but depending on the command/query I need to send, the TCP port needs to change. The way I am handling it now is opening up a net socket with the same IP and different port numbers for data and status channels).
You should be required to write an app that would be able to reconfigure driver. Ideology of OS is that EACH real device would corresponds to instance of driver and\or interface. Which might be an elevated action, because it requires to create new printer interface("port" in Windows GUI terms) and change driver settings.
I have a great confusion about tshark.
What is the basic unit of the messages captured by tshark? Ip, tcp, or http?
I see TCP http or ssl and so on in the protocol column in wireshark.
These protocols are in different layer.
In addition, what is the tshark command to capturing the http message with tshark.
See the man page. To quote:
TShark is a network protocol analyzer. It lets you capture packet data from a live network, or read packets from a previously saved capture file
Packets are usually either TCP or UDP (you can find a list of protocols here), When wireshark states that it is HTTP or SSL, then it is based on introspection of the packet (Probably based on destination port).
I have use SNMP v1 and 2c for network discovery of printers by sending broadcast message with community "public" and it works just fine, but when I send broadcast message with version 3 of the protocol I got timeout error.
Do somebody share example of SNMPv3 device discovery?
Thank you.
Two things:
1) Doing a broadcast SNMPv1/v2c is actually not defined to work in the protocol. Cheap implementations will simply respond, as you've found, to any packet it sees that the kernel accepts to the port and not check the address. However, you'll also find some implementations that will not respond to broadcast packets. So that's actually not a surefire discovery mechanism in the first place. (Let alone, many vendors finally got smart and don't have public be the default community name)
2) SNMPv3, on the other hand, is even less likely to work because of how engineID discovery happens within the SNMPv3 protocol. SNMPv3 won't respond with a normal response PDU anyway, as it should respond with a REPORT PDU saying "this is my engineID" and you'd have to respond back with that engineID and the proper USM credentials to access the device.
In short, SNMPv3 was designed for security and there isn't a "public" equivalent any longer. You'd need to know how to access the device and can't just "guess".
I am looking for a way to detect "port unreachable" errors for outgoing UDP packets in Erlang, so I can eagerly report transport layer errors to the application. I.e, I want to capture ICMP type 3 packets to report to the higher layers that packet have not reached the destination.
Currently I know about two approaches:
Use undocumented gen_udp:connect/3. However, it seems like this requires opening a new socket for every new destination pair address:port. The advantage is that this does not require any privileges.
Use gen_icmp which requires either setuid helper or capabilities to open raw sockets.
Are there any other variants I am missing?
procket might be what you're looking for, but I've never used it myself. It's a binding to the low-level socket API, therefore it allows you to use all the protocols the underlying API supports. I'm just quoting its README, so please take it with a pinch of salt.
I'm writing a dissector for a protocol that I have to work with. This protocol runs atop TCP and is stateful.
In order to dissect the fields correctly, I need to identify which endpoint opened the TCP connection (the client).
Is there a way to get this info from the tcp dissector? Would I have to write a tap? I'm not so clear on how to do this in lua.
Cross posted on the Wireshark stack site here.
To write stateful protocol dissector in Lua you can use closures to store state information.
you can easily decipher which endpoint started conversation if you analyse flags SYN/SYN+ACK for the first packets of given TCP stream # (which is generated by TCP dissector).
To make this work you should install a post dissector and check for 'tcp.stream' field.
You can checkout that technique in sources of my small Lua wireshark dissector to capture HTTP state information