I’ve recently turned to Wireshark to do some network analysis, but found that tracking the bits and bytes of xPL by hand was not particularly easy, though not difficult either. When I read that Wireshark can be extended using Lua, I started fiddling around with that to see how I could get xPL support into Wireshark. This post is about the results…
The ‘dissector’ I wrote (download is below) examines xPL packets and dissects them into their underlying components. This lets you use Wireshark’s filtering capabilities to find just the xPL messages you need. Beyond that, it analyzes the structure of each message received and validates it against the xPL protocol, flagging any malformed messages.
Below is a short tutorial on how to do xPL filtering and validation with Wireshark.
Obviously you need to install Wireshark; the defaults will do. Download the dissector (link is at the bottom) and extract the .lua file from the zip file. The .lua file is the most important file, as it contains the dissector itself. Copy the .lua file to the Wireshark plugin directory. Its location depends on the OS; on WinXP I used C:\Program Files\Wireshark\plugins\1.4.6\. If Wireshark was already running, you need to restart it. That’s all there is to it.
The tough part of network analysis is the tremendous amount of data going over a network; the challenge is to find the needle in the haystack. For this purpose Wireshark uses filtering, and it does so at two levels: capture and display.
Filtering at capture simply means that it will only record, or store, the data that passes the filter. Any data that is not captured because it didn’t pass the filter is lost forever (from the analysis, at least).
Filtering at display allows you to zoom in further on the data collected, without losing data. By broadening the display filter you can make hidden packets reappear.
Using Wireshark with xPL
Open the capture options dialog and enter “udp port 3865” in the “capture filter” textbox; this will capture only UDP traffic in or out on port 3865 (the xPL port). Make sure the correct network interface is selected and then click Start at the bottom of the dialog.
In the main screen, click the “Expression…” button to the right of the filter textbox. In the tree, open the Field name at XPL; here you’ll find the different xPL message fields that can be used for filtering.
Open the xpl_dissector_testdata.pcap file (included in the downloadable zip file below) with Wireshark. It contains test data with numerous xPL messages, mostly faulty ones, as it was generated with the (also included) test generator. Select a packet in the top part of the window and then expand the tree below where it says “xPL Protocol, Src: …..“. In most cases this line will be red, which indicates a faulty message; browse through the tree to see what kind of feedback the dissector gives on faulty messages. For each of the test messages in the capture file, the first key-value pair names the error that was deliberately added to that message.
Because it is written in Lua, the dissector is not as fast as the built-in dissectors, especially since it validates every message quite extensively. xPL is not very bandwidth intensive, so this should not be an issue, but in sporadic cases it might be. Consider capturing the data first with the dissector disabled and saving it to a file. Then reopen the saved file later with the dissector enabled to perform your analysis.
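The kind of structural checks the dissector performs, written here as a stand-alone Python validator for illustration (this is not the dissector’s own Lua code). The xPL format rules it encodes (three message types, lowercase keys of at most 16 characters, vendor-device.instance addresses, class.type schema names) are assumed from the xPL specification, and the two sample messages are constructed:

```python
import re

# xPL structural rules as assumed for this example (see lead-in).
MSG_TYPES = {"xpl-cmnd", "xpl-stat", "xpl-trig"}
KEY_RE = re.compile(r"[a-z0-9-]{1,16}")
ADDR_RE = re.compile(r"[a-z0-9]{1,8}-[a-z0-9]{1,8}\.[a-z0-9]{1,16}")
SCHEMA_RE = re.compile(r"[a-z0-9-]{1,8}\.[a-z0-9-]{1,8}")

def _block(lines, i, errors):
    """Consume a '{ key=value ... }' block starting at lines[i]; return (pairs, next index)."""
    pairs = {}
    if i >= len(lines) or lines[i] != "{":
        errors.append(f"line {i + 1}: expected '{{'")
        return pairs, i
    i += 1
    while i < len(lines) and lines[i] != "}":
        key, sep, value = lines[i].partition("=")
        if not sep or not KEY_RE.fullmatch(key):
            errors.append(f"line {i + 1}: bad key-value pair {lines[i]!r}")
        pairs[key] = value
        i += 1
    if i >= len(lines):
        errors.append("block not closed with '}'")
    return pairs, i + 1

def validate_xpl(raw):
    """Return the structural errors found in one xPL message (empty list = well-formed)."""
    errors, lines = [], raw.rstrip("\n").split("\n")
    if lines[0] not in MSG_TYPES:
        errors.append(f"unknown message type {lines[0]!r}")
    header, i = _block(lines, 1, errors)
    for key in ("hop", "source", "target"):
        if key not in header:
            errors.append(f"header missing {key!r}")
    if "source" in header and not ADDR_RE.fullmatch(header["source"]):
        errors.append("source is not of the form vendor-device.instance")
    if "target" in header and header["target"] != "*" and not ADDR_RE.fullmatch(header["target"]):
        errors.append("target is neither '*' nor vendor-device.instance")
    if i >= len(lines) or not SCHEMA_RE.fullmatch(lines[i]):
        errors.append(f"line {i + 1}: expected schema class.type")
    _, i = _block(lines, i + 1, errors)
    if i < len(lines):
        errors.append(f"line {i + 1}: trailing data after the body block")
    return errors

# Constructed samples: one well-formed message, one lacking 'target' with an uppercase body key.
GOOD = ("xpl-stat\n{\nhop=1\nsource=acme-thermo.kitchen\ntarget=*\n}\n"
        "sensor.basic\n{\ndevice=temp1\ntype=temp\ncurrent=21.5\n}\n")
BAD = ("xpl-cmnd\n{\nhop=1\nsource=acme-thermo.kitchen\n}\n"
       "sensor.request\n{\nREQUEST=current\n}\n")
```

Running `validate_xpl(BAD)` reports both defects, the same two findings the dissector’s red line would lead you to in the packet tree.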
The download is a single zip file with all the supporting materials included (downloaded 960 times).