http://code.google.com/p/spdyshark/
In short, spdyshark is a plugin for Wireshark that enables you to decrypt SPDY sessions.
The following is my installation log, including the trial and error along the way.
[ install spdyshark on Ubuntu 12.04 ]
# tail -1 /etc/lsb-release
DISTRIB_DESCRIPTION="Ubuntu 12.04.1 LTS"
# uname -ri
3.5.0-030500-generic x86_64
This Ubuntu is JeOS running on KVM, which I built with vmbuilder.
To use spdyshark, you need to build Wireshark from source, so first install the packages required to build Wireshark.
Get the Wireshark source (wireshark-1.8.2.tar.bz2).
# tar jxvf wireshark-1.8.2.tar.bz2
Get spdyshark.
# apt-get install git
# git clone https://code.google.com/p/spdyshark/
Copy the spdyshark subdirectory into the wireshark-1.8.2/plugins directory.
# cp -r spdyshark/spdyshark wireshark-1.8.2/plugins/
nnn, error
# patch -p1 < ../spdyshark/spdyshark_build.patch
patching file CMakeLists.txt
Hunk #1 succeeded at 417 (offset -1 lines).
patching file configure.in
Hunk #1 succeeded at 2104 (offset 20 lines).
patching file epan/Makefile.am
patching file epan/Makefile.in
Hunk #1 succeeded at 916 (offset 6 lines).
patching file Makefile.am
Hunk #1 succeeded at 281 (offset -34 lines).
patching file Makefile.in
Hunk #1 succeeded at 138 (offset -4 lines).
Hunk #2 succeeded at 807 (offset -40 lines).
patching file packaging/nsis/Makefile.nmake
Hunk #1 succeeded at 54 (offset -3 lines).
patching file packaging/nsis/wireshark.nsi
Hunk #1 FAILED at 928.
1 out of 1 hunk FAILED -- saving rejects to file packaging/nsis/wireshark.nsi.rej
patching file plugins/Makefile.am
Hunk #1 succeeded at 32 (offset -1 lines).
patching file plugins/Makefile.in
Hunk #1 succeeded at 372 (offset 3 lines).
patching file plugins/Makefile.nmake
Hunk #1 succeeded at 16 (offset -1 lines).
Hunk #2 succeeded at 74 (offset -1 lines).
# echo $?
1
Try this with Wireshark 1.7.1 instead, as described at http://code.google.com/p/spdyshark/
Judging from the patch file, the patch was evidently made against Wireshark 1.7.1:
# head -5 spdyshark/spdyshark_build.patch
diff -aur wireshark-1.7.1/CMakeLists.txt wireshark-1.7.1-patched/CMakeLists.txt
--- wireshark-1.7.1/CMakeLists.txt	2012-04-06 14:42:14.000000000 -0400
+++ wireshark-1.7.1-patched/CMakeLists.txt	2012-04-11 18:37:44.302998000 -0400
@@ -418,6 +418,7 @@
 plugins/mate
Download Wireshark 1.7.1 from http://sourceforge.jp/projects/sfnet_wireshark/downloads/src/all-versions/wireshark-1.7.1.tar.bz2/
# tar jxvf wireshark-1.7.1.tar.bz2
# cp -r spdyshark/spdyshark wireshark-1.7.1/plugins/
Apply the patch.
# cd wireshark-1.7.1
# patch -p1 < ../spdyshark/spdyshark_build.patch
patching file CMakeLists.txt
patching file configure.in
patching file epan/Makefile.am
patching file epan/Makefile.in
patching file Makefile.am
patching file Makefile.in
patching file packaging/nsis/Makefile.nmake
patching file packaging/nsis/wireshark.nsi
patching file plugins/Makefile.am
patching file plugins/Makefile.in
patching file plugins/Makefile.nmake
# echo $?
0
# ./autogen.sh
error
# ./configure --with-ssl
aries... yes
checking dynamic linker characteristics... (cached) GNU/Linux ld.so
checking how to hardcode library paths into programs... immediate
checking for perl... /usr/bin/perl
checking for bison... no
checking for byacc... no
checking for yacc... no
configure: error: I couldn't find yacc (or bison or ...); make sure it's installed and in your path
# apt-get install bison -y
Try again.
# ./configure --with-ssl
checking for flex... no
checking for lex... no
checking for flex... no
configure: error: I couldn't find flex; make sure it's installed and in your path
# apt-get install flex -y
# ./configure --with-ssl
checking if profile builds must be generated... no
checking for pkg-config... /usr/bin/pkg-config
checking for GTK+ - version >= 2.12.0 and < 3.0... no
*** Could not run GTK+ test program, checking why...
*** The test program failed to compile or link. See the file config.log for the
*** exact error that occured. This usually means GTK+ is incorrectly installed.
configure: error: Neither Qt nor GTK+ 2.12 or later are available, so Wireshark can't be compiled
I have not installed GTK.
Okay, I'll skip installing wireshark and use tshark.
# ./configure --with-ssl --disable-wireshark
checking if profile builds must be generated... no
checking for pkg-config... /usr/bin/pkg-config
checking for GLIB - version >= 2.14.0... no
*** Could not run GLIB test program, checking why...
*** The test program failed to compile or link. See the file config.log for the
*** exact error that occured. This usually means GLIB is incorrectly installed.
configure: error: GLib 2.14 or later distribution not found.
# apt-get install -y libglib2.0-0 libglib2.0-dev
# ./configure --with-ssl --disable-wireshark
checking for pcap-config... no
checking for extraneous pcap header directories... not found
checking pcap.h usability... no
checking pcap.h presence... no
checking for pcap.h... no
configure: error: Header file pcap.h not found; if you installed libpcap from source, did you also do "make install-incl", and if you installed a binary package of libpcap, is there also a developer's package of libpcap, and did you also install that package?
# apt-get install -y libpcap0.8-dev libpcap0.8
# ./configure --with-ssl --disable-wireshark
The Wireshark package has been configured with the following options.
                    Build wireshark : no
                       Build tshark : yes
                     Build capinfos : yes
                      Build editcap : yes
                      Build dumpcap : yes
                     Build mergecap : yes
                    Build text2pcap : yes
                      Build randpkt : yes
                       Build dftest : yes
                     Build rawshark : yes
   Save files as pcap-ng by default : yes
  Install dumpcap with capabilities : no
             Install dumpcap setuid : no
                  Use dumpcap group : (none)
                        Use plugins : yes
                    Use Lua library : no
                 Use Python binding : no
                   Build rtp_player : no
             Build profile binaries : no
                   Use pcap library : yes
                   Use zlib library : yes
               Use kerberos library : no
                 Use c-ares library : no
               Use GNU ADNS library : no
                Use SMI MIB library : no
             Use GNU crypto library : yes
             Use SSL crypto library : yes
           Use IPv6 name resolution : yes
                 Use gnutls library : yes
     Use POSIX capabilities library : no
                  Use GeoIP library : no
nnn, error
# make
packet-parlay.c:82298:13: warning: 'decode_org_csapi_fw_TpLoadPolicy_st' defined but not used [-Wunused-function]
packet-parlay.c:82364:13: warning: 'decode_org_csapi_fw_TpLoadInitVal_st' defined but not used [-Wunused-function]
packet-parlay.c:83515:13: warning: 'decode_org_csapi_ui_TpUIEventInfo_st' defined but not used [-Wunused-function]
gcc: internal compiler error: Killed (program cc1)
Please submit a full bug report,
with preprocessed source if appropriate.
See <file:///usr/share/doc/gcc-4.6/README.Bugs> for instructions.
make[3]: *** [packet-parlay.lo] Error 1
make[3]: Leaving directory `/home/hattori/wireshark-1.7.1/plugins/giop'
make[2]: *** [all-recursive] Error 1
make[2]: Leaving directory `/home/hattori/wireshark-1.7.1/plugins'
make[1]: *** [all-recursive] Error 1
make[1]: Leaving directory `/home/hattori/wireshark-1.7.1'
make: *** [all] Error 2
The gcc version is:
# gcc --version
gcc (Ubuntu/Linaro 4.6.3-1ubuntu5) 4.6.3
Copyright (C) 2011 Free Software Foundation, Inc.
This is free software; see the source for copying conditions.  There is NO
warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
How about building Wireshark with gcc-4.4 instead?
Install gcc-4.4.
# apt-get install gcc-4.4
Delete the symbolic link /usr/bin/gcc, which points to /usr/bin/gcc-4.6, and then create a new symbolic link /usr/bin/gcc pointing to /usr/bin/gcc-4.4.
# ls -l /usr/bin/gcc
lrwxrwxrwx 1 root root 7 Mar 13 20:05 /usr/bin/gcc -> gcc-4.6
# rm /usr/bin/gcc
rm: remove symbolic link `/usr/bin/gcc'? y
# ln -s /usr/bin/gcc-4.4 /usr/bin/gcc
# ls -l /usr/bin/gcc
lrwxrwxrwx 1 root root 16 Sep 1 02:18 /usr/bin/gcc -> /usr/bin/gcc-4.4
Build Wireshark 1.7.1 with gcc-4.4.
# gcc --version
gcc (Ubuntu/Linaro 4.4.7-1ubuntu2) 4.4.7
Copyright (C) 2010 Free Software Foundation, Inc.
This is free software; see the source for copying conditions.  There is NO
warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
The commands I ran (from the shell history):
rm -rf wireshark-1.7.1
tar jxvf wireshark-1.7.1.tar.bz2
cp -r spdyshark/spdyshark wireshark-1.7.1/plugins/
cd wireshark-1.7.1
patch -p1 < ../spdyshark/spdyshark_build.patch
./autogen.sh
make
./configure --with-ssl --disable-wireshark
make
make install
nnn, error
# /usr/local/bin/tshark --version
/usr/local/bin/tshark: error while loading shared libraries: libwiretap.so.0: cannot open shared object file: No such file or directory
libwiretap.so.0 is in the /usr/local/lib directory.
# ls /usr/local/lib/libwiretap.*
/usr/local/lib/libwiretap.la  /usr/local/lib/libwiretap.so.0
/usr/local/lib/libwiretap.so  /usr/local/lib/libwiretap.so.0.0.1
Run ldconfig.
# ldconfig
# /usr/local/bin/tshark -v
TShark 1.7.1 (SVN Rev Unknown from unknown)

Copyright 1998-2012 Gerald Combs <gerald@wireshark.org> and contributors.
This is free software; see the source for copying conditions. There is NO
warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.

Compiled (64-bit) with GLib 2.32.3, with libpcap, with libz 1.2.3.4, without POSIX
capabilities, without SMI, without c-ares, without ADNS, without Lua, without
Python, without GnuTLS, without Gcrypt, without Kerberos, without GeoIP.

Running on Linux 3.5.0-030500-generic, with locale C, with libpcap version 1.1.1,
with libz 1.2.3.4.

Built using gcc 4.4.7.
Change the symbolic link back to the default setting.
# rm /usr/bin/gcc
# ln -s /usr/bin/gcc-4.6 /usr/bin/gcc
# ls -l /usr/bin/gcc
lrwxrwxrwx 1 root root 16 Sep 1 04:04 /usr/bin/gcc -> /usr/bin/gcc-4.6
After building Wireshark, I found out that the "apt-get build-dep <package name>" command installs the packages required to build the package.
Add the following lines (deb-src) to /etc/apt/sources.list.
# egrep -i ^deb-src /etc/apt/sources.list
deb-src http://jp.archive.ubuntu.com/ubuntu/ precise main restricted
deb-src http://jp.archive.ubuntu.com/ubuntu/ precise-updates main restricted
deb-src http://jp.archive.ubuntu.com/ubuntu/ precise universe
deb-src http://jp.archive.ubuntu.com/ubuntu/ precise-updates universe
deb-src http://jp.archive.ubuntu.com/ubuntu/ precise multiverse
deb-src http://jp.archive.ubuntu.com/ubuntu/ precise-updates multiverse
deb-src http://security.ubuntu.com/ubuntu precise-security main restricted
deb-src http://security.ubuntu.com/ubuntu precise-security universe
deb-src http://security.ubuntu.com/ubuntu precise-security multiverse
Then:
# apt-get update
# apt-get build-dep wireshark
[ decode SPDY sessions with spdyshark ]
I'll use spdycat as the SPDY client and spdyd as the SPDY server.
client (spdycat , spdyshark ) ---- server ( spdyd )
To install spdylay, which includes spdycat and spdyd, please refer to the following URL.
http://lost-and-found-narihiro.blogspot.jp/2012/09/install-spdylay-c-library-and-spdylay.html
First, make a self-signed certificate on the server
(I just followed http://www.akadia.com/services/ssh_test_certificate.html).
Create a private key.
# openssl genrsa -des -out server.key 1024
Generating RSA private key, 1024 bit long modulus
..++++++
............................................................................++++++
e is 65537 (0x10001)
Enter pass phrase for server.key:
Verifying - Enter pass phrase for server.key:
Generate a CSR.
# openssl req -new -key server.key -out server.csr
Enter pass phrase for server.key:
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:
State or Province Name (full name) [Some-State]:
Locality Name (eg, city) []:
Organization Name (eg, company) [Internet Widgits Pty Ltd]:test Ltd
Organizational Unit Name (eg, section) []:test
Common Name (e.g. server FQDN or YOUR name) []:www.example.com
Email Address []:

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
Remove the passphrase from the private key.
# cp server.key server.key.org
# openssl rsa -in server.key.org -out server.key
Enter pass phrase for server.key.org:
writing RSA key
Make a self-signed certificate.
# openssl x509 -req -days 365 -in server.csr -signkey server.key -out server.crt
Signature ok
subject=/C=AU/ST=Some-State/O=test Ltd/OU=test/CN=www.example.com
Getting Private key
The private key:
# openssl rsa -text -in server.key
Private-Key: (1024 bit)
modulus:
    00:9d:74:ef:61:3a:ba:48:b2:88:cb:46:16:f4:a8:
    1f:ad:bd:09:63:18:50:fb:33:a6:f2:77:27:b8:8f:
    d5:e9:8e:18:0f:79:3d:2d:b6:7b:15:df:d1:0d:15:
<snip>
The self-signed certificate:
# openssl x509 -text -in server.crt
Certificate:
    Data:
        Version: 1 (0x0)
        Serial Number: 9661473082433802062 (0x861472946d770f4e)
    Signature Algorithm: sha1WithRSAEncryption
        Issuer: C=AU, ST=Some-State, O=test Ltd, OU=test, CN=www.example.com
        Validity
            Not Before: Sep  5 04:38:58 2012 GMT
            Not After : Sep  5 04:38:58 2013 GMT
Run spdyd (the server).
# mkdir htdocs
# touch "hello" > htdocs/index.html
# ./spdyd -3v -d /home/hattori/htdocs 443 /home/hattori/server.key /home/hattori/server.crt
IPv4: listen on port 443
IPv6: listen on port 443
Usage: spdyd [-3DVhv] [-d <PATH>] <PORT> <PRIVATE_KEY> <CERT>
On the client, establish a SPDY session with the spdycat command.
# ./spdycat -nv https://192.168.10.120/index.html
[  0.001] NPN select next protocol: the remote server offers:
          * spdy/3
          NPN selected the protocol: spdy/3
[  0.004] send SYN_STREAM frame <version=3, flags=1, length=114>
          (stream_id=1, assoc_stream_id=0, pri=3)
          :host: 192.168.10.120
          :method: GET
          :path: /index.html
          :scheme: https
          :version: HTTP/1.1
          accept: */*
          user-agent: spdylay/0.3.3
[  0.006] recv SETTINGS frame <version=3, flags=0, length=12>
          (niv=1)
          [4(0):100]
[  0.012] recv SYN_REPLY frame <version=3, flags=0, length=102>
          (stream_id=1)
          :status: 200 OK
          :version: HTTP/1.1
          cache-control: max-age=3600
          content-length: 0
          date: Wed, 01 Sep 2012 04:50:56 GMT
          last-modified: Wed, 01 Sep 2012 04:46:01 GMT
          server: spdyd spdylay/0.3.3
[  0.016] recv DATA frame (stream_id=1, flags=1, length=0)
[  0.017] send GOAWAY frame <version=3, flags=0, length=8>
          (last_good_stream_id=0)
The server side shows the same exchange:
# ./spdyd -3v -d /home/hattori/htdocs 443 /home/hattori/server.key /home/hattori/server.crt
IPv4: listen on port 443
IPv6: listen on port 443
The negotiated next protocol: spdy/3
[id=1] [  2.548] send SETTINGS frame <version=3, flags=0, length=12>
          (niv=1)
          [4(0):100]
[id=1] [  2.550] recv SYN_STREAM frame <version=3, flags=1, length=114>
          (stream_id=1, assoc_stream_id=0, pri=3)
          :host: 192.168.10.120
          :method: GET
          :path: /index.html
          :scheme: https
          :version: HTTP/1.1
          accept: */*
          user-agent: spdylay/0.3.3
[id=1] [  2.556] send SYN_REPLY frame <version=3, flags=0, length=102>
          (stream_id=1)
          :status: 200 OK
          :version: HTTP/1.1
          cache-control: max-age=3600
          content-length: 0
          date: Wed, 01 Sep 2012 04:50:56 GMT
          last-modified: Wed, 01 Sep 2012 04:46:01 GMT
          server: spdyd spdylay/0.3.3
[id=1] [  2.560] send DATA frame (stream_id=1, flags=1, length=0)
[id=1] [  2.561] stream_id=1 closed
[id=1] [  2.562] recv GOAWAY frame <version=3, flags=0, length=8>
          (last_good_stream_id=0)
[id=1] [  2.564] closed
Capture the SPDY session on port 443 while accessing the SPDY server.
# /usr/local/bin/tshark -i eth0 port 443 -w spdy.pcap
Running as user "root" and group "root". This could be dangerous.
Capturing on eth0
23 ^C
#
Access the SPDY server from the client.
# ./spdycat -nv https://192.168.10.120/index.html
nnn, can't decrypt.. does it need weak cipher suites??
# /usr/local/bin/tshark -r spdy.pcap \
    -o "ssl.keys_list:192.168.10.120,443,http,server.key" \
    -o ssl.debug_file:"/home/hattori/ssl-debug.log" \
    -o "ssl.desegment_ssl_records: TRUE" \
    -o "ssl.desegment_ssl_application_data: TRUE" \
    -R "(tcp.port eq 443)" | egrep -i get
tshark: Lua: Error during loading:
 [string "/usr/local/share/wireshark/init.lua"]:45: dofile has been disabled
Running as user "root" and group "root". This could be dangerous.
#
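Decryption with only the server's private key in ssl.keys_list works only when the TLS session used static RSA key exchange; with a (EC)DHE suite the server key merely signs the handshake and the session keys cannot be recovered from it. A quick way to check a capture is to look at the cipher suite the server picked in its ServerHello. The following Python script is an added example (not part of this post, spdyshark or spdylay): it walks TLS records from the server side, extracts the ServerHello cipher suite and says whether tshark could decrypt the session with the server key; the sample input is constructed inline.

```python
"""Report whether a TLS session could be decrypted with only the server's RSA key.
Added example (not spdyshark/spdylay code): walks TLS records from the server side,
finds the ServerHello and classifies the chosen cipher suite by key exchange."""
import struct

# IANA cipher suite code points, grouped by key-exchange method.
RSA_KEX = {                      # static RSA: premaster secret encrypted to server key
    0x0004: "TLS_RSA_WITH_RC4_128_MD5", 0x0005: "TLS_RSA_WITH_RC4_128_SHA",
    0x000A: "TLS_RSA_WITH_3DES_EDE_CBC_SHA", 0x002F: "TLS_RSA_WITH_AES_128_CBC_SHA",
    0x0035: "TLS_RSA_WITH_AES_256_CBC_SHA", 0x003C: "TLS_RSA_WITH_AES_128_CBC_SHA256",
    0x009C: "TLS_RSA_WITH_AES_128_GCM_SHA256",
}
EPHEMERAL_KEX = {                # (EC)DHE: server key only signs, cannot recover secrets
    0x0033: "TLS_DHE_RSA_WITH_AES_128_CBC_SHA", 0x0039: "TLS_DHE_RSA_WITH_AES_256_CBC_SHA",
    0x009E: "TLS_DHE_RSA_WITH_AES_128_GCM_SHA256", 0xC013: "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA",
    0xC014: "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA", 0xC02F: "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
}
HANDSHAKE, SERVER_HELLO = 0x16, 0x02


def server_hello_cipher(stream):
    """Return the cipher suite id from the first ServerHello in a server->client byte stream."""
    off = 0
    while off + 5 <= len(stream):
        ctype, _ver, rlen = struct.unpack("!BHH", stream[off:off + 5])   # record header
        body = stream[off + 5:off + 5 + rlen]
        off += 5 + rlen
        if ctype != HANDSHAKE:
            continue                        # ChangeCipherSpec, alert, application data
        pos = 0
        while pos + 4 <= len(body):         # several handshake messages may share a record
            htype, hlen = body[pos], int.from_bytes(body[pos + 1:pos + 4], "big")
            msg = body[pos + 4:pos + 4 + hlen]
            pos += 4 + hlen
            if htype == SERVER_HELLO:
                sid_len = msg[34]           # version(2) + random(32), then session_id length
                return struct.unpack("!H", msg[35 + sid_len:37 + sid_len])[0]
    return None


def decryptable_with_server_key(suite):
    """(True, name) for static RSA suites, which tshark can decrypt from ssl.keys_list;
    (False, name) for (EC)DHE or unknown suites, where the server key alone is not enough."""
    if suite in RSA_KEX:
        return True, RSA_KEX[suite]
    return False, EPHEMERAL_KEX.get(suite, "unknown 0x%04X" % suite)


def make_server_hello(suite):
    """Build a constructed TLS 1.0 ServerHello record (empty session id) as sample input."""
    msg = b"\x03\x01" + b"\x11" * 32 + b"\x00" + struct.pack("!H", suite) + b"\x00"
    hs = bytes([SERVER_HELLO]) + len(msg).to_bytes(3, "big") + msg
    return b"\x16\x03\x01" + struct.pack("!H", len(hs)) + hs
```

To use it on a real capture, feed server_hello_cipher the server-to-client TCP payload bytes of the session (for example exported from the pcap).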
Try Apache mod_spdy...
On the server, install Apache and mod_spdy.
# apt-get install apache2
# wget https://dl-ssl.google.com/dl/linux/direct/mod-spdy-beta_current_amd64.deb
# dpkg -i mod-spdy-beta_current_amd64.deb
# apache2ctl restart
# a2enmod default-ssl
# a2ensite default-ssl
# apache2ctl restart
# lsof -ni:443
COMMAND   PID     USER   FD   TYPE DEVICE SIZE/OFF NODE NAME
apache2 30246     root    6u  IPv6  35793      0t0  TCP *:https (LISTEN)
apache2 30557 www-data    6u  IPv6  35793      0t0  TCP *:https (LISTEN)
apache2 30558 www-data    6u  IPv6  35793      0t0  TCP *:https (LISTEN)
Access Apache with spdycat. Okay.
# ./spdycat -nv https://192.168.10.120
[  0.009] NPN select next protocol: the remote server offers:
          * spdy/3
          * spdy/2
          * http/1.1
          * x-mod-spdy/0.9.2.2-350
          NPN selected the protocol: spdy/3
[  0.018] send SYN_STREAM frame <version=3, flags=1, length=106>
          (stream_id=1, assoc_stream_id=0, pri=3)
          :host: 192.168.10.120
          :method: GET
          :path: /
          :scheme: https
          :version: HTTP/1.1
          accept: */*
          user-agent: spdylay/0.3.3
[  0.020] recv SETTINGS frame <version=3, flags=0, length=12>
          (niv=1)
          [4(0):100]
[  0.020] recv SYN_REPLY frame <version=3, flags=0, length=181>
          (stream_id=1)
          :status: 200
          :version: HTTP/1.1
          accept-ranges: bytes
          content-encoding: gzip
          content-length: 146
          content-type: text/html
          date: Wed, 05 Sep 2012 08:02:54 GMT
          etag: "24405-b1-4c8ef96d32b09"
          last-modified: Wed, 01 Sep 2012 07:47:40 GMT
          server: Apache/2.2.22 (Ubuntu)
          vary: Accept-Encoding
          x-mod-spdy: 0.9.2.2-350
[  0.023] recv DATA frame (stream_id=1, flags=1, length=146)
[  0.023] send GOAWAY frame <version=3, flags=0, length=8>
          (last_good_stream_id=0)
nnn, I'm a little tired,, I'll try this next time.