lost and found ( for me ? )

Ubuntu 12.04: how to build spdyshark and how to use spdycat and spdyd

About spdyshark
http://code.google.com/p/spdyshark/

In short, spdyshark is a plugin for wireshark which lets it decode (dissect) SPDY sessions.

The following is my installation log, trial and error included.

[ install spdyshark on Ubuntu 12.04 ]

# tail -1 /etc/lsb-release
DISTRIB_DESCRIPTION="Ubuntu 12.04.1 LTS"
# uname -ri
3.5.0-030500-generic x86_64


This Ubuntu is JeOS running on KVM, which I built with vmbuilder.

To use spdyshark, you need to build wireshark from source, so the packages required to build wireshark have to be installed first. (Only after the build did I find out that "apt-get build-dep wireshark" installs all of them at once; see the end of this section. Below I installed them one by one as configure complained.)

get the wireshark source (wireshark-1.8.2.tar.bz2).
# tar jxvf wireshark-1.8.2.tar.bz2


get spdyshark.
# apt-get install git
# git clone https://code.google.com/p/spdyshark/


copy the spdyshark subdirectory into the wireshark-1.8.2/plugins directory.
# cp -r spdyshark/spdyshark wireshark-1.8.2/plugins/


nnn, error (the patch is applied inside the wireshark-1.8.2 directory; one hunk is rejected, so patch exits with status 1 and leaves a partially patched tree)
# patch -p1 < ../spdyshark/spdyshark_build.patch
patching file CMakeLists.txt
Hunk #1 succeeded at 417 (offset -1 lines).
patching file configure.in
Hunk #1 succeeded at 2104 (offset 20 lines).
patching file epan/Makefile.am
patching file epan/Makefile.in
Hunk #1 succeeded at 916 (offset 6 lines).
patching file Makefile.am
Hunk #1 succeeded at 281 (offset -34 lines).
patching file Makefile.in
Hunk #1 succeeded at 138 (offset -4 lines).
Hunk #2 succeeded at 807 (offset -40 lines).
patching file packaging/nsis/Makefile.nmake
Hunk #1 succeeded at 54 (offset -3 lines).
patching file packaging/nsis/wireshark.nsi
Hunk #1 FAILED at 928.
1 out of 1 hunk FAILED -- saving rejects to file packaging/nsis/wireshark.nsi.rej
patching file plugins/Makefile.am
Hunk #1 succeeded at 32 (offset -1 lines).
patching file plugins/Makefile.in
Hunk #1 succeeded at 372 (offset 3 lines).
patching file plugins/Makefile.nmake
Hunk #1 succeeded at 16 (offset -1 lines).
Hunk #2 succeeded at 74 (offset -1 lines).

# echo $?
1


Try this with wireshark 1.7.1 as described in http://code.google.com/p/spdyshark/

Judging from the patch file, this patch was apparently made against wireshark 1.7.1:
# head -5  spdyshark/spdyshark_build.patch
diff -aur wireshark-1.7.1/CMakeLists.txt wireshark-1.7.1-patched/CMakeLists.txt
--- wireshark-1.7.1/CMakeLists.txt      2012-04-06 14:42:14.000000000 -0400
+++ wireshark-1.7.1-patched/CMakeLists.txt      2012-04-11 18:37:44.302998000 -0400
@@ -418,6 +418,7 @@
               plugins/mate
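
An added check (example code, not from the post or the spdyshark project): read the version out of the patch's own "diff -aur wireshark-X.Y.Z/..." headers, compare it with the tarball you are about to patch, and only then dry-run the patch, so that a version mismatch does not leave a half-patched tree like the one above (one hunk rejected, exit status 1). The header text embedded below is a constructed sample copied from the head of the patch shown above; patch_dry_run needs patch(1) and a source tree, so it is only defined here, not run.

```shell
#!/bin/sh
# Added example, not part of the post: sanity-check a wireshark build patch
# against the tarball before applying it.

# Print the version embedded in the first "diff -aur wireshark-X.Y.Z/..."
# header of a patch file, e.g. "1.7.1". Prints nothing and returns 1 if the
# patch carries no such header.
patch_target_version() {
    _ver=$(sed -n 's|^diff -aur wireshark-\([0-9][0-9.]*\)/.*|\1|p' "$1" | head -n 1)
    [ -n "$_ver" ] || return 1
    printf '%s\n' "$_ver"
}

# Version taken from a tarball name such as wireshark-1.8.2.tar.bz2.
tarball_version() {
    printf '%s\n' "$1" | sed -n 's|.*wireshark-\([0-9][0-9.]*\)\.tar\..*|\1|p'
}

# 0 if the patch was generated against the tarball's version, 1 otherwise.
patch_matches_tarball() {
    _p=$(patch_target_version "$1") || return 1
    _t=$(tarball_version "$2")
    [ "$_p" = "$_t" ]
}

# Dry-run the patch inside an unpacked source tree without modifying it.
# Returns patch(1)'s status, so 1 means at least one hunk would be rejected.
# Arguments: source directory, patch file.
patch_dry_run() {
    ( cd "$1" && patch -p1 --dry-run < "$2" )
}

# Constructed sample: the first lines of spdyshark_build.patch as shown above.
SAMPLE_PATCH=$(mktemp)
cat > "$SAMPLE_PATCH" <<'EOF'
diff -aur wireshark-1.7.1/CMakeLists.txt wireshark-1.7.1-patched/CMakeLists.txt
--- wireshark-1.7.1/CMakeLists.txt      2012-04-06 14:42:14.000000000 -0400
+++ wireshark-1.7.1-patched/CMakeLists.txt      2012-04-11 18:37:44.302998000 -0400
@@ -418,6 +418,7 @@
                plugins/mate
EOF

# The situation from the post: a 1.7.1 patch against the 1.8.2 tarball.
if patch_matches_tarball "$SAMPLE_PATCH" wireshark-1.8.2.tar.bz2; then
    echo "patch matches wireshark-1.8.2, safe to apply"
else
    echo "patch is for wireshark $(patch_target_version "$SAMPLE_PATCH"), not for 1.8.2"
fi
```

Run the dry run only after the versions agree; if patch --dry-run still reports a FAILED hunk (as the packaging/nsis/wireshark.nsi hunk did above), look at the .rej before touching the tree.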


download wireshark 1.7.1 from http://sourceforge.jp/projects/sfnet_wireshark/downloads/src/all-versions/wireshark-1.7.1.tar.bz2/
# tar jxvf wireshark-1.7.1.tar.bz2
# cp -r spdyshark/spdyshark wireshark-1.7.1/plugins/


apply the patch
# cd wireshark-1.7.1

# patch -p1 < ../spdyshark/spdyshark_build.patch
patching file CMakeLists.txt
patching file configure.in
patching file epan/Makefile.am
patching file epan/Makefile.in
patching file Makefile.am
patching file Makefile.in
patching file packaging/nsis/Makefile.nmake
patching file packaging/nsis/wireshark.nsi
patching file plugins/Makefile.am
patching file plugins/Makefile.in
patching file plugins/Makefile.nmake

# echo $?
0

# ./autogen.sh


error
# ./configure --with-ssl
aries... yes
checking dynamic linker characteristics... (cached) GNU/Linux ld.so
checking how to hardcode library paths into programs... immediate
checking for perl... /usr/bin/perl
checking for bison... no
checking for byacc... no
checking for yacc... no
configure: error: I couldn't find yacc (or bison or ...); make sure it's installed and in your path

# apt-get install bison -y


try again
# ./configure --with-ssl
checking for flex... no
checking for lex... no
checking for flex... no
configure: error: I couldn't find flex; make sure it's installed and in your path

# apt-get install flex -y

# ./configure --with-ssl
checking if profile builds must be generated... no
checking for pkg-config... /usr/bin/pkg-config
checking for GTK+ - version >= 2.12.0 and < 3.0... no
*** Could not run GTK+ test program, checking why...
*** The test program failed to compile or link. See the file config.log for the
*** exact error that occured. This usually means GTK+ is incorrectly installed.
configure: error: Neither Qt nor GTK+ 2.12 or later are available, so Wireshark can't be compiled


I have not installed GTK.
Okay, I'll skip installing wireshark and use tshark.
# ./configure --with-ssl --disable-wireshark
checking if profile builds must be generated... no
checking for pkg-config... /usr/bin/pkg-config
checking for GLIB - version >= 2.14.0... no
*** Could not run GLIB test program, checking why...
*** The test program failed to compile or link. See the file config.log for the
*** exact error that occured. This usually means GLIB is incorrectly installed.
configure: error: GLib 2.14 or later distribution not found.

# apt-get install -y libglib2.0-0 libglib2.0-dev

# ./configure --with-ssl --disable-wireshark
checking for pcap-config... no
checking for extraneous pcap header directories... not found
checking pcap.h usability... no
checking pcap.h presence... no
checking for pcap.h... no
configure: error: Header file pcap.h not found; if you installed libpcap
from source, did you also do "make install-incl", and if you installed a
binary package of libpcap, is there also a developer's package of libpcap,
and did you also install that package?

# apt-get install -y libpcap0.8-dev libpcap0.8

# ./configure --with-ssl --disable-wireshark

The Wireshark package has been configured with the following options.
                   Build wireshark : no
                      Build tshark : yes
                    Build capinfos : yes
                     Build editcap : yes
                     Build dumpcap : yes
                    Build mergecap : yes
                   Build text2pcap : yes
                     Build randpkt : yes
                      Build dftest : yes
                    Build rawshark : yes

  Save files as pcap-ng by default : yes
 Install dumpcap with capabilities : no
            Install dumpcap setuid : no
                 Use dumpcap group : (none)
                       Use plugins : yes
                   Use Lua library : no
                Use Python binding : no
                  Build rtp_player : no
            Build profile binaries : no
                  Use pcap library : yes
                  Use zlib library : yes
              Use kerberos library : no
                Use c-ares library : no
              Use GNU ADNS library : no
               Use SMI MIB library : no
            Use GNU crypto library : yes
            Use SSL crypto library : yes
          Use IPv6 name resolution : yes
                Use gnutls library : yes
    Use POSIX capabilities library : no
                 Use GeoIP library : no


nnn, error ("internal compiler error: Killed (program cc1)" means the compiler process was killed from outside, typically by the kernel's OOM killer when a small guest runs out of memory on a huge generated file such as packet-parlay.c)
# make
packet-parlay.c:82298:13: warning: 'decode_org_csapi_fw_TpLoadPolicy_st' defined but not used [-Wunused-function]
packet-parlay.c:82364:13: warning: 'decode_org_csapi_fw_TpLoadInitVal_st' defined but not used [-Wunused-function]
packet-parlay.c:83515:13: warning: 'decode_org_csapi_ui_TpUIEventInfo_st' defined but not used [-Wunused-function]
gcc: internal compiler error: Killed (program cc1)
Please submit a full bug report,
with preprocessed source if appropriate.
See <file:///usr/share/doc/gcc-4.6/README.Bugs> for instructions.
make[3]: *** [packet-parlay.lo] Error 1
make[3]: Leaving directory `/home/hattori/wireshark-1.7.1/plugins/giop'
make[2]: *** [all-recursive] Error 1
make[2]: Leaving directory `/home/hattori/wireshark-1.7.1/plugins'
make[1]: *** [all-recursive] Error 1
make[1]: Leaving directory `/home/hattori/wireshark-1.7.1'
make: *** [all] Error 2


gcc version is
# gcc --version
gcc (Ubuntu/Linaro 4.6.3-1ubuntu5) 4.6.3
Copyright (C) 2011 Free Software Foundation, Inc.
This is free software; see the source for copying conditions.  There is NO
warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.


how about building wireshark with gcc-4.4 ??

install gcc-4.4
# apt-get install gcc-4.4


delete the symbolic link /usr/bin/gcc (pointing to /usr/bin/gcc-4.6) and then create a new symbolic link /usr/bin/gcc pointing to /usr/bin/gcc-4.4. (Passing the compiler to configure as CC=gcc-4.4 ./configure ... would avoid touching the system link; the steps below change the link instead.)
# ls -l /usr/bin/gcc
lrwxrwxrwx 1 root root 7 Mar 13 20:05 /usr/bin/gcc -> gcc-4.6

# rm /usr/bin/gcc
rm: remove symbolic link `/usr/bin/gcc'? y

# ln -s /usr/bin/gcc-4.4 /usr/bin/gcc

# ls -l /usr/bin/gcc
lrwxrwxrwx 1 root root 16 Sep  1 02:18 /usr/bin/gcc -> /usr/bin/gcc-4.4


build wireshark 1.7.1 with gcc-4.4
# gcc --version
gcc (Ubuntu/Linaro 4.4.7-1ubuntu2) 4.4.7
Copyright (C) 2010 Free Software Foundation, Inc.
This is free software; see the source for copying conditions.  There is NO
warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.

 471  rm -rf wireshark-1.7.1
 472  tar jxvf wireshark-1.7.1.tar.bz2
 473  cp -r spdyshark/spdyshark wireshark-1.7.1/plugins/
 474  cd wireshark-1.7.1
 475  patch -p1 < ../spdyshark/spdyshark_build.patch
 476  ./autogen.sh
 477  make
 478  ./configure --with-ssl --disable-wireshark
 479  make
 481  make install


nnn, error
# /usr/local/bin/tshark --version
/usr/local/bin/tshark: error while loading shared libraries: libwiretap.so.0: cannot open shared object file: No such file or directory


libwiretap.so.0 is in the /usr/local/lib directory, which the dynamic linker's cache does not know about yet
# ls /usr/local/lib/libwiretap.*
/usr/local/lib/libwiretap.la  /usr/local/lib/libwiretap.so.0
/usr/local/lib/libwiretap.so  /usr/local/lib/libwiretap.so.0.0.1


run ldconfig
# ldconfig

# /usr/local/bin/tshark -v
TShark 1.7.1 (SVN Rev Unknown from unknown)

Copyright 1998-2012 Gerald Combs <gerald@wireshark.org> and contributors.
This is free software; see the source for copying conditions. There is NO
warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.

Compiled (64-bit) with GLib 2.32.3, with libpcap, with libz 1.2.3.4, without
POSIX capabilities, without SMI, without c-ares, without ADNS, without Lua,
without Python, without GnuTLS, without Gcrypt, without Kerberos, without GeoIP.

Running on Linux 3.5.0-030500-generic, with locale C, with libpcap version
1.1.1, with libz 1.2.3.4.

Built using gcc 4.4.7.


change the symbolic link back to the default (gcc-4.6)
# rm /usr/bin/gcc
# ln -s /usr/bin/gcc-4.6 /usr/bin/gcc
# ls -l /usr/bin/gcc
lrwxrwxrwx 1 root root 16 Sep  1 04:04 /usr/bin/gcc -> /usr/bin/gcc-4.6


After building wireshark, I learned that the "apt-get build-dep <package name>" command installs the packages required to build that package.

add the following lines to /etc/apt/sources.list (deb-src entries)
# egrep -i ^deb-src /etc/apt/sources.list
deb-src http://jp.archive.ubuntu.com/ubuntu/ precise main restricted
deb-src http://jp.archive.ubuntu.com/ubuntu/ precise-updates main restricted
deb-src http://jp.archive.ubuntu.com/ubuntu/ precise universe
deb-src http://jp.archive.ubuntu.com/ubuntu/ precise-updates universe
deb-src http://jp.archive.ubuntu.com/ubuntu/ precise multiverse
deb-src http://jp.archive.ubuntu.com/ubuntu/ precise-updates multiverse
deb-src http://security.ubuntu.com/ubuntu precise-security main restricted
deb-src http://security.ubuntu.com/ubuntu precise-security universe
deb-src http://security.ubuntu.com/ubuntu precise-security multiverse


then
# apt-get update
# apt-get build-dep wireshark


[ decode SPDY sessions with spdyshark ]

I'll use spdycat as the SPDY client and spdyd as the SPDY server.

client (spdycat , spdyshark ) ---- server ( spdyd )

To install spdylay, which includes spdycat and spdyd, please refer to the following URL.
http://lost-and-found-narihiro.blogspot.jp/2012/09/install-spdylay-c-library-and-spdylay.html

At first, make a self-signed certificate on the server
(I just followed http://www.akadia.com/services/ssh_test_certificate.html)

create a private key
# openssl genrsa -des -out server.key 1024
Generating RSA private key, 1024 bit long modulus
..++++++
............................................................................++++++
e is 65537 (0x10001)
Enter pass phrase for server.key:
Verifying - Enter pass phrase for server.key:


generate a CSR
# openssl req -new -key server.key -out server.csr
Enter pass phrase for server.key:
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:
State or Province Name (full name) [Some-State]:
Locality Name (eg, city) []:
Organization Name (eg, company) [Internet Widgits Pty Ltd]:test Ltd
Organizational Unit Name (eg, section) []:test
Common Name (e.g. server FQDN or YOUR name) []:www.example.com
Email Address []:

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:


remove the passphrase from the private key (spdyd and tshark read the key file non-interactively, so it must not be encrypted)
# cp server.key server.key.org

# openssl rsa -in server.key.org -out server.key
Enter pass phrase for server.key.org:
writing RSA key


make a self-signed certificate
# openssl x509 -req -days 365 -in server.csr -signkey server.key -out server.crt
Signature ok
subject=/C=AU/ST=Some-State/O=test Ltd/OU=test/CN=www.example.com
Getting Private key


private key
# openssl rsa -text -in server.key
Private-Key: (1024 bit)
modulus:
   00:9d:74:ef:61:3a:ba:48:b2:88:cb:46:16:f4:a8:
   1f:ad:bd:09:63:18:50:fb:33:a6:f2:77:27:b8:8f:
   d5:e9:8e:18:0f:79:3d:2d:b6:7b:15:df:d1:0d:15:
<snip>


self-signed certificate
# openssl x509 -text -in server.crt
Certificate:
   Data:
       Version: 1 (0x0)
       Serial Number: 9661473082433802062 (0x861472946d770f4e)
   Signature Algorithm: sha1WithRSAEncryption
       Issuer: C=AU, ST=Some-State, O=test Ltd, OU=test, CN=www.example.com
       Validity
           Not Before: Sep  5 04:38:58 2012 GMT
           Not After : Sep  5 04:38:58 2013 GMT
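
The four openssl steps above (key, CSR, passphrase removal, self-signing) collapsed into one non-interactive command, plus the two checks worth running before handing the files to spdyd or to tshark's ssl.keys_list: the key must have no passphrase and it must be the key that belongs to the certificate. This is an added example, not code from the post or from spdylay; it uses a 2048-bit key instead of the post's 1024-bit one and the same subject as above, with www.example.com as a placeholder host. The demonstration run at the bottom is skipped when openssl is not installed.

```shell
#!/bin/sh
# Added example, not part of the post: self-signed server certificate in one
# step, and checks that the key/cert pair is usable by spdyd and tshark.

# Generate an unencrypted RSA key and a self-signed certificate for one host.
# Arguments: common name, output directory. Writes server.key and server.crt.
# -nodes leaves the key unencrypted, which is what the post achieved by
# "openssl rsa -in server.key.org -out server.key".
make_selfsigned_cert() {
    _cn=$1; _dir=$2
    mkdir -p "$_dir"
    openssl req -x509 -newkey rsa:2048 -nodes -days 365 \
        -subj "/C=AU/ST=Some-State/O=test Ltd/OU=test/CN=$_cn" \
        -keyout "$_dir/server.key" -out "$_dir/server.crt" >/dev/null 2>&1
}

# 0 if the PEM key carries no passphrase: neither "Proc-Type: 4,ENCRYPTED"
# (traditional format) nor "BEGIN ENCRYPTED PRIVATE KEY" (PKCS#8).
key_is_unencrypted() {
    ! grep -q 'ENCRYPTED' "$1"
}

# 0 if the certificate's RSA modulus equals the private key's modulus, i.e.
# the two files belong together. Arguments: key file, certificate file.
cert_matches_key() {
    _km=$(openssl rsa -noout -modulus -in "$1" 2>/dev/null)
    _cm=$(openssl x509 -noout -modulus -in "$2" 2>/dev/null)
    [ -n "$_km" ] && [ "$_km" = "$_cm" ]
}

# Demonstration run (constructed placeholder host; skipped without openssl).
if command -v openssl >/dev/null 2>&1; then
    DEMO_DIR=$(mktemp -d)
    make_selfsigned_cert www.example.com "$DEMO_DIR"
    if key_is_unencrypted "$DEMO_DIR/server.key"; then
        echo "server.key: no passphrase, usable by spdyd and tshark"
    fi
    if cert_matches_key "$DEMO_DIR/server.key" "$DEMO_DIR/server.crt"; then
        echo "server.crt belongs to server.key"
    fi
    openssl x509 -noout -subject -dates -in "$DEMO_DIR/server.crt"
fi
```

The modulus comparison is the usual way to catch a key and certificate that were generated in separate runs; a mismatch shows up with spdyd as a TLS handshake failure rather than a clear error. spdyd takes the key before the certificate on its command line, as in the usage line below.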


run spdyd (server)
# mkdir htdocs
# touch "hello" > htdocs/index.html
(as written, touch creates an empty file named hello and the redirect creates an empty htdocs/index.html, which is why the reply below reports content-length: 0; echo "hello" > htdocs/index.html would put some text in the page)

# ./spdyd -3v -d /home/hattori/htdocs 443 /home/hattori/server.key /home/hattori/server.crt
IPv4: listen on port 443
IPv6: listen on port 443


Usage: spdyd [-3DVhv] [-d <PATH>] <PORT> <PRIVATE_KEY> <CERT>

on the client, establish a SPDY session with the spdycat command
# ./spdycat -nv https://192.168.10.120/index.html
[  0.001] NPN select next protocol: the remote server offers:
         * spdy/3
         NPN selected the protocol: spdy/3
[  0.004] send SYN_STREAM frame <version=3, flags=1, length=114>
         (stream_id=1, assoc_stream_id=0, pri=3)
         :host: 192.168.10.120
         :method: GET
         :path: /index.html
         :scheme: https
         :version: HTTP/1.1
         accept: */*
         user-agent: spdylay/0.3.3
[  0.006] recv SETTINGS frame <version=3, flags=0, length=12>
         (niv=1)
         [4(0):100]
[  0.012] recv SYN_REPLY frame <version=3, flags=0, length=102>
         (stream_id=1)
         :status: 200 OK
         :version: HTTP/1.1
         cache-control: max-age=3600
         content-length: 0
         date: Wed, 01 Sep 2012 04:50:56 GMT
         last-modified: Wed, 01 Sep 2012 04:46:01 GMT
         server: spdyd spdylay/0.3.3
[  0.016] recv DATA frame (stream_id=1, flags=1, length=0)
[  0.017] send GOAWAY frame <version=3, flags=0, length=8>
         (last_good_stream_id=0)

on the server, spdyd logs the same exchange from its side:
# ./spdyd -3v -d /home/hattori/htdocs 443 /home/hattori/server.key /home/hattori/server.crt
IPv4: listen on port 443
IPv6: listen on port 443
The negotiated next protocol: spdy/3
[id=1] [  2.548] send SETTINGS frame <version=3, flags=0, length=12>
         (niv=1)
         [4(0):100]
[id=1] [  2.550] recv SYN_STREAM frame <version=3, flags=1, length=114>
         (stream_id=1, assoc_stream_id=0, pri=3)
         :host: 192.168.10.120
         :method: GET
         :path: /index.html
         :scheme: https
         :version: HTTP/1.1
         accept: */*
         user-agent: spdylay/0.3.3
[id=1] [  2.556] send SYN_REPLY frame <version=3, flags=0, length=102>
         (stream_id=1)
         :status: 200 OK
         :version: HTTP/1.1
         cache-control: max-age=3600
         content-length: 0
         date: Wed, 01 Sep 2012 04:50:56 GMT
         last-modified: Wed, 01 Sep 2012 04:46:01 GMT
         server: spdyd spdylay/0.3.3
[id=1] [  2.560] send DATA frame (stream_id=1, flags=1, length=0)
[id=1] [  2.561] stream_id=1 closed
[id=1] [  2.562] recv GOAWAY frame <version=3, flags=0, length=8>
         (last_good_stream_id=0)
[id=1] [  2.564] closed


capture the SPDY session while accessing the SPDY server.
# /usr/local/bin/tshark -i eth0 port 443 -w spdy.pcap
Running as user "root" and group "root". This could be dangerous.
Capturing on eth0
23 ^C
#


access the SPDY server
# ./spdycat -nv https://192.168.10.120/index.html


nnn, can't decrypt.. needs to use weak cipher suites ??
# /usr/local/bin/tshark -r spdy.pcap -o "ssl.keys_list:192.168.10.120,443,http,server.key" -o ssl.debug_file:"/home/hattori/ssl-debug.log" -o "ssl.desegment_ssl_records: TRUE" -o "ssl.desegment_ssl_application_data: TRUE" -R "(tcp.port eq 443)"  | egrep -i get
tshark: Lua: Error during loading:
[string "/usr/local/share/wireshark/init.lua"]:45: dofile has been disabled
Running as user "root" and group "root". This could be dangerous.
#

Two things are worth noting here. The Lua message is a side effect of running tshark as root (the stock init.lua disables dofile for the superuser) and is not what blocks decryption. More importantly, the tshark -v output earlier says "without GnuTLS, without Gcrypt": Wireshark needs both libraries to decrypt SSL at all, so this build ignores ssl.keys_list whatever cipher suite was negotiated. Independently of that, a server RSA key can only decrypt sessions that used RSA key exchange; (EC)DHE suites give forward secrecy and cannot be decrypted with the server key.
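
Before chasing cipher suites it pays to ask the binary what it can do. The following is an added example (not from the post) that reads "tshark -v" output and reports whether the build has GnuTLS and Gcrypt, which Wireshark 1.x needs for any SSL decryption; "with GnuTLS ..." / "without GnuTLS" and "with Gcrypt ..." / "without Gcrypt" is the wording 1.x prints, and the sample text below is the -v output from earlier in this post, embedded as a constructed sample. Line wraps in the output are joined first, because -v wraps at roughly 80 columns and can split "without" from the library name.

```shell
#!/bin/sh
# Added example, not part of the post: does this tshark build support
# SSL decryption at all? Reads "tshark -v" text on stdin.

# 0 if the -v text shows a build with both GnuTLS and Gcrypt, 1 otherwise.
# "without GnuTLS" never matches "*with GnuTLS*", so one pattern per
# library suffices once the wrapped lines have been joined.
tshark_can_decrypt_ssl() {
    _v=$(tr '\n' ' ' | tr -s ' ')
    case "$_v" in *"with GnuTLS"*) ;; *) return 1 ;; esac
    case "$_v" in *"with Gcrypt"*) ;; *) return 1 ;; esac
    return 0
}

# Constructed sample: the "tshark -v" output of the build made in this post.
TSHARK_V_SAMPLE=$(cat <<'EOF'
TShark 1.7.1 (SVN Rev Unknown from unknown)

Compiled (64-bit) with GLib 2.32.3, with libpcap, with libz 1.2.3.4, without
POSIX capabilities, without SMI, without c-ares, without ADNS, without Lua,
without Python, without GnuTLS, without Gcrypt, without Kerberos, without GeoIP.
EOF
)

if printf '%s\n' "$TSHARK_V_SAMPLE" | tshark_can_decrypt_ssl; then
    echo "sample build: SSL decryption supported"
else
    echo "sample build: no GnuTLS/Gcrypt, ssl.keys_list will do nothing"
fi

# Check the binary actually installed on this machine (skipped when absent).
if command -v tshark >/dev/null 2>&1; then
    if tshark -v 2>/dev/null | tshark_can_decrypt_ssl; then
        echo "installed tshark: SSL decryption supported"
    else
        echo "installed tshark: built without GnuTLS/Gcrypt, rebuild with both installed"
    fi
fi
```

For the build above the fix is to install the development packages for gnutls and gcrypt (on 12.04 the Debian build-dep list pulls them in) and rebuild, then confirm with this check before trying ssl.keys_list again.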


try Apache mod_spdy...

on the server, install Apache and mod_spdy
# apt-get install apache2
# wget https://dl-ssl.google.com/dl/linux/direct/mod-spdy-beta_current_amd64.deb
# dpkg -i mod-spdy-beta_current_amd64.deb

# apache2ctl restart
# a2enmod default-ssl
# a2ensite default-ssl
# apache2ctl restart

# lsof -ni:443
COMMAND   PID     USER   FD   TYPE DEVICE SIZE/OFF NODE NAME
apache2 30246     root    6u  IPv6  35793      0t0  TCP *:https (LISTEN)
apache2 30557 www-data    6u  IPv6  35793      0t0  TCP *:https (LISTEN)
apache2 30558 www-data    6u  IPv6  35793      0t0  TCP *:https (LISTEN)



access the Apache server with spdycat. okay
# ./spdycat -nv https://192.168.10.120
[  0.009] NPN select next protocol: the remote server offers:
         * spdy/3
         * spdy/2
         * http/1.1
         * x-mod-spdy/0.9.2.2-350
         NPN selected the protocol: spdy/3
[  0.018] send SYN_STREAM frame <version=3, flags=1, length=106>
         (stream_id=1, assoc_stream_id=0, pri=3)
         :host: 192.168.10.120
         :method: GET
         :path: /
         :scheme: https
         :version: HTTP/1.1
         accept: */*
         user-agent: spdylay/0.3.3
[  0.020] recv SETTINGS frame <version=3, flags=0, length=12>
         (niv=1)
         [4(0):100]
[  0.020] recv SYN_REPLY frame <version=3, flags=0, length=181>
         (stream_id=1)
         :status: 200
         :version: HTTP/1.1
         accept-ranges: bytes
         content-encoding: gzip
         content-length: 146
         content-type: text/html
         date: Wed, 05 Sep 2012 08:02:54 GMT
         etag: "24405-b1-4c8ef96d32b09"
         last-modified: Wed, 01 Sep 2012 07:47:40 GMT
         server: Apache/2.2.22 (Ubuntu)
         vary: Accept-Encoding
         x-mod-spdy: 0.9.2.2-350
[  0.023] recv DATA frame (stream_id=1, flags=1, length=146)
[  0.023] send GOAWAY frame <version=3, flags=0, length=8>
         (last_good_stream_id=0)


nnn, I'm a little tired, I'll try this next time.
