SPDY Wireshark Plugin


Hasan Khalil

Apr 11, 2012, 7:48:44 PM
to spdy...@googlegroups.com
I've taken the spdyshark code from the chromium tree, updated it for use with SPDY 2 and recent versions of Wireshark, and made the results available at http://code.google.com/p/spdyshark -- for those interested, please file tickets there for any problems you encounter.

For those less familiar with how to use Wireshark, I'll post some basic usage instructions soon.

Hasan Khalil

May 3, 2012, 5:28:42 PM
to spdy...@googlegroups.com
Now updated with SPDY 3 support!

Stephen Donnelly

May 4, 2012, 2:04:56 AM
to spdy-dev
On Apr 12, 11:48 am, Hasan Khalil <hkha...@google.com> wrote:
> I've taken the spdyshark code from the chromium tree, updated it for use
> with SPDY 2 and recent versions of Wireshark, and made the results
> available at http://code.google.com/p/spdyshark -- for those interested,
> please file tickets there for any problems you encounter.

Have you considered submitting your plugin to the Wireshark project
directly? Or is it not considered stable yet?

The maintainers generally welcome new dissectors (preferred over
plugins), and if you get it in this month you should make the
Wireshark 1.8 stable release. There does not appear to be a SPDY
dissector in the Wireshark trunk currently.

Regards,
Stephen.

Hasan Khalil

May 4, 2012, 9:40:16 AM
to spdy...@googlegroups.com
I would love to submit it for inclusion in Wireshark proper and am working to make this happen.

    -Hasan

Hark Lee

May 5, 2012, 10:22:12 AM
to spdy...@googlegroups.com

so great
On May 4, 2012 at 5:28 AM, "Hasan Khalil" <hkh...@google.com> wrote:

Marcelo Fernandez

May 16, 2012, 12:07:08 AM
to spdy...@googlegroups.com
2012/5/3 Hasan Khalil <hkh...@google.com>:
Great!

I've found the plugin appears in Edit->Preferences->Protocols->SPDY
only if Wireshark is running as a normal user, and it isn't if
Wireshark is running as root; is this ok?

I'm using Ubuntu 12.04 x86_64, Wireshark 1.7.1 compiled from sources.

Regards
--
Marcelo F. Fernández
Buenos Aires, Argentina
Lic. en Sistemas de Información

E-Mail: ferna...@gmail.com
Web Site: http://www.marcelofernandez.info
Twitter: @fidelfernandez

Hark Lee

May 16, 2012, 7:45:18 AM
to spdy...@googlegroups.com
Does Wireshark for Windows support the SPDY protocol?

2012/5/16 Marcelo Fernandez <ferna...@gmail.com>

William Chan (陈智昌)

May 16, 2012, 8:53:34 AM
to spdy...@googlegroups.com
I think it hasn't been tested with Windows, so it probably doesn't work, but would not be difficult to port.

Hasan Khalil

May 16, 2012, 10:06:09 AM
to spdy...@googlegroups.com
This depends on where and how the plugin was installed; I cannot reproduce this issue.

Marcelo Fernandez

May 16, 2012, 10:26:57 AM
to spdy...@googlegroups.com
2012/5/16 Hasan Khalil <hkh...@google.com>:
> This depends on where and how the plugin was installed; I cannot reproduce
> this issue.
>
>
> On Wed May 16 00:07:08 GMT-400 2012, Marcelo Fernandez
> <ferna...@gmail.com> wrote:
>>
>> 2012/5/3 Hasan Khalil <hkh...@google.com>:
>> > Now updated with SPDY 3 support!
>> >
>> >
>> > On Wed Apr 11 19:48:44 GMT-400 2012, Hasan Khalil <hkh...@google.com>
>> > wrote:
>> >>
>> >> I've taken the spdyshark code from the chromium tree, updated it for use
>> >> with SPDY 2 and recent versions of Wireshark, and made the results
>> >> available
>> >> at http://code.google.com/p/spdyshark -- for those interested, please
>> >> file
>> >> tickets there for any problems you encounter.
>> >>
>> >> For those less familiar with how to use Wireshark, I'll post some basic
>> >> usage instructions soon.
>>
>> Great!
>>
>> I've found the plugin appears in Edit->Preferences->Protocols->SPDY
>> only if Wireshark is running as a normal user, and it isn't if
>> Wireshark is running as root; is this ok?
>>
>> I'm using Ubuntu 12.04 x86_64, Wireshark 1.7.1 compiled from sources.
>>

Ok, anyway I used setcap to give the dumpcap binary CAP_NET_RAW and
CAP_NET_ADMIN permissions [1]. This way I can use Wireshark as a user
and capture packets in promiscuous mode.

[1] sudo setcap 'CAP_NET_RAW+eip CAP_NET_ADMIN+eip' /usr/bin/dumpcap

Thank you
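
An added example, not part of the original message: a shell check that a dumpcap binary set up as in [1] carries only the two capabilities named there. It parses `getcap` output in both the older `path = caps+eip` and the newer `path caps=eip` form; the function name, the constructed sample lines and the assumption that the path contains no spaces are this example's own.

```shell
#!/bin/sh
# Audit one line of `getcap` output for a capture helper such as dumpcap.
# On a real host: check_capture_caps "$(getcap /usr/bin/dumpcap)"

# The capabilities granted by the setcap command quoted in the thread.
ALLOWED_CAPS="cap_net_raw cap_net_admin"

# Returns 0 if only ALLOWED_CAPS are granted, 1 if no file capabilities
# are set, 2 if any other capability is present. Prints a one-line verdict.
check_capture_caps() {
    line=$1
    extra=""
    granted=""
    case $line in
        *" "*) ;;                                   # "path caps..." present
        *) echo "no file capabilities set"; return 1 ;;
    esac
    rest=${line#* }                                 # drop the path (assumes no spaces)
    for clause in $rest; do
        names=${clause%%[+=]*}                      # strip "+eip" / "=eip"; bare "=" becomes empty
        for cap in $(printf '%s' "$names" | tr ',' ' '); do
            granted=1
            case " $ALLOWED_CAPS " in
                *" $cap "*) ;;
                *) extra="$extra $cap" ;;
            esac
        done
    done
    if [ -z "$granted" ]; then
        echo "no file capabilities set"; return 1
    fi
    if [ -n "$extra" ]; then
        echo "unexpected capabilities:$extra"; return 2
    fi
    echo "ok: only $ALLOWED_CAPS"
}

# Constructed sample lines (not captured from a real system).
while IFS= read -r sample; do
    check_capture_caps "$sample" || echo "  (status $?)"
done <<'EOF'
/usr/bin/dumpcap = cap_net_admin,cap_net_raw+eip
/usr/bin/dumpcap cap_net_admin,cap_net_raw=eip
/usr/bin/dumpcap cap_dac_override,cap_net_admin,cap_net_raw=eip
EOF
```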

Hasan Khalil

May 16, 2012, 10:29:58 AM
to spdy...@googlegroups.com
As an aside, this is a much better way of doing things anyway...

s1mp

May 22, 2012, 9:46:58 AM
to spdy...@googlegroups.com
I've tried SPDYShark two times but never got a result...
I compiled Wireshark with the SPDY plugin and started it successfully but never got a SPDY packet with it and I am sure my server and the client talk SPDY...
Do you have any results?

Marcelo Fernandez

May 22, 2012, 12:05:17 PM
to spdy...@googlegroups.com
2012/5/22 s1mp <e.goe...@googlemail.com>:
> I've tried SPDYShark two times but never got a result...
> I compiled Wireshark with the SPDY plugin and started it successfully but
> never got a SPDY packet with it and I am sure my server and the client talk
> SPDY...
> Do you have any results?

If you are using SPDY over SSL (usually required by Chrome/Firefox),
you must decrypt the SSL session first. See:

http://japhr.blogspot.com.ar/2011/05/ssl-that-can-be-sniffed-by-wireshark.html

However, I've found a bug (don't know if the main developer saw it yet):

http://code.google.com/p/spdyshark/issues/detail?id=1

Regards

Hasan Khalil

May 22, 2012, 1:34:02 PM
to spdy...@googlegroups.com
Thanks for pointing me at said bug. Apparently Google Code doesn't automatically notify the project creator with new issues on said project -- it's opt-in only. Well, I've opted in now.

Please file an issue via http://code.google.com/p/spdyshark/issues if you find any other issues. Thanks!

Marcelo Fernandez

May 22, 2012, 2:22:48 PM
to spdy...@googlegroups.com
2012/5/22 Hasan Khalil <hkh...@google.com>:
> Thanks for pointing me at said bug. Apparently Google Code doesn't
> automatically notify the project creator with new issues on said project --
> it's opt-in only. Well, I've opted in now.

Great, I thought you were on vacation or something like that :-P

> Please file an issue via http://code.google.com/p/spdyshark/issues if you
> find any other issues. Thanks!

Ok, I've uploaded the key and the pcap example so you can reproduce
this problem.

Thank you

Hasan Khalil

May 22, 2012, 3:37:31 PM
to spdy...@googlegroups.com
Perfect, thanks!