Splitshark – split Wireshark setup prototype

Vít Šesták

Jun 5, 2017, 12:01:06 PM6/5/17
to qubes-users
Wireshark is a great tool. It analyzes all the traffic and parses various formats… And this is also exactly what's wrong with it. The parsers are complex and potentially vulnerable (well, [1] suggests that “potentially” is maybe an understatement) and the attacker can often choose which parser will be used. (Well, it depends on the attacker's position.)

In Qubes, I see no ideal place to run Wireshark (sys-net, sys-firewall, ProxyVMs, AppVMs); there are just more wrong places and less wrong places. So, I have decided to split Wireshark into two halves:

1. Capture – this one captures all traffic from the selected VM.
2. GUI – this part analyzes all the traffic, runs various parsers etc.

The benefit is that the most complex part is isolated in a DVM. (BTW, it seems that a similar setup is recommended even on the Wireshark wiki.[2]) Of course, this does not mean an attacker can gain nothing by a successful attack. For example, if the plain HTTP analyzer is seriously vulnerable, an attacker without access to the local network can read your local network communication through this vulnerability. Also, the attacker can try altering the past communication. Also, she can try various attacks like GUI spoofing and it is up to the user whether the attack is detected. And so on. But the attacker's capabilities are now pretty limited.

I've decided to capture it via dumpcap and not via tcpdump. The former is used in Wireshark anyway (so it is more clear that it is a pure improvement from the security PoV) and reportedly tcpdump is more complex and able to perform some analysis, so I expect it to be more likely to be vulnerable.

Splitshark's code is now pretty trivial, essentially a Bash one-liner:

#!/bin/bash
# safety settings
set -u
set -e
set -o pipefail

# Assumes that both this VM and the target VM have added the default user
# to the "wireshark" (or similar) group, so the user has enough permission
# to run dumpcap.
# dumpcap: -P writes classic pcap format, -w - writes to stdout; any extra
# arguments (e.g. the interface selection) are passed through from the
# command line.
# "\$dispvm" is escaped so the literal DispVM target name reaches qvm-run.
# wireshark: -k starts capturing immediately, -i - reads the capture from
# stdin.
dumpcap -P -w - "$@" | qvm-run \$dispvm 'wireshark -k -i -'


Well, when you remove all comments, the hashbang and the safety settings, it is really a one-liner. Since there is just little original invention, I don't think the line is copyrightable and I am giving this as public domain, without any warranty.

Current drawbacks:

* When you exit the GUI, dumpcap does not exit until it tries to send a packet. I am not sure if this can be fixed in Bash.
* Capture restart does not work.
* The user can try to stop the capture and start a new one. This will, however, capture traffic from the DVM (usually almost no traffic).
* When you try to save the capture, it offers you saving to the DVM. Be careful, such data are not very persistent.
* TLS decryption [3] will not work so easily; you'll probably have to pipe it between the two VMs and maybe you'll have to involve dom0 a bit.
* Maybe others; it is rather a draft for those who are aware of the inherent limitations.

Logo: Unfortunately, I haven't drawn one. Contributions are welcome, but no live animal (especially a shark) must be harmed! Moreover, no shark shall be brought to Croatia.[4]

Regards,
Vít Šesták 'v6ak'

[1] https://www.wireshark.org/security/
[2] https://wiki.wireshark.org/Security
[3] https://wiki.wireshark.org/SSL#Using_the_.28Pre.29-Master-Secret
[4] https://en.wikipedia.org/wiki/Split,_Croatia
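The first drawback listed in the post (dumpcap lingering after the Wireshark window is closed) is a process-control question rather than a Wireshark one, so here is an added example, mine and not part of the post or of Splitshark, of a wrapper that terminates the capture side as soon as the DispVM side exits. The function names run_piped and splitshark, the LAST_PRODUCER_PID variable and the FIFO approach are my own; the dumpcap and qvm-run invocations are taken unchanged from the post.

```shell
#!/bin/bash
# Added example, not part of the original post: a wrapper for the first
# drawback (dumpcap lingers after the Wireshark window is closed, until the
# next packet raises SIGPIPE). The producer runs in the background and is
# killed as soon as the consumer exits.
set -u

# run_piped CONSUMER_CMD PRODUCER...
# PRODUCER (a command plus its arguments) writes into a private FIFO; the
# CONSUMER_CMD string (run via bash -c) reads from it. Returns the
# consumer's exit status and terminates the producer right afterwards.
# The producer's PID is left in LAST_PRODUCER_PID so callers can check it.
run_piped() {
    local consumer=$1 dir fifo status
    shift
    dir=$(mktemp -d)
    fifo=$dir/pipe
    mkfifo -m 600 "$fifo"
    "$@" > "$fifo" &
    LAST_PRODUCER_PID=$!
    # capture the status explicitly so the cleanup below runs even when
    # the consumer fails or the caller has errexit enabled
    if bash -c "$consumer" < "$fifo"; then status=0; else status=$?; fi
    kill "$LAST_PRODUCER_PID" 2>/dev/null || true
    wait "$LAST_PRODUCER_PID" 2>/dev/null || true
    rm -rf "$dir"
    return "$status"
}

# splitshark DUMPCAP_ARGS...
# The post's pipeline: dumpcap is the producer, the DispVM Wireshark is the
# consumer. '$dispvm' stays single-quoted so the literal target name from
# the post's one-liner reaches qvm-run instead of being expanded here.
splitshark() {
    run_piped "qvm-run '\$dispvm' 'wireshark -k -i -'" dumpcap -P -w - "$@"
}

# Usage in the capture VM, with the same arguments you would give dumpcap:
#   splitshark "$@"
```

The producer is killed explicitly after the consumer returns, so dumpcap no longer has to wait for the next packet to notice that its reader is gone.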