{"id":5684,"date":"2014-04-24T09:05:47","date_gmt":"2014-04-24T07:05:47","guid":{"rendered":"http:\/\/daniel.haxx.se\/blog\/?p=5684"},"modified":"2014-04-24T09:09:04","modified_gmt":"2014-04-24T07:09:04","slug":"wireshark-dissector-work","status":"publish","type":"post","link":"https:\/\/daniel.haxx.se\/blog\/2014\/04\/24\/wireshark-dissector-work\/","title":{"rendered":"Wireshark dissector work"},"content":{"rendered":"<p><a href=\"http:\/\/www.wireshark.org\/\"><img loading=\"lazy\" decoding=\"async\" class=\"alignright size-full wp-image-5686\" title=\"Wireshark\" src=\"http:\/\/daniel.haxx.se\/blog\/wp-content\/uploads\/2014\/04\/Wireshark.png\" alt=\"Wireshark\" width=\"200\" height=\"200\" srcset=\"https:\/\/daniel.haxx.se\/blog\/wp-content\/uploads\/2014\/04\/Wireshark.png 200w, https:\/\/daniel.haxx.se\/blog\/wp-content\/uploads\/2014\/04\/Wireshark-150x150.png 150w\" sizes=\"auto, (max-width: 200px) 100vw, 200px\" \/><\/a>Recently I cloned the <a href=\"http:\/\/www.wireshark.org\/develop.html\">Wireshark git repository<\/a> and started updating the http2 dissector. That&#8217;s the piece of code that gets called to analyze a stream of data that Wireshark thinks is http2.<\/p>\n<p>The current http2 dissector was left at draft-09 state, while the <a href=\"http:\/\/tools.ietf.org\/html\/draft-ietf-httpbis-http2-11\">current draft at the time was number 11<\/a> and there have been <a href=\"http:\/\/daniel.haxx.se\/blog\/2014\/03\/08\/httpbis-design-team-meeting-london\/\">several changes<\/a> on the binary format since, so any reasonably updated client or server would send or receive byte streams that Wireshark couldn&#8217;t properly display.<\/p>\n<p>I never wrote any dissector code before but I must say Wireshark didn&#8217;t disappoint. It was straightforward and mostly downright easy to fix most of the wrong details. 
I&#8217;m not pretending to be a master at this nor is the dissector code anywhere near &#8220;finished&#8221; yet but I still enjoyed the API and how to write a thing like this.<\/p>\n<p>I&#8217;ve since dissected plain-text http2 streams that I&#8217;ve done with curl+nghttp2 and I&#8217;ve also used the <a href=\"https:\/\/developer.mozilla.org\/en-US\/docs\/NSS_Key_Log_Format\">SSLKEYLOGFILE trick<\/a> with Firefox to automatically decrypt the TLS session and have the dissector figure out the underlying http2 parts.<\/p>\n<p>If there&#8217;s any little snag to mention, it is the fact that they insist on getting patches submitted <a href=\"http:\/\/www.wireshark.org\/docs\/wsdg_html_chunked\/ChSrcContribute.html#ChSrcSend\">directly to gerrit<\/a> instead of any mailing list or similar. This required me to create a gerrit account, and really figure out how to push my stuff from git to there, instead of the more traditional and simpler approach of just sending my patch to a mailing list or possibly submitting it to a bug\/patch tracker somewhere with my browser.<\/p>\n<p>Call me old-style but in fact the hip way of today with a pull-request github style would also have been much easier. Here&#8217;s what <a href=\"https:\/\/code.wireshark.org\/review\/#\/c\/1295\/\">my gerrit submission<\/a> looks like. But I get it, gerrit does push a little more work over to the submitter and I figure that once a submitter such as myself finally has fixed all the nits in the patch it is very easy for the project to actually merge it. I actually got someone else to help me point out how to even find the link to view the code review after the first one was submitted on the site&#8230; (when I post this, my patch has not yet been accepted or merged into the wireshark git repo)<\/p>\n<p>Here&#8217;s a basic screenshot showing a trace of Firefox requesting <a href=\"https:\/\/nghttp2.org\">https:\/\/nghttp2.org<\/a> using http2. 
Click it for the full thing.<\/p>\n<p style=\"text-align: center;\"><a href=\"http:\/\/daniel.haxx.se\/blog\/wp-content\/uploads\/2014\/04\/wireshark-screenshot.png\"><img loading=\"lazy\" decoding=\"async\" class=\"size-medium wp-image-5696  aligncenter\" title=\"wireshark-screenshot\" src=\"http:\/\/daniel.haxx.se\/blog\/wp-content\/uploads\/2014\/04\/wireshark-screenshot-300x270.png\" alt=\"wireshark-screenshot\" width=\"300\" height=\"270\" srcset=\"https:\/\/daniel.haxx.se\/blog\/wp-content\/uploads\/2014\/04\/wireshark-screenshot-300x270.png 300w, https:\/\/daniel.haxx.se\/blog\/wp-content\/uploads\/2014\/04\/wireshark-screenshot-150x135.png 150w, https:\/\/daniel.haxx.se\/blog\/wp-content\/uploads\/2014\/04\/wireshark-screenshot-1024x924.png 1024w, https:\/\/daniel.haxx.se\/blog\/wp-content\/uploads\/2014\/04\/wireshark-screenshot.png 1159w\" sizes=\"auto, (max-width: 300px) 100vw, 300px\" \/><\/a><\/p>\n<p style=\"text-align: justify;\">.. and what happens this morning my time? There&#8217;s a brand new <a href=\"http:\/\/tools.ietf.org\/html\/draft-ietf-httpbis-http2-12\">http2 draft-12<\/a> out with more changes on the on-the-wire format! Well to be honest, that really wasn&#8217;t a surprise. I&#8217;ll get the new stuff supported too, but I&#8217;ll do that in a separate patch as I prefer to hold off until I see a live stream by at least one implementation to test against.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>Recently I cloned the Wireshark git repository and started updating the http2 dissector. That&#8217;s the piece of code that gets called to analyze a stream of data that Wireshark thinks is http2. 
The current http2 dissector was left at draft-09 state, while the current draft at the time was number 11 and there have been &hellip; <a href=\"https:\/\/daniel.haxx.se\/blog\/2014\/04\/24\/wireshark-dissector-work\/\" class=\"more-link\">Continue reading <span class=\"screen-reader-text\">Wireshark dissector work<\/span> <span class=\"meta-nav\">&rarr;<\/span><\/a><\/p>\n","protected":false},"author":5,"featured_media":0,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[6],"tags":[33,86,369,385],"class_list":["post-5684","post","type-post","status-publish","format-standard","hentry","category-floss","tag-curl-and-libcurl","tag-firefox","tag-http2","tag-wireshark"],"_links":{"self":[{"href":"https:\/\/daniel.haxx.se\/blog\/wp-json\/wp\/v2\/posts\/5684","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/daniel.haxx.se\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/daniel.haxx.se\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/daniel.haxx.se\/blog\/wp-json\/wp\/v2\/users\/5"}],"replies":[{"embeddable":true,"href":"https:\/\/daniel.haxx.se\/blog\/wp-json\/wp\/v2\/comments?post=5684"}],"version-history":[{"count":21,"href":"https:\/\/daniel.haxx.se\/blog\/wp-json\/wp\/v2\/posts\/5684\/revisions"}],"predecessor-version":[{"id":5706,"href":"https:\/\/daniel.haxx.se\/blog\/wp-json\/wp\/v2\/posts\/5684\/revisions\/5706"}],"wp:attachment":[{"href":"https:\/\/daniel.haxx.se\/blog\/wp-json\/wp\/v2\/media?parent=5684"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/daniel.haxx.se\/blog\/wp-json\/wp\/v2\/categories?post=5684"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/daniel.haxx.se\/blog\/wp-json\/wp\/v2\/tags?post=5684"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}