gowrishankar
2015-Oct-26 10:38 UTC
[libvirt-users] unable to dissect libvirt rpc packets using wireshark plugin
Hi,

I am trying the libvirt plugin in wireshark to dissect RPC payload in TCP, but finding the dissector code not really working.

My env is Fedora core 21 (x86_64) and the installed packages are as follows:

    wireshark-1.12.6-1.fc21.x86_64
    libvirt-wireshark-1.2.9.3-2.fc21.x86_64

Earlier, just after installation, I noticed libvirt.so available only in /usr/lib64/wireshark/plugins/1.12.5/ . Wireshark could not load the libvirt plugin.

So, I copied the above .so into 1.12.6/ under the same plugins folder; following that, wireshark could list libvirt as a supported protocol.

    tshark -G protocols | grep libvirt
    Libvirt libvirt libvirt

However, on checking with some pcaps which have libvirt RPC calls captured on the wire, wireshark does not list libvirt RPC packets when I search for the "libvirt" protocol in the pcap.

Has anyone experienced this before? If you have any pointer that I could check in my env, that would be very helpful.

--
Regards,
Gowrishankar M
Michal Privoznik
2015-Oct-29 12:48 UTC
Re: [libvirt-users] unable to dissect libvirt rpc packets using wireshark plugin
On 26.10.2015 11:38, gowrishankar wrote:
> Hi,
> I am trying libvirt plugin in wireshark to dissect RPC payload in TCP, but
> finding dissector code not really working.
>
> My env is Fedora core 21 (x86_64) and installed packages are as follow:
>
> wireshark-1.12.6-1.fc21.x86_64
> libvirt-wireshark-1.2.9.3-2.fc21.x86_64
>
> Earlier, just after installation, I noticed libvirt.so available only in
> /usr/lib64/wireshark/plugins/1.12.5/ . Wireshark could not load libvirt
> plugin.

Yes, this is inherently broken. See my patch that I've just proposed:

https://www.redhat.com/archives/libvir-list/2015-October/msg00852.html

> So, I copied above .so into 1.12.6/ under same plugins folder, following it
> wireshark could list libvirt as supported protocol.
>
> tshark -G protocols | grep libvirt
> Libvirt libvirt libvirt
>
> However, on checking with some pcaps which has libvirt RPC calls
> captured on
> wire, wireshark does not list libvirt RPC packets, as I search for
> "libvirt"
> protocol in pcap.

What is the command you're trying? Because if I copy the plugin over to the correct directory it seems to be working for me.

> Have anyone experienced this before or if you have any pointer that I could
> check in my env, that would be very helpful.

Michal
gowrishankar
2016-Jan-07 07:05 UTC
Re: [libvirt-users] unable to dissect libvirt rpc packets using wireshark plugin
Hi Michal,

Thank you for your suggestion. My apologies that I took some time to get back with further confirmation.

Regrettably, my tshark is still unable to find the libvirt payload inside the packet capture, though it lists libvirt as a possible filter.

    # rpm -ql libvirt-wireshark-1.2.9.3-2.fc21.x86_64
    /usr/lib64/wireshark/plugins/1.12.5/libvirt.so

As I used wireshark version 1.12.6, I created a 1.12.6 directory under plugins and copied the above .so:

    /usr/lib64/wireshark/plugins/1.12.6/libvirt.so

    # tshark -G protocols | grep -i libvirt
    Libvirt libvirt libvirt
    # tshark -r libvirt.pcap libvirt
    #

Is there any dependency between libvirt and the wireshark dissector mechanism for them to co-exist and work together (i.e. whether the above libvirt-wireshark is missing some changes that the dissector is expecting)?

If you have a sample pcap to recheck my wireshark/tshark, could you please share it with me?

Regards,
Gowrishankar

On Thursday 29 October 2015 06:18 PM, Michal Privoznik wrote:
> On 26.10.2015 11:38, gowrishankar wrote:
>> Hi,
>> I am trying libvirt plugin in wireshark to dissect RPC payload in TCP, but
>> finding dissector code not really working.
>>
>> My env is Fedora core 21 (x86_64) and installed packages are as follow:
>>
>> wireshark-1.12.6-1.fc21.x86_64
>> libvirt-wireshark-1.2.9.3-2.fc21.x86_64
>>
>> Earlier, just after installation, I noticed libvirt.so available only in
>> /usr/lib64/wireshark/plugins/1.12.5/ . Wireshark could not load libvirt
>> plugin.
> Yes, this is inherently broken. See my patch that I've just proposed:
>
> https://www.redhat.com/archives/libvir-list/2015-October/msg00852.html
>
>> So, I copied above .so into 1.12.6/ under same plugins folder, following it
>> wireshark could list libvirt as supported protocol.
>>
>> tshark -G protocols | grep libvirt
>> Libvirt libvirt libvirt
>>
>> However, on checking with some pcaps which has libvirt RPC calls
>> captured on
>> wire, wireshark does not list libvirt RPC packets, as I search for
>> "libvirt"
>> protocol in pcap.
> What is the command you're trying? Because if I copy the plugin over to
> the correct directory it seems to be working for me.
>
>> Have anyone experienced this before or if you have any pointer that I could
>> check in my env, that would be very helpful.
>>
> Michal
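The version-directory mismatch discussed in this thread can be detected mechanically. The script below is an added example, not part of any message in the thread or of libvirt: it reads a package file list and flags plugin files installed under a directory that does not match the running Wireshark version. The function names are hypothetical, and it assumes the `plugins/<version>/<name>.so` layout shown in the thread.

```shell
#!/bin/sh
# Constructed sample: the file list printed by `rpm -ql` in the thread.
SAMPLE_FILES='/usr/lib64/wireshark/plugins/1.12.5/libvirt.so'

# Print the version directory of a Wireshark plugin path, i.e. the
# component directly under .../wireshark/plugins/. Prints nothing for
# paths that are not plugin shared objects in that layout.
plugin_dir_version() {
    printf '%s\n' "$1" |
        sed -n 's|^.*/wireshark/plugins/\([^/]*\)/[^/]*\.so$|\1|p'
}

# Read a file list on stdin and compare each plugin's directory with the
# running Wireshark version given as $1 (e.g. the number from `tshark -v`).
# Prints one line per plugin and returns 1 if any plugin is misplaced.
check_plugins() {
    want=$1
    rc=0
    while IFS= read -r path || [ -n "$path" ]; do
        have=$(plugin_dir_version "$path")
        [ -n "$have" ] || continue          # skip docs and other files
        if [ "$have" = "$want" ]; then
            echo "OK $path"
        else
            echo "MISMATCH $path (built for $have, running $want)"
            rc=1
        fi
    done
    return $rc
}

# Demo on the constructed sample with the Wireshark version from the thread.
# On a live system: rpm -ql libvirt-wireshark | check_plugins <version>
printf '%s\n' "$SAMPLE_FILES" | check_plugins 1.12.6 || true
```

A mismatch only explains why the plugin is not loaded; as the thread shows, the capture may still go undissected after the .so is placed in the matching directory.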