gowrishankar
2016-Jan-07 07:05 UTC
Re: [libvirt-users] unable to dissect libvirt rpc packets using wireshark plugin
Hi Michal, Thank you for your suggestion. My apologies that I took sometime to get back on further confirmation. Regrettably, my tshark is still unable to find libvirt payload inside packet capture, though it lists libvirt as a possible filter. # rpm -ql libvirt-wireshark-1.2.9.3-2.fc21.x86_64 /usr/lib64/wireshark/plugins/1.12.5/libvirt.so As I used wireshark 1.12.6 version, I created 1.12.6 directory under plugins and copied above .so. /usr/lib64/wireshark/plugins/1.12.6/libvirt.so # tshark -G protocols | grep -i libvirt Libvirt libvirt libvirt # tshark -r libvirt.pcap libvirt # Are there any dependency between libvirt and wireshark dissector mechanism to co-exist and work together (ie. whether the above libvirt-wireshark missing some changes that dissector expecting ??). If you have sample pcap to recheck my wireshark/tshark, could you please share with me ? Regards, Gowrishankar On Thursday 29 October 2015 06:18 PM, Michal Privoznik wrote:> On 26.10.2015 11:38, gowrishankar wrote: >> Hi, >> I am trying libvirt plugin in wireshark to dissect RPC payload in TCP, but >> finding dissector code not really working. >> >> My env is Fedora core 21 (x86_64) and installed packages are as follow: >> >> wireshark-1.12.6-1.fc21.x86_64 >> libvirt-wireshark-1.2.9.3-2.fc21.x86_64 >> >> >> Earlier, just after installation, I noticed libvirt.so available only in >> /usr/lib64/wireshark/plugins/1.12.5/ . Wireshark could not load libvirt >> plugin. > Yes, this is inherently broken. See my patch that I've just proposed: > > https://www.redhat.com/archives/libvir-list/2015-October/msg00852.html > >> So, I copied above .so into 1.12.6/ under same plugins folder, following it >> wireshark could list libvirt as supported protocol. >> >> tshark -G protocols | grep libvirt >> Libvirt libvirt libvirt >> >> However, on checking with some pcaps which has libvirt RPC calls >> captured on >> wire, wireshark does not list libvirt RPC packets, as I search for >> "libvirt" >> protocol in pcap. > What is the command you're trying? Because if I copy the plugin over to > the correct directory it seems to be working for me. > >> Have anyone experienced this before or if you have any pointer that I could >> check in my env, that would be very helpful. >> > Michal > > >
Michal Privoznik
2016-Jan-07 10:21 UTC
Re: [libvirt-users] unable to dissect libvirt rpc packets using wireshark plugin
On 07.01.2016 08:05, gowrishankar wrote:> Hi Michal, > Thank you for your suggestion. My apologies that I took sometime to get > back > on further confirmation. Regrettably, my tshark is still unable to find > libvirt payload > inside packet capture, though it lists libvirt as a possible filter. > > # rpm -ql libvirt-wireshark-1.2.9.3-2.fc21.x86_64 > /usr/lib64/wireshark/plugins/1.12.5/libvirt.so > > As I used wireshark 1.12.6 version, I created 1.12.6 directory > under plugins and copied above .so. > /usr/lib64/wireshark/plugins/1.12.6/libvirt.so > > # tshark -G protocols | grep -i libvirt > Libvirt libvirt libvirt > > # tshark -r libvirt.pcap libvirt > # >Interesting. This indeed may be that your pcap file does not contain any libvirt packets. Esp. if you tested it locally - if you haven't specified to use TCP stack, UNIX socket is used by default.> Are there any dependency between libvirt and wireshark dissector > mechanism to co-exist and > work together (ie. whether the above libvirt-wireshark missing some > changes that dissector > expecting ??). If you have sample pcap to recheck my wireshark/tshark, > could you please > share with me ?Sure: https://mprivozn.fedorapeople.org/libvirt.pcap $ tshark -r libvirt.pcap libvirt | tail -n1 89 29.520014062 ::1 -> ::1 Libvirt 114 Prog=REMOTE Proc=CONNECT_CLOSE Type=REPLY Serial=32 Status=OK So I can get 89 libvirt packets from the dump. Michal
gowrishankar
2016-Jan-07 11:18 UTC
Re: [libvirt-users] unable to dissect libvirt rpc packets using wireshark plugin
Thank you Michal. With your pcap, I could confirm that, libvirt dissector worked in my environment as well. Yes, it could be that, my pcap do not have libvirt rpc packets correctly though I would have expected. I am checking on it. Regards, Gowrishankar On Thursday 07 January 2016 03:51 PM, Michal Privoznik wrote:> On 07.01.2016 08:05, gowrishankar wrote: >> Hi Michal, >> Thank you for your suggestion. My apologies that I took sometime to get >> back >> on further confirmation. Regrettably, my tshark is still unable to find >> libvirt payload >> inside packet capture, though it lists libvirt as a possible filter. >> >> # rpm -ql libvirt-wireshark-1.2.9.3-2.fc21.x86_64 >> /usr/lib64/wireshark/plugins/1.12.5/libvirt.so >> >> As I used wireshark 1.12.6 version, I created 1.12.6 directory >> under plugins and copied above .so. >> /usr/lib64/wireshark/plugins/1.12.6/libvirt.so >> >> # tshark -G protocols | grep -i libvirt >> Libvirt libvirt libvirt >> >> # tshark -r libvirt.pcap libvirt >> # >> > Interesting. This indeed may be that your pcap file does not contain any > libvirt packets. Esp. if you tested it locally - if you haven't > specified to use TCP stack, UNIX socket is used by default. > >> Are there any dependency between libvirt and wireshark dissector >> mechanism to co-exist and >> work together (ie. whether the above libvirt-wireshark missing some >> changes that dissector >> expecting ??). If you have sample pcap to recheck my wireshark/tshark, >> could you please >> share with me ? > Sure: > > https://mprivozn.fedorapeople.org/libvirt.pcap > > $ tshark -r libvirt.pcap libvirt | tail -n1 > 89 29.520014062 ::1 -> ::1 Libvirt 114 Prog=REMOTE > Proc=CONNECT_CLOSE Type=REPLY Serial=32 Status=OK > > So I can get 89 libvirt packets from the dump. > > Michal > > >
Reasonably Related Threads
- Re: unable to dissect libvirt rpc packets using wireshark plugin
- Re: unable to dissect libvirt rpc packets using wireshark plugin
- Re: unable to dissect libvirt rpc packets using wireshark plugin
- unable to dissect libvirt rpc packets using wireshark plugin
- Re: unable to dissect libvirt rpc packets using wireshark plugin