gowrishankar
2016-Jan-07 07:05 UTC
Re: [libvirt-users] unable to dissect libvirt rpc packets using wireshark plugin
Hi Michal,
Thank you for your suggestion. My apologies that I took some time to get back
on further confirmation. Regrettably, my tshark is still unable to find
libvirt payload inside packet capture, though it lists libvirt as a possible filter.
# rpm -ql libvirt-wireshark-1.2.9.3-2.fc21.x86_64
/usr/lib64/wireshark/plugins/1.12.5/libvirt.so
As I used wireshark 1.12.6 version, I created 1.12.6 directory
under plugins and copied above .so.
/usr/lib64/wireshark/plugins/1.12.6/libvirt.so
# tshark -G protocols | grep -i libvirt
Libvirt libvirt libvirt
# tshark -r libvirt.pcap libvirt
#
Are there any dependencies between libvirt and the wireshark dissector
mechanism to co-exist and work together (i.e. whether the above
libvirt-wireshark is missing some changes that the dissector is expecting?).
If you have a sample pcap to recheck my wireshark/tshark, could you please
share it with me?
Regards,
Gowrishankar
On Thursday 29 October 2015 06:18 PM, Michal Privoznik
wrote:
> On 26.10.2015 11:38, gowrishankar wrote:
>> Hi,
>> I am trying libvirt plugin in wireshark to dissect RPC payload in TCP, but
>> finding dissector code not really working.
>>
>> My env is Fedora core 21 (x86_64) and installed packages are as follow:
>>
>> wireshark-1.12.6-1.fc21.x86_64
>> libvirt-wireshark-1.2.9.3-2.fc21.x86_64
>>
>>
>> Earlier, just after installation, I noticed libvirt.so available only in
>> /usr/lib64/wireshark/plugins/1.12.5/ . Wireshark could not load libvirt
>> plugin.
> Yes, this is inherently broken. See my patch that I've just proposed:
>
> https://www.redhat.com/archives/libvir-list/2015-October/msg00852.html
>
>> So, I copied above .so into 1.12.6/ under same plugins folder, following it
>> wireshark could list libvirt as supported protocol.
>>
>> tshark -G protocols | grep libvirt
>> Libvirt libvirt libvirt
>>
>> However, on checking with some pcaps which has libvirt RPC calls
>> captured on
>> wire, wireshark does not list libvirt RPC packets, as I search for
>> "libvirt"
>> protocol in pcap.
> What is the command you're trying? Because if I copy the plugin over to
> the correct directory it seems to be working for me.
>
>> Has anyone experienced this before, or if you have any pointer that I could
>> check in my env, that would be very helpful.
>>
> Michal
>
>
>
Michal Privoznik
2016-Jan-07 10:21 UTC
Re: [libvirt-users] unable to dissect libvirt rpc packets using wireshark plugin
On 07.01.2016 08:05, gowrishankar wrote:
> Hi Michal,
> Thank you for your suggestion. My apologies that I took some time to get
> back on further confirmation. Regrettably, my tshark is still unable to find
> libvirt payload inside packet capture, though it lists libvirt as a possible filter.
>
> # rpm -ql libvirt-wireshark-1.2.9.3-2.fc21.x86_64
> /usr/lib64/wireshark/plugins/1.12.5/libvirt.so
>
> As I used wireshark 1.12.6 version, I created 1.12.6 directory
> under plugins and copied above .so.
> /usr/lib64/wireshark/plugins/1.12.6/libvirt.so
>
> # tshark -G protocols | grep -i libvirt
> Libvirt libvirt libvirt
>
> # tshark -r libvirt.pcap libvirt
> #

Interesting. This indeed may be that your pcap file does not contain any
libvirt packets. Esp. if you tested it locally - if you haven't
specified to use TCP stack, UNIX socket is used by default.

> Are there any dependencies between libvirt and the wireshark dissector
> mechanism to co-exist and work together (i.e. whether the above
> libvirt-wireshark is missing some changes that the dissector is expecting?).
> If you have a sample pcap to recheck my wireshark/tshark, could you please
> share it with me?

Sure:

https://mprivozn.fedorapeople.org/libvirt.pcap

$ tshark -r libvirt.pcap libvirt | tail -n1
89 29.520014062 ::1 -> ::1 Libvirt 114 Prog=REMOTE Proc=CONNECT_CLOSE Type=REPLY Serial=32 Status=OK

So I can get 89 libvirt packets from the dump.

Michal
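Added example, not part of the thread and not libvirt's or Wireshark's own code: a small Python decoder for the libvirt RPC message header, i.e. the Prog/Proc/Type/Serial/Status fields the dissector prints above. Run over the reassembled TCP payload of a capture, it tells you whether there is any libvirt RPC in the bytes at all, which is the situation Michal describes when a local client goes through the default UNIX socket. Assumed: the wire constants from libvirt's virnetprotocol.x and remote_protocol.x (REMOTE program 0x20008086, protocol version 1, CONNECT_CLOSE is procedure 2); the sample bytes are constructed.

```python
import struct
from typing import List, NamedTuple

# Wire constants from libvirt's src/rpc/virnetprotocol.x and src/remote/remote_protocol.x.
REMOTE_PROGRAM = 0x20008086
REMOTE_PROTOCOL_VERSION = 1
HEADER_LEN = 28  # 4-byte length prefix + six 4-byte XDR header fields (big-endian)
MSG_TYPES = {0: "CALL", 1: "REPLY", 2: "MESSAGE", 3: "STREAM", 4: "CALL_WITH_FDS", 5: "REPLY_WITH_FDS"}
MSG_STATUS = {0: "OK", 1: "ERROR", 2: "CONTINUE"}
PROC_NAMES = {1: "CONNECT_OPEN", 2: "CONNECT_CLOSE"}  # small subset of the REMOTE procedure table

class RpcHeader(NamedTuple):
    prog: str
    proc: str
    type: str
    serial: int
    status: str
    payload_len: int

def parse_libvirt_rpc(stream: bytes) -> List[RpcHeader]:
    """Decode every libvirt RPC header in a reassembled TCP payload.

    Scanning stops at the first message that fails the sanity checks, so an empty
    list means the bytes are not libvirt RPC at all (e.g. the client went through
    the default UNIX socket and the TCP capture never saw the session)."""
    msgs, off = [], 0
    while off + HEADER_LEN <= len(stream):
        length, prog, vers, proc, mtype, serial, status = struct.unpack_from(">IIIiiIi", stream, off)
        # The length prefix counts itself and the header, and the whole message must be present.
        if length < HEADER_LEN or off + length > len(stream):
            break
        if prog != REMOTE_PROGRAM or vers != REMOTE_PROTOCOL_VERSION:
            break
        msgs.append(RpcHeader("REMOTE", PROC_NAMES.get(proc, f"PROC_{proc}"),
                              MSG_TYPES.get(mtype, f"TYPE_{mtype}"), serial,
                              MSG_STATUS.get(status, f"STATUS_{status}"), length - HEADER_LEN))
        off += length
    return msgs

def build_message(proc: int, mtype: int, serial: int, status: int = 0, payload: bytes = b"") -> bytes:
    """Encode one libvirt RPC message; used here only to construct the sample stream."""
    return struct.pack(">IIIiiIi", HEADER_LEN + len(payload), REMOTE_PROGRAM,
                       REMOTE_PROTOCOL_VERSION, proc, mtype, serial, status) + payload

# Constructed sample: a CONNECT_CLOSE call and its reply with serial 32 (the fields the
# dissector prints for the last frame above), plus non-libvirt bytes that must decode to nothing.
SAMPLE_STREAM = build_message(2, 0, 32) + build_message(2, 1, 32)
NOT_LIBVIRT = b"GET / HTTP/1.1\r\nHost: localhost\r\n\r\n"
```

To apply it to a real capture, export the TCP stream bytes (e.g. with tshark's follow/raw output) and pass them to parse_libvirt_rpc; a capture taken while the client used the UNIX socket yields an empty list.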
gowrishankar
2016-Jan-07 11:18 UTC
Re: [libvirt-users] unable to dissect libvirt rpc packets using wireshark plugin
Thank you Michal. With your pcap, I could confirm that libvirt dissector worked in
my environment as well. Yes, it could be that my pcap does not have libvirt rpc
packets correctly, though I would have expected. I am checking on it.

Regards,
Gowrishankar

On Thursday 07 January 2016 03:51 PM, Michal Privoznik wrote:
> On 07.01.2016 08:05, gowrishankar wrote:
>> Hi Michal,
>> Thank you for your suggestion. My apologies that I took some time to get
>> back on further confirmation. Regrettably, my tshark is still unable to find
>> libvirt payload inside packet capture, though it lists libvirt as a possible filter.
>>
>> # rpm -ql libvirt-wireshark-1.2.9.3-2.fc21.x86_64
>> /usr/lib64/wireshark/plugins/1.12.5/libvirt.so
>>
>> As I used wireshark 1.12.6 version, I created 1.12.6 directory
>> under plugins and copied above .so.
>> /usr/lib64/wireshark/plugins/1.12.6/libvirt.so
>>
>> # tshark -G protocols | grep -i libvirt
>> Libvirt libvirt libvirt
>>
>> # tshark -r libvirt.pcap libvirt
>> #
>>
> Interesting. This indeed may be that your pcap file does not contain any
> libvirt packets. Esp. if you tested it locally - if you haven't
> specified to use TCP stack, UNIX socket is used by default.
>
>> Are there any dependencies between libvirt and the wireshark dissector
>> mechanism to co-exist and work together (i.e. whether the above
>> libvirt-wireshark is missing some changes that the dissector is expecting?).
>> If you have a sample pcap to recheck my wireshark/tshark, could you please
>> share it with me?
> Sure:
>
> https://mprivozn.fedorapeople.org/libvirt.pcap
>
> $ tshark -r libvirt.pcap libvirt | tail -n1
> 89 29.520014062 ::1 -> ::1 Libvirt 114 Prog=REMOTE Proc=CONNECT_CLOSE Type=REPLY Serial=32 Status=OK
>
> So I can get 89 libvirt packets from the dump.
>
> Michal