diamondman / Example_Wireshark_Dissector_Plugin

A barebones wireshark plugin showing how to compile/link/load a plugin.

Plugin fails to load on MacOS High Sierra (10.13.2) Wireshark 2.4.3 #1

Closed diamondman closed 6 years ago

diamondman commented 6 years ago
  1. By following the steps in the README.md, the plugin compiles and installs successfully.
  2. After install, wireshark detects the plugin from the ~/.config/wireshark/plugins directory and tries to load it.
  3. Wireshark fails to load the plugin and displays an error message saying the following:

Couldn't load module /Users/diamondman/.config/wireshark/plugins/kcat.so: dlopen(/Users/diamondman/.config/wireshark/plugins/kcat.so, 2): initializer function 0x10870a200 not in mapped image for /usr/local/opt/libgpg-error/lib/libgpg-error.0.dylib

The hexadecimal address is different every time. The same code works for Wireshark on Linux. The file command shows the plugin .so file as example.so: Mach-O 64-bit bundle x86_64. The nm command shows the following exports:

⇒  nm example.so
                 U _col_clear
                 U _col_set_str
                 U _create_dissector_handle
0000000000000ea0 t _dissect_example
                 U _dissector_add_uint
0000000000000e20 T _plugin_reg_handoff
0000000000000e10 T _plugin_register
0000000000001040 d _proto_example
0000000000000e60 T _proto_reg_handoff_example
0000000000001048 b _proto_reg_handoff_example.example_handle
0000000000000e30 T _proto_register_example
                 U _proto_register_protocol
                 U _tvb_captured_length
0000000000000f68 S _version
                 U dyld_stub_binder

I thought it might be that plugin_reg_handoff appears in the symbol table as _plugin_reg_handoff, but this is the same for the built-in plugin.

⇒  nm /Applications/Wireshark.app/Contents/PlugIns/wireshark/gryphon.so | grep " T"
0000000000005fd0 T _plugin_reg_handoff
0000000000005fe0 T _plugin_register

The functions called by the two entry point functions listed above show up as symbol type 't' instead of 'T', though, which seems to mean they are not exported. This should not cause an issue, but it is a difference I noticed, so I thought I would point it out.

0000000000006070 t _proto_reg_handoff_gryphon
0000000000005ff0 t _proto_register_gryphon
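As an added example (not part of this issue or the repository), the symbol check from the comment above written as a small script: it parses nm output of the kind quoted above and reports whether the entry points Wireshark resolves by name are present and global ('T'/'S') rather than local ('t'), plus the undefined symbols the host binary must supply at dlopen time. The nm listing is the one quoted in the comment, embedded here as sample input; the symbol names and the nm line layout are the only assumptions.

```python
import re

# Symbols Wireshark's plugin loader looks up by name after mapping the bundle.
# They must be global (uppercase type letter in nm output); a local 't'
# symbol is invisible to dlsym() and the plugin will not register.
REQUIRED_ENTRY_POINTS = ("_plugin_register", "_plugin_reg_handoff", "_version")

# nm line: optional hex address, one-letter type, symbol name (Mach-O or ELF).
NM_LINE = re.compile(r"^(?:([0-9a-fA-F]+)\s+)?([A-Za-z?])\s+(\S+)$")


def parse_nm(output):
    """Return {symbol_name: type_letter} from raw `nm` text; skips non-nm lines."""
    symbols = {}
    for line in output.splitlines():
        m = NM_LINE.match(line.strip())
        if m:
            symbols[m.group(3)] = m.group(2)
    return symbols


def check_plugin(output):
    """Classify the required entry points and list undefined imports.

    'exported': global symbol, resolvable by the loader
    'local':    present but 't'/'d'/'b' etc., so dlsym() cannot find it
    'missing':  not in the symbol table at all
    'undefined': 'U' symbols the host process must provide at load time
    """
    syms = parse_nm(output)
    report = {"exported": [], "local": [], "missing": [], "undefined": []}
    for name in REQUIRED_ENTRY_POINTS:
        letter = syms.get(name)
        if letter is None:
            report["missing"].append(name)
        elif letter.isupper():
            report["exported"].append(name)
        else:
            report["local"].append(name)
    report["undefined"] = sorted(n for n, t in syms.items() if t == "U")
    return report


# Sample input: the nm listing for example.so quoted in the comment above.
EXAMPLE_NM = """\
                 U _col_clear
                 U _col_set_str
                 U _create_dissector_handle
0000000000000ea0 t _dissect_example
                 U _dissector_add_uint
0000000000000e20 T _plugin_reg_handoff
0000000000000e10 T _plugin_register
0000000000001040 d _proto_example
0000000000000e60 T _proto_reg_handoff_example
0000000000001048 b _proto_reg_handoff_example.example_handle
0000000000000e30 T _proto_register_example
                 U _proto_register_protocol
                 U _tvb_captured_length
0000000000000f68 S _version
                 U dyld_stub_binder
"""

if __name__ == "__main__":
    for key, names in check_plugin(EXAMPLE_NM).items():
        print(f"{key}: {names}")
```

A clean report on the entry points (as here) points away from the plugin's own exports and toward the loader error itself, which in this case came from mismatched Wireshark and plugin builds.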

diamondman commented 6 years ago

Turns out I had wireshark installed manually and there was a disagreement between the binary and plugins.