good-tools / wiregasm

Packet Analyzer powered by Wireshark compiled for WebAssembly
GNU General Public License v2.0
59 stars 4 forks

Doc or Feature Request: How to pass additional flags like decode as configuration #4

Closed albertaouad closed 6 months ago

albertaouad commented 7 months ago

Hello folks,

First I want to thank you for the work you have done on wiregasm, it's quite interesting to be able to run Wireshark-like capabilities in the browser as WebAssembly.

I am looking to understand how I can pass decode as configuration or some extra flags to the api so that my network trace is decoded correctly. For example in tshark I can pass -d "tcp.port=8001,http2" which allows tshark to select the correct dissector and decode the given traffic transported on tcp port 8001 as http2.

We noticed that sharkd implements a setconf request type, that allows us to set preferences. Following the implementation of sharkd, we found the C implementation here: https://github.com/wireshark/wireshark/blob/593ea4b16ff02d447f4fc5cbe47ee889f8360dca/sharkd_session.c#L5216

Given we lack some expertise in C, we would appreciate if you can add that method to wiregasm as it enables a multitude of additional use cases to benefit from your open source porting of Wireshark.

dehydr8 commented 7 months ago

Hi @albertaouad

Thanks for your interest in the project.

I briefly looked at the tshark source and -d sets the "Decode As" rule for the matching dissector. Preferences refer to the different configuration options that can be set in Wireshark.

This is where it gets set in the dissector table: https://github.com/wireshark/wireshark/blob/4464c7f245eb4509ca56bab2f29b15077f99505f/ui/decode_as_utils.c#L170

I'll take a look at how this can be implemented in Wiregasm.

EDIT: I believe these can also be set from preferences, e.g. the http2.tcp.port pref is of type "Range (for Decode As)"
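To make the two mechanisms discussed above concrete, here is an added example (not code from wiregasm or Wireshark) that models a dissector table in JavaScript and feeds it both a tshark-style `-d` rule such as `tcp.port=8001,http2` and a `Range (for Decode As)` preference value such as `8443,9000-9010` of the kind `http2.tcp.port` holds. Dissector names, ports and the `DissectorTables` class are constructed for illustration; the example mirrors the syntax only and does not reproduce wiregasm's actual API for setting preferences.

```javascript
// Added example, not wiregasm's or Wireshark's code. It models how a
// "Decode As" rule and a "Range (for Decode As)" preference both end up
// steering a selector (here a TCP port) to a dissector. All names and
// port numbers below are constructed sample values.

// Parse Wireshark's range syntax ("80,8000-8010") into [lo, hi] pairs.
// Rejects anything that is not a port or a port range, so a bad
// preference value fails loudly instead of silently matching nothing.
function parseRange(text) {
  const ranges = [];
  for (const part of text.split(',')) {
    const item = part.trim();
    if (item === '') continue;
    const m = item.match(/^(\d+)(?:-(\d+))?$/);
    if (!m) throw new Error(`bad range element: ${item}`);
    const lo = Number(m[1]);
    const hi = m[2] === undefined ? lo : Number(m[2]);
    if (lo > hi || hi > 65535) throw new Error(`invalid range: ${item}`);
    ranges.push([lo, hi]);
  }
  return ranges;
}

// Parse a tshark -d argument of the form "<table>=<selector>,<dissector>".
function parseDecodeAs(arg) {
  const m = arg.match(/^([a-z0-9_.]+)=(\d+),([a-z0-9_.-]+)$/i);
  if (!m) throw new Error(`bad decode-as rule: ${arg}`);
  return { table: m[1], selector: Number(m[2]), dissector: m[3] };
}

// A minimal stand-in for Wireshark's dissector tables (constructed class).
// Each table holds an ordered list of {ranges, dissector} entries; the
// most recently added entry that matches wins, which is how a later
// Decode As rule overrides an earlier one for the same port.
class DissectorTables {
  constructor() {
    this.tables = new Map();
  }

  entries(table) {
    if (!this.tables.has(table)) this.tables.set(table, []);
    return this.tables.get(table);
  }

  // Apply one parsed Decode As rule (single selector).
  decodeAs(rule) {
    this.entries(rule.table).push({
      ranges: [[rule.selector, rule.selector]],
      dissector: rule.dissector,
    });
  }

  // Apply a "Range (for Decode As)" preference value, e.g. the sample
  // pref http2.tcp.port = "8443,9000-9010" claims those ports for http2.
  applyRangePref(table, dissector, rangeText) {
    this.entries(table).push({ ranges: parseRange(rangeText), dissector });
  }

  // Resolve a selector to a dissector name, or null when no entry matches.
  lookup(table, selector) {
    const list = this.entries(table);
    for (let i = list.length - 1; i >= 0; i--) {
      const { ranges, dissector } = list[i];
      if (ranges.some(([lo, hi]) => selector >= lo && selector <= hi)) {
        return dissector;
      }
    }
    return null;
  }
}

// Walk through the thread's scenario with constructed values.
function demo() {
  const t = new DissectorTables();
  t.decodeAs(parseDecodeAs('tcp.port=8001,http2'));          // tshark -d style
  t.applyRangePref('tcp.port', 'http2', '8443,9000-9010');   // preference style
  t.decodeAs(parseDecodeAs('tcp.port=9005,tls'));            // later rule overrides
  return {
    port8001: t.lookup('tcp.port', 8001), // 'http2'
    port9005: t.lookup('tcp.port', 9005), // 'tls' (override)
    port9001: t.lookup('tcp.port', 9001), // 'http2' (from the range pref)
    port80: t.lookup('tcp.port', 80),     // null (no rule)
  };
}
```

Run `demo()` to see the four lookups; the override case is the one to keep in mind when combining a preference range with explicit Decode As rules, since whichever entry was set last takes effect for a given port.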

dehydr8 commented 7 months ago

I've started the work in PR https://github.com/good-tools/wiregasm/pull/5, you can try pulling those changes to see if your use-case works. If you can, please attach a sample pcap so that we can add it to the tests.

Thanks

albertaouad commented 6 months ago

@dehydr8 , Thank you for being super responsive 🙌🏼 You are right that decode as dissectors can be set from different places, either as preferences directly or using the -d flag. We will try to test the PR and get back to you.

Once again, we appreciate your responsiveness and promptness 🤗

alygueye commented 6 months ago

Hi @dehydr8, thank you for this new feature and for this awesome tool.

I tested the PR #5 and the preferences settings seem to be working fine. Thanks

dehydr8 commented 6 months ago

The PR has been merged and the release version is 1.5.0 :rocket: