mobile-shell / mosh

Mobile Shell
https://mosh.org
GNU General Public License v3.0

Wireshark dissector #778

Open cgull opened 7 years ago

cgull commented 7 years ago

A simple Wireshark dissector would be nice for evaluating Mosh network-level issues. I'm just thinking of something simple that handles the non-encrypted headers; a full decrypting dissector would be neat but a fair bit of work to implement (quite a bit less than a full Mosh implementation though).

thejh commented 3 years ago

Today I hacked together a dissector with support for decryption and decompression (but not defragmentation). It includes some simple analysis of whether the sequence numbers are going up in steps of 1 as they should (so that you can notice packet loss/reordering/...), a really shoddy RTT estimator, and support for handing the first layer of protobuf over to Wireshark's protobuf decoder (but the second layer of nested protobuf inside the diff field is not handled automatically). It hasn't been merged yet, but you can have a look: https://gitlab.com/wireshark/wireshark/-/merge_requests/970

thejh commented 3 years ago

[image: mosh_wireshark]

manfred-kaiser commented 1 year ago

@thejh Thanks for the Wireshark dissector :+1:

Currently I'm working on SSH-MITM, which is an audit tool for SSH and MOSH, and this Wireshark dissector helped me a lot :smile:

My workflow to decrypt MOSH sessions: to get the encryption key from the SSH session, ssh-mitm is started and all SSH and MOSH connections are intercepted. If the user authenticates with a password or if agent forwarding is used, it's possible to do a full man-in-the-middle. The encryption key is intercepted and can be used to decrypt the captured data with Wireshark.

[image]

At the moment I have some problems understanding the state synchronisation protocol :disappointed: There is some information in the research papers, and your dissector can be used to find the packets and fields in the payload, but I don't understand how to get the user input or the data that is printed to the terminal.

@thejh Can you give me some information on how to get the user input from the fields that are decoded with your Wireshark dissector?
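Two pieces of the thread are small enough to show in code: the dissector's check that sequence numbers step by 1 (thejh's comment above) and the first step of the workflow just described, pulling the session key out of the intercepted SSH session. The script below is an added example written for this page; it is not code from mosh, ssh-mitm or the Wireshark dissector. It assumes the Mosh wire format as the project documents it: mosh-server announces the session on the SSH channel with a `MOSH CONNECT <port> <key>` line, `<key>` being a 128-bit AES key as 22 unpadded base64 characters; every Mosh UDP datagram starts with an 8-byte big-endian nonce whose top bit is the direction (1 = server to client) and whose low 63 bits are the sequence number, the rest being AES-128-OCB ciphertext ending in a 16-byte tag; and sequence numbers start at 0 and increase by exactly 1 per packet in each direction. The SSH transcript and the datagrams are constructed for the example (the datagram bodies are filler, not real ciphertext), and the function and constant names are the example's own.

```python
"""Added example (not mosh, ssh-mitm or dissector code): recover the Mosh
session key from an intercepted SSH session and check the cleartext Mosh
packet headers of a capture for loss and reordering.

Assumed Mosh wire format (as documented by the project):
  * "MOSH CONNECT <port> <key>" on the SSH channel; <key> is 22 unpadded
    base64 characters encoding a 16-byte AES key
  * each UDP datagram: 8-byte big-endian nonce (top bit = direction,
    1 = server to client; low 63 bits = sequence number), then AES-128-OCB
    ciphertext with a 16-byte tag, so nothing under 24 bytes can be a packet
  * sequence numbers start at 0 and step by 1 per direction
The sample transcript and datagrams below are constructed; the datagram
bodies are filler, not ciphertext, so nothing here decrypts.
"""
import base64
import re

MOSH_CONNECT_RE = re.compile(rb"^MOSH CONNECT (\d{1,5}) ([A-Za-z0-9+/]{22})\s*$", re.M)
DIRECTION_MASK = 1 << 63          # top bit of the 64-bit nonce
SEQUENCE_MASK = DIRECTION_MASK - 1
NONCE_LEN = 8
TAG_LEN = 16
TO_SERVER, TO_CLIENT = 0, 1


def extract_mosh_connect(ssh_channel_data: bytes) -> tuple[int, bytes]:
    """Pull UDP port and raw key out of the (already plaintext) SSH channel output."""
    m = MOSH_CONNECT_RE.search(ssh_channel_data)
    if m is None:
        raise ValueError("no MOSH CONNECT line in the SSH channel data")
    port, printable = int(m.group(1)), m.group(2)
    if not 1 <= port <= 65535:
        raise ValueError(f"bad UDP port {port}")
    key = base64.b64decode(printable + b"==")
    # mosh-server encodes random bytes, so the key must round-trip; a mangled
    # last character is caught here (this check is stricter than mosh's own).
    if len(key) != 16 or base64.b64encode(key)[:22] != printable:
        raise ValueError("MOSH CONNECT key is not a canonical 16-byte key")
    return port, key


def display_filter(port: int) -> str:
    """Wireshark display filter selecting this session's datagrams."""
    return f"udp.port == {port}"


def parse_header(datagram: bytes) -> tuple[str, int]:
    """Split the cleartext nonce into direction and sequence number."""
    if len(datagram) < NONCE_LEN + TAG_LEN:
        raise ValueError("too short to be a Mosh packet (nonce + OCB tag)")
    nonce = int.from_bytes(datagram[:NONCE_LEN], "big")
    direction = "server->client" if nonce & DIRECTION_MASK else "client->server"
    return direction, nonce & SEQUENCE_MASK


def check_sequence(datagrams) -> list[tuple[int, str, int, int, str]]:
    """Same idea as the dissector's step-by-1 check.

    Returns (capture index, direction, seen seq, expected seq, kind) for each
    datagram that breaks the sequence: 'gap' when the expected number was
    skipped (loss, or a packet that turns up later), 'late' when the number
    is below the highest already seen (reordering or a duplicate).
    """
    expected = {}
    findings = []
    for i, d in enumerate(datagrams):
        direction, seq = parse_header(d)
        exp = expected.get(direction, 0)
        if seq > exp:
            findings.append((i, direction, seq, exp, "gap"))
        elif seq < exp:
            findings.append((i, direction, seq, exp, "late"))
        expected[direction] = max(exp, seq + 1)
    return findings


def constructed_datagram(direction: int, seq: int) -> bytes:
    """Header as on the wire, followed by filler standing in for ciphertext."""
    header = ((direction << 63) | seq).to_bytes(NONCE_LEN, "big")
    filler = bytes((seq * 31 + i) & 0xFF for i in range(28))
    return header + filler


# constructed: a login banner plus the line the Mosh client itself parses
SAMPLE_SSH_OUTPUT = b"Last login: Mon\r\n\r\nMOSH CONNECT 60001 AAECAwQFBgcICQoLDA0ODw\r\n"

# constructed capture order: server seq 2 is never seen, client seq 3 arrives after 4
SAMPLE_CAPTURE = [
    constructed_datagram(TO_SERVER, 0),
    constructed_datagram(TO_CLIENT, 0),
    constructed_datagram(TO_SERVER, 1),
    constructed_datagram(TO_CLIENT, 1),
    constructed_datagram(TO_SERVER, 2),
    constructed_datagram(TO_CLIENT, 3),
    constructed_datagram(TO_SERVER, 4),
    constructed_datagram(TO_SERVER, 3),
    constructed_datagram(TO_SERVER, 5),
]

if __name__ == "__main__":
    port, key = extract_mosh_connect(SAMPLE_SSH_OUTPUT)
    print(f"key {key.hex()}  filter: {display_filter(port)}")
    for i, direction, seq, exp, kind in check_sequence(SAMPLE_CAPTURE):
        print(f"#{i:<3} {direction:<15} seq {seq:<4} expected {exp:<4} {kind}")
```

Run as a script it prints the recovered key, a display filter for the session's UDP port, and one line per sequence anomaly; a reordered packet shows up as a gap followed by a late arrival, which is the pattern to look for before concluding that packets were lost. Only the 8-byte nonce is readable without the key; the timestamps, the zlib-compressed transport instruction and the nested diff protobuf are all inside the OCB ciphertext, which is where the recovered key and the dissector take over.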

thejh commented 1 year ago

Sorry, I haven't looked that deep into the protocol - when I wrote the dissector, I was mainly interested in using it to diagnose latency issues.

manfred-kaiser commented 1 year ago

> Sorry, I haven't looked that deep into the protocol - when I wrote the dissector, I was mainly interested in using it to diagnose latency issues.

Thanks again for the dissector, it was still very useful :smile: :+1: