Open cgull opened 7 years ago
Today I hacked together a dissector with support for decryption and decompression (but not defragmentation), including some simple analysis of whether the sequence numbers are going up in steps of 1 as they should (so that you can notice packet loss/reordering/...), a really shoddy RTT estimator, and support for handing the first layer of protobuf over to Wireshark's protobuf decoder (but the second layer of nested protobuf inside the diff field is not handled automatically). It hasn't been merged yet, but you can have a look: https://gitlab.com/wireshark/wireshark/-/merge_requests/970
@thejh Thanks for the Wireshark dissector :+1:
Currently I'm working on SSH-MITM, which is an audit tool for SSH and MOSH and this Wireshark dissector helped me a lot :smile:
My workflow to decrypt MOSH sessions: To get the encryption key from the ssh session, ssh-mitm is started and all SSH and MOSH connections are intercepted. If the user authenticates with a password or if agent forwarding is used, it's possible to do a full man in the middle. The encryption key is intercepted and can be used to decrypt the captured data with Wireshark.
At the moment I have some problems understanding the state synchronisation protocol :disappointed: There is some information in the research papers and your dissector can be used to find the packets and fields in the payload, but I don't understand how to get the user input or the data which is printed to the terminal.
@thejh Can you give me some information on how to get the user input from the fields which are decoded with your Wireshark dissector?
Sorry, I haven't looked that deep into the protocol - when I wrote the dissector, I was mainly interested in using it to diagnose latency issues.
Thanks again for the dissector, it was still very useful :smile: :+1:
A simple Wireshark dissector would be nice for evaluating Mosh network-level issues. I'm just thinking of something simple that handles the non-encrypted headers-- a full decrypting dissector would be neat but a fair bit of work to implement (quite a bit less than a full Mosh implementation though).
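As an added example (not thejh's dissector nor any ssh-mitm code) of what parsing only the unencrypted header gives you, and of the sequence-number step check described in the dissector post above: a small Python parser for the 8-byte Mosh datagram header that flags gaps, reordering and duplicates per direction over constructed datagrams. It assumes Mosh's wire layout as read from its source (a big-endian 64-bit word: direction bit plus 63-bit sequence number), and the dummy bodies stand in for the ciphertext it does not decrypt.

```python
import struct

# Assumed layout (from Mosh's network.cc/crypto.cc, not the dissector's code):
# the datagram opens with a big-endian 64-bit word; bit 63 is the direction
# (0 = to server, 1 = to client), bits 0..62 the sequence number. Everything
# after it is AES-OCB ciphertext plus tag and is not parsed here.
DIRECTION_MASK = 1 << 63
SEQ_MASK = DIRECTION_MASK - 1
DIRECTIONS = {0: "to_server", 1: "to_client"}


def parse_header(datagram: bytes):
    """Return (direction, seq) from the unencrypted 8-byte Mosh header."""
    if len(datagram) < 8:
        raise ValueError("datagram too short for a Mosh header")
    (direction_seq,) = struct.unpack("!Q", datagram[:8])
    return DIRECTIONS[direction_seq >> 63], direction_seq & SEQ_MASK


def make_datagram(direction: int, seq: int, body: bytes = b"\x00" * 28) -> bytes:
    """Build a constructed datagram: real header, dummy ciphertext body."""
    return struct.pack("!Q", (direction << 63) | (seq & SEQ_MASK)) + body


def check_sequence(datagrams):
    """Flag loss, reordering and duplicates per direction.

    Mosh raises seq by exactly 1 per datagram sent, so in capture order a
    jump of more than 1 means loss (or reordering, if the missing seq shows
    up later) and a seq below the next expected one is a late duplicate.
    """
    expected = {}  # direction -> next seq we expect to see
    findings = []
    for idx, dg in enumerate(datagrams):
        direction, seq = parse_header(dg)
        exp = expected.get(direction)
        if exp is not None and seq > exp:
            findings.append((idx, direction, f"gap: expected {exp}, got {seq}"))
        elif exp is not None and seq < exp:
            findings.append((idx, direction, f"late or duplicate: seq {seq}, expected {exp}"))
        expected[direction] = max(exp or 0, seq + 1)
    return findings


if __name__ == "__main__":
    # Constructed capture: client datagram seq 2 arrives after seq 3 (reordered).
    capture = [make_datagram(0, 0), make_datagram(1, 0), make_datagram(0, 1),
               make_datagram(0, 3), make_datagram(0, 2), make_datagram(1, 1)]
    for finding in check_sequence(capture):
        print(finding)
```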