whitequark / zmtp-wireshark

A Wireshark dissector for ZMTP version 3.0 and later (ZeroMQ 4 and later)
http://rfc.zeromq.org/spec:23
MIT License
86 stars 23 forks source link

Seeking help/advice on considering a builtin C-based dissector for ZMTP #27

Open MartinMathieson opened 8 months ago

MartinMathieson commented 8 months ago

Hi, I am a Wireshark core developer who met this protocol for the first time on a project recently. I have started work on a C-based dissector for ZMTP (it is currently in Draft at https://gitlab.com/wireshark/wireshark/-/merge_requests/14947). One motivation for writing it was to be able to add UAT preferences (as an alternative to the dissector table, which will still get checked if there are no matching UAT entries).

My use-case of ZeroMQ is really just to be clearly able to see/filter short text payloads, where the version will always be 3.1. I have tried to copy the various command types supported by the Lua dissector, but don't have any captures to test with. I guess I could download old source code versions of zeromq and play with sample code, but was hoping you could advise me:

Any help/advice/captures anyone can share would be greatly appreciated (including any downsides of merging my dissector!). Best regards, Martin Mathieson

whitequark commented 8 months ago

Hi Martin! I last worked on this about 10 years ago :D No, I don't think I have any captures, sorry.

  • are the curve and plain methods used much in practice? The only attempt at privacy I've seen is where the ZMTP session was just run over SSH...

I've definitely tried using CURVE. However, there were serious downsides of it, mainly that you can't detect an authentication failure at all. (Yes, really!) For this reason, and unless they fixed it, I think CURVE is basically not usable in user-facing applications as the only way to figure out why auth is failing is a Wireshark dissector. (You can now start seeing why I wrote this...)

There were other similarly frustrating moments with it--I vaguely recall having the same problem with PLAIN. I think I might've used PLAIN instead of CURVE for debugging because then I could use Wireshark? Not sure...

I have next to no memory of using ZeroMQ, except that I found it a frustrating library to use, and some other social factors that aren't relevant here.

whitequark commented 8 months ago

Also, to be clear: I have absolutely no issue with you copying this code, obsoleting it, replacing it, whatever. To the extent I still maintain it (I do merge patches), this is essentially nothing but a burden I take on behalf of the OSS community at large, as I don't expect to ever need it again.

MartinMathieson commented 8 months ago

Also, to be clear: I have absolutely no issue with you copying this code, obsoleting it, replacing it, whatever. To the extent I still maintain it (I do merge patches), this is essentially nothing but a burden I take on behalf of the OSS community at large, as I don't expect to ever need it again.

Thanks for the replies Catherine. We'll see if any current users pipe up. I named the draft protocol 'zmtpx' for now (to allow easy comparison of the decodes) - I'd hate to hide the Lua dissector from users if I don't dissect something as well as the Lua version...

whitequark commented 8 months ago

Sounds good!

MartinMathieson commented 7 months ago

I just merged my change (after changing the protocol from "zmtpx" to "zmtp". I was able to capture the frames during running the tests for libzmq, which gave some better coverage (though it still lacked CURVE over TCP).

Another change I made was to send "PLAIN" username/password to the credentials tap (appears in Tools|Credentials).

Would you like me to create an MR for a change to obsolete this dissector (e.g., change protocol to "zmtp-lua" and put something prominent near the start of README.md) ?

whitequark commented 7 months ago

Would you like me to create an MR for a change to obsolete this dissector (e.g., change protocol to "zmtp-lua" and put something prominent near the start of README.md) ?

Sure, sounds good!