epan/dissectors/packet-wireguard.c:

proto_reg_handoff_wg(void)
{
    dissector_add_uint_with_preference("udp.port", 0, wg_handle);
    heur_dissector_add("udp", dissect_wg_heur, "WireGuard", "wg", proto_wg, HEURISTIC_ENABLE);
...

The WireGuard dissector can be configured for a specific UDP port but also as a heuristic dissector.
The heuristic looks at the first byte of the UDP data, and if it is in the range below, WireGuard claims the packet.

static const value_string wg_type_names[] = {
    { 0x01, "Handshake Initiation" },
    { 0x02, "Handshake Response" },
    { 0x03, "Cookie Reply" },
    { 0x04, "Transport Data" },
    { 0x00, NULL }
};

It also looks at the length of the UDP data.

    switch (message_type) {
    case WG_TYPE_HANDSHAKE_INITIATION:
        return length == 148;
    case WG_TYPE_HANDSHAKE_RESPONSE:
        return length == 92;
    case WG_TYPE_COOKIE_REPLY:
        return length == 64;
    case WG_TYPE_TRANSPORT_DATA:
        return length >= 32;

When the byte is 0x04, the length only has to be >= 32.
For the other values it has to be a specific length, none of which are 500 as in your return data.
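
The two checks quoted in this answer, modelled as a stand-alone C function and run over constructed payloads. This is an added example, not part of the original answer or of Wireshark's code; `wg_heur_would_claim` and `claim_sample` are hypothetical names, and only the first-byte and length checks shown above are modelled.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Message type values from the wg_type_names table quoted above. */
enum { WG_INIT = 0x01, WG_RESPONSE = 0x02, WG_COOKIE = 0x03, WG_DATA = 0x04 };

/* Hypothetical helper: models only the type-byte and length checks. */
bool wg_heur_would_claim(const uint8_t *payload, size_t length)
{
    if (payload == NULL || length == 0)
        return false;               /* no type byte to inspect */
    switch (payload[0]) {
    case WG_INIT:     return length == 148;
    case WG_RESPONSE: return length == 92;
    case WG_COOKIE:   return length == 64;
    case WG_DATA:     return length >= 32;
    default:          return false; /* first byte outside 0x01..0x04 */
    }
}

/* Constructed sample: zero-filled UDP payload with the given first byte. */
bool claim_sample(uint8_t first_byte, size_t length)
{
    uint8_t buf[1500] = {0};
    if (length > sizeof buf)
        return false;
    buf[0] = first_byte;
    return wg_heur_would_claim(buf, length);
}

int main(void)
{
    /* Constructed (first byte, UDP payload length) pairs. */
    static const struct { uint8_t type; size_t len; } samples[] = {
        {0x01, 148}, {0x01, 500}, {0x02, 92}, {0x03, 64},
        {0x04, 31}, {0x04, 500}, {0x05, 500},
    };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("first byte 0x%02x, %4zu bytes -> %s\n",
               (unsigned)samples[i].type, samples[i].len,
               claim_sample(samples[i].type, samples[i].len)
                   ? "claimed" : "not claimed");
    return 0;
}
```

Under these two checks a 500-byte payload is claimed only when its first byte is 0x04; with 0x01, 0x02 or 0x03 the fixed-length comparison fails.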
