1 | initial version |
epan/dissectors/packet-wireguard.c:
    proto_reg_handoff_wg(void)
    {
        dissector_add_uint_with_preference("udp.port", 0, wg_handle);
        heur_dissector_add("udp", dissect_wg_heur, "WireGuard", "wg", proto_wg, HEURISTIC_ENABLE);
        ...
The WireGuard dissector can be configured for a specific UDP port but also as a heuristic dissector.
The heuristics look at the first byte of UDP data and if it is in the range below, WireGuard claims the packet.
    static const value_string wg_type_names[] = {
        { 0x01, "Handshake Initiation" },
        { 0x02, "Handshake Response" },
        { 0x03, "Cookie Reply" },
        { 0x04, "Transport Data" },
        { 0x00, NULL }
    };
It also looks at the length of the UDP data.
    switch (message_type) {
    case WG_TYPE_HANDSHAKE_INITIATION:
        return length == 148;
    case WG_TYPE_HANDSHAKE_RESPONSE:
        return length == 92;
    case WG_TYPE_COOKIE_REPLY:
        return length == 64;
    case WG_TYPE_TRANSPORT_DATA:
        return length >= 32;
When the byte is 0x04 the length only has to be >= 32.
For the other values it has to be a specific length, none of which are 500 as in your return data.
2 | No.2 Revision |
epan/dissectors/packet-wireguard.c:
    proto_reg_handoff_wg(void)
    {
        dissector_add_uint_with_preference("udp.port", 0, wg_handle);
        heur_dissector_add("udp", dissect_wg_heur, "WireGuard", "wg", proto_wg, HEURISTIC_ENABLE);
        ...
The WireGuard dissector can be configured for a specific UDP port but also as a heuristic dissector.
The heuristic looks at the first byte of UDP data and if it is in the range below, WireGuard claims the packet.
    static const value_string wg_type_names[] = {
        { 0x01, "Handshake Initiation" },
        { 0x02, "Handshake Response" },
        { 0x03, "Cookie Reply" },
        { 0x04, "Transport Data" },
        { 0x00, NULL }
    };
It also looks at the length of the UDP data.
    switch (message_type) {
    case WG_TYPE_HANDSHAKE_INITIATION:
        return length == 148;
    case WG_TYPE_HANDSHAKE_RESPONSE:
        return length == 92;
    case WG_TYPE_COOKIE_REPLY:
        return length == 64;
    case WG_TYPE_TRANSPORT_DATA:
        return length >= 32;
When the byte is 0x04 the length only has to be >= 32.
For the other values it has to be a specific length, none of which are 500 as in your return data.
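
The two checks described in the answer (first byte, then length), as an added stand-alone example that is not part of the original answer and is not Wireshark's own code. It covers only those two checks; the names wg_heur_claims and claim_for are hypothetical and the sample payloads are constructed.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Message type values as listed in wg_type_names in the answer. */
enum { WG_INITIATION = 1, WG_RESPONSE = 2, WG_COOKIE_REPLY = 3, WG_TRANSPORT_DATA = 4 };

/* Hypothetical helper: returns the message type that the first-byte and
 * length checks would accept, or 0 if the payload would not be claimed. */
static int wg_heur_claims(const uint8_t *payload, size_t length)
{
    if (payload == NULL || length == 0)
        return 0;
    switch (payload[0]) {
    case WG_INITIATION:     return length == 148 ? WG_INITIATION : 0;
    case WG_RESPONSE:       return length == 92  ? WG_RESPONSE : 0;
    case WG_COOKIE_REPLY:   return length == 64  ? WG_COOKIE_REPLY : 0;
    case WG_TRANSPORT_DATA: return length >= 32  ? WG_TRANSPORT_DATA : 0;
    default:                return 0;   /* first byte outside 0x01..0x04 */
    }
}

/* Constructed sample: a zero-filled UDP payload of `length` bytes whose
 * first byte is `first_byte`. Returns -1 if the sample does not fit. */
static int claim_for(uint8_t first_byte, size_t length)
{
    uint8_t buf[512];
    if (length > sizeof buf)
        return -1;
    memset(buf, 0, sizeof buf);
    buf[0] = first_byte;
    return wg_heur_claims(buf, length);
}

int main(void)
{
    /* A 500-byte payload only passes when its first byte is 0x04. */
    printf("0x04, 500 bytes -> %d\n", claim_for(0x04, 500));
    printf("0x01, 500 bytes -> %d\n", claim_for(0x01, 500));
    printf("0x01, 148 bytes -> %d\n", claim_for(0x01, 148));
    printf("0x04,  31 bytes -> %d\n", claim_for(0x04, 31));
    return 0;
}
```

Any non-WireGuard UDP payload of 32 bytes or more that happens to start with 0x04 passes both checks, which is how unrelated traffic can end up labelled as WireGuard transport data.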