Ask Your Question
0

wireshark docker container override preferences

asked 2021-09-27 20:07:55 +0000

Sanprof gravatar image

I created my own docker image and preinstall there Wireshark to use tshark to analyze pcap files in my asp.net core application, here is part of my Dockerfile

FROM mcr.microsoft.com/dotnet/aspnet:5.0-focal AS base

# Install build wireshark, need to run as root
RUN echo "**** install packages ****" && \
    apt-get update && \
    apt-get install -yq software-properties-common && \
    apt-get install -y  wireshark && \
    apt-get install -yq tshark && \
    echo "**** permissions ****" && \
    setcap  'CAP_NET_RAW+eip CAP_NET_ADMIN+eip'     /usr/bin/dumpcap && \
    echo "**** cleanup ****" && \
    apt-get clean && \
    rm -rf  /tmp/*  /var/lib/apt/lists/*    /var/tmp/*

WORKDIR /app

#next part of Dockerfile is related to asp.net stuff

Everything is working well I can get the required info from pcap files using tshark commands inside docker container. I've faced the next issue I can't modify preferences of the default profile at least I can't even find where I can change it there is no GUI and I can use the only terminal. E.g. I need to enable transum protocol and add additional tcp ports to it:

# Add and remove ports numbers separated by commas
# Ranges are supported e.g. 25,80,2000-3000,5432
# A string denoting an positive integer range (e.g., "1-20,30-40")
transum.tcp_port_ranges: 25,80,443,1433,3389,102

# Add and remove ports numbers separated by commas
# Ranges are supported e.g. 123,137-139,520-521,2049
# A string denoting an positive integer range (e.g., "1-20,30-40")
#transum.udp_port_ranges: 137-139

# Set this to discard any packet in the direction client to service,
# with a 1-byte payload of 0x00 and the ACK flag set
# TRUE or FALSE (case-insensitive)
#transum.orphan_ka_discard: FALSE

# RTE data will be added to the first request packet
# TRUE or FALSE (case-insensitive)
transum.rte_on_first_req: TRUE

# RTE data will be added to the last request packet
# TRUE or FALSE (case-insensitive)
#transum.rte_on_last_req: TRUE

# RTE data will be added to the first response packet
# TRUE or FALSE (case-insensitive)
transum.rte_on_first_rsp: TRUE

# RTE data will be added to the last response packet
# TRUE or FALSE (case-insensitive)
transum.rte_on_last_rsp: TRUE

and how I can do it? I have tried to execute inside container tshark -G currentprefs and everything is commented except a couple of parameters, I don't know from where this infos come

and also I have tried cli command tshark -o transum.tcp_port_ranges: 25,80,443,1433,3389,102 - not working and I have got an error

tshark: Invalid -o flag "transum.tcp_port_ranges:"
edit retag flag offensive close merge delete

Comments

Is there a space between "transum.tcp_port_ranges:" and the "25" ?

Chuckc gravatar imageChuckc ( 2021-09-27 20:54:31 +0000 )edit

tshark -G folders should show you the location of the configuration files.

By the way, if the docker image has no GUI then you can remove the apt-get install wireshark line.

André gravatar imageAndré ( 2021-09-27 22:06:19 +0000 )edit

Chuckc, I have tried both ways with space and w/o, and in both case that was not working.

Here is result of tshark -G folders

Temp:                   /tmp
Personal configuration: /root/.config/wireshark
Global configuration:   /usr/share/wireshark
System:                 /etc
Program:                /usr/bin
Personal Plugins:       /root/.local/lib/wireshark/plugins/3.2
Global Plugins:         /usr/lib/x86_64-linux-gnu/wireshark/plugins/3.2
Personal Lua Plugins:   /root/.local/lib/wireshark/plugins
Global Lua Plugins:     /usr/lib/x86_64-linux-gnu/wireshark/plugins
Extcap path:            /usr/lib/x86_64-linux-gnu/wireshark/extcap
MaxMind database path:  /usr/share/GeoIP
MaxMind database path:  /var/lib/GeoIP
MaxMind database path:  /usr/share/GeoIP
MaxMind database path:  /var/lib/GeoIP

The strange thing for me is that I can't find any preferences files in this instance

Sanprof gravatar imageSanprof ( 2021-09-27 22:31:32 +0000 )edit

transum fields came in 2.4.0.
What version (tshark -v) is apt-get pulling in?

Chuckc gravatar imageChuckc ( 2021-09-27 23:51:35 +0000 )edit

tshark -v returns the next:

TShark (Wireshark) 3.2.3 (Git v3.2.3 packaged as 3.2.3-1)

Copyright 1998-2020 Gerald Combs <[email protected]> and contributors.
License GPLv2+: GNU GPL version 2 or later <https://www.gnu.org/licenses/gpl-2.0.html>
This is free software; see the source for copying conditions. There is NO
warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.

Compiled (64-bit) with libpcap, with POSIX capabilities (Linux), with libnl 3,
with GLib 2.64.2, with zlib 1.2.11, with SMI 0.4.8, with c-ares 1.15.0, with Lua
5.2.4, with GnuTLS 3.6.13 and PKCS #11 support, with Gcrypt 1.8.5, with MIT
Kerberos, with MaxMind DB resolver, with nghttp2 1.40.0, with brotli, with LZ4,
with Zstandard, with Snappy, with libxml2 2.9.10.
Sanprof gravatar imageSanprof ( 2021-09-28 08:54:49 +0000 )edit
see more comments

2 Answers

Sort by » oldest newest most voted
0

answered 2021-09-28 14:10:10 +0000

Chuckc gravatar image

The transum protocol is disabled by default.

packet-transum.c:

    /* Due to performance concerns of the dissector, it's disabled by default */
    proto_disable_by_default(proto_transum);


In the tshark man page, there is a small section "Disabled (Enabled) Protocols" which describes the disabled_protos file.

You could move transum from disabled_protos to enabled_protos or enable on the command line:

C:\>tshark -r ./dcerpc_retrans.pcapng -2 -T fields -e transum.art -Y transum.art

C:\>tshark -r ./dcerpc_retrans.pcapng -2 -T fields -e transum.art -Y transum.art --enable-protocol transum
0.325236000
0.322582000


There is an open issue (17604: tshark -G reports: add to heuristic-decodes, protocols) to add protocol status to tshark -G protocols.

edit flag offensive delete link more

Comments

yes, that is what I need. I created enabled_protos file beside the preferences file and everything is ok now. Thank you very much. André helped me with the preferences file which was also very-very useful info for me.

Sanprof gravatar imageSanprof ( 2021-09-28 19:02:40 +0000 )edit
add a comment
0

answered 2021-09-28 09:52:47 +0000

André gravatar image

Tshark only reads preference files. It does not write or create one (only wireshark does that).
With the command tshark -G folders you can see where tshark looks for the preference files. In your case the preference file is located at $HOME/.config/wireshark/preferences. If that file does not exists (fresh install) then tshark just uses default values.
There are a few options:

Option 1:
If the preference file does not exists you can create one. The preference file needs only to contain the variables you want to change. There is no need to add commented-out ones.

Option 2:
Specify a preference file on the command line: tshark -C my-pref-file

Option 3:
Override values on the command line: tshark -o "transum.tcp_port_ranges:25,80,443,1433,3389,102"

See also: https://www.wireshark.org/docs/wsug_h... https://www.wireshark.org/docs/man-pa...

edit flag offensive delete link more

Comments

Thank you for your answer, I created preferences file inside /usr/share/wireshark - this is a Global configuration folder, then I added needed lines with transum tcp ports, and now when I execute command tshark -G currentprefs I see them uncommented and with values that I put in the preferences file. But I don't know if these preferences are working because when I execute e.g tshark -r /traces/output/00001_20210916183214.pcap -q -2 -z io,stat,0,"AVG(transum.art)transum.art" it returns

======================================
| IO Statistics                      |
|                                    |
| Duration: 165.5 secs               |
| Interval: 165.5 secs               |
|                                    |
| Col 1: AVG(transum.art)transum.art |
|------------------------------------|
|                |1         |        |
| Interval       |    AVG   |        |
|---------------------------|        |
|   0.0 <> 165.5 | 0.000000 |        |
======================================

But on Windows machine for the same file with the same preferences

======================================
| IO Statistics                      |
|                                    |
| Duration: 165.5 secs               |
| Interval: 165.5 secs               |
|                                    |
| Col 1: AVG(transum.art)transum.art |
|------------------------------------|
| Interval       |    AVG    |       |
|----------------------------|       |
|   0.0 <> 165.5 |  2 ...
(more)
Sanprof gravatar imageSanprof ( 2021-09-28 10:49:54 +0000 )edit

I even copied currentprefs from the container and put them to the Wireshark prefs on my Windows machine and the result is the same as with old preferences (transum.art) returns 2.098277

Sanprof gravatar imageSanprof ( 2021-09-28 10:55:15 +0000 )edit

Given that 'tshark -G currentprefs' is returning the expected values I am pretty sure that it is working correctly.
Maybe some other settings are interfering. (The variables are set in the order: default values, overwritten by global file, overwritten by personal file, overwritten by command line options.)
Can you redirect the output of tshark -G currentprefs to file on both and do a 'diff' to see if there are more differences?

Or try tshark -C currentprefs-file-from-windows -r ...

Are the Windows and docker image version of tshark the same?

André gravatar imageAndré ( 2021-09-28 11:57:31 +0000 )edit

Can you redirect the output of tshark -G currentprefs to file on both and do a 'diff' to see if there are more differences?

yes, I did this thing, I redirected the output of this command to file and downloaded it from the container on Windows machine, and then opened in KDiff3 app to compare texts between container's preferences and local preferences (I have 2 Wireshark profiles locally - default and personal, and I compared with both).

I even copied all preferences from the Windows machine to the container and a result the same - not working (transum.art = 0)

So, in the container for command tshark -G currentprefs I see uncommented transum.tcp_port_ranges: 25,80,443,1433,3389,102 but tshark returns transum.art as 0 for pcap files, maybe there should be configured another option that I don't know.

Sanprof gravatar imageSanprof ( 2021-09-28 12:25:11 +0000 )edit

And about the versions, for the container this command apt-get install -yq tshark can install only TShark (Wireshark) 3.2.3 (Git v3.2.3 packaged as 3.2.3-1) but yes, on Windows machine I have another version TShark (Wireshark) 3.4.8 (v3.4.8-0-g3e1ffae201b8)

And 3.2.3 should support transum field TRANSUM RTE Data

Sanprof gravatar imageSanprof ( 2021-09-28 12:27:29 +0000 )edit
add a comment

Your Answer

Please start posting anonymously - your entry will be published after you log in or create a new account.

Add Answer

Question Tools

2 followers

subscribe to rss feed

Stats

Asked: 2021-09-27 20:04:00 +0000

Seen: 1,240 times

Last updated: Sep 28 '21

Related questions

Wireshark 2.4.1 GTK Crash on long run

Why redirection of VoIP calls to voicemail fails?

Capture incoming packets from remote web server

How do I get and display packet data information at a specific byte from the first byte?

Client is waiting for FIN flag from server for 30 sec

wifi disconnects as wireshark starts

How do I add "child item" to an item in the subtree?

What is the syntax for wireshark custom column

Getting error MSB4018 when trying to build wireshark sources

Monitoring UDP data on wireshark shows ARP packet