How to decode the first UDP datagram from UDP over socks5 interaction?

asked 2024-03-01 17:36:31 +0000

Hi! I'm investigating the compatibility of an open-source proxy client and one of the server implementations. Decoding the TCP part works well; I see all the needed info. But due to the UDP over SOCKS5 semantics, at one moment the client switches to UDP and sends a datagram to the previously gathered addr. I found the definition of this datagram in the RFC, but Wireshark shows it as bytes. https://datatracker.ietf.org/doc/html...

It might be that somebody has already written the dissector and I just don't know how to find and apply it. If not, am I right that I need to write the dissector using Lua or C (I've never done it before)?

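To make the bytes Wireshark shows concrete, here is a small decoder for the two SOCKS5 messages involved in the UDP switch, written as an added example for this thread (it is not Wireshark code and not from the asker's client or server). It follows the RFC 1928 layouts: the TCP reply to UDP ASSOCIATE (VER REP RSV ATYP BND.ADDR BND.PORT), whose BND.ADDR/BND.PORT is the "previously gathered addr", and the UDP datagram header (RSV FRAG ATYP DST.ADDR DST.PORT DATA). The sample bytes are constructed, not taken from the linked pcap; the reply sample only reuses the proxy endpoint 23.109.13.244:5000 named in the question.

```python
"""Decode SOCKS5 UDP ASSOCIATE replies and UDP datagram headers (RFC 1928 sections 6 and 7)."""
import ipaddress
import struct

SOCKS_VERSION = 0x05
ATYP_IPV4, ATYP_DOMAIN, ATYP_IPV6 = 0x01, 0x03, 0x04


def _need(buf, offset, n):
    """Raise if fewer than n bytes remain at offset (malformed or truncated input)."""
    if offset + n > len(buf):
        raise ValueError(f"truncated: need {n} bytes at offset {offset}, have {len(buf) - offset}")


def parse_address(buf, offset):
    """Parse ATYP + ADDR + PORT starting at offset. Returns (host, port, next_offset)."""
    _need(buf, offset, 1)
    atyp = buf[offset]
    offset += 1
    if atyp == ATYP_IPV4:
        _need(buf, offset, 4)
        host = str(ipaddress.IPv4Address(bytes(buf[offset:offset + 4])))
        offset += 4
    elif atyp == ATYP_DOMAIN:
        # one length octet, then the name with no terminating NUL
        _need(buf, offset, 1)
        length = buf[offset]
        offset += 1
        _need(buf, offset, length)
        host = bytes(buf[offset:offset + length]).decode("ascii")
        offset += length
    elif atyp == ATYP_IPV6:
        _need(buf, offset, 16)
        host = str(ipaddress.IPv6Address(bytes(buf[offset:offset + 16])))
        offset += 16
    else:
        raise ValueError(f"unknown ATYP 0x{atyp:02x}")
    _need(buf, offset, 2)
    port = struct.unpack("!H", buf[offset:offset + 2])[0]  # network byte order
    return host, port, offset + 2


def parse_udp_associate_reply(buf):
    """TCP reply to UDP ASSOCIATE: VER REP RSV ATYP BND.ADDR BND.PORT.
    BND.ADDR/BND.PORT is the relay endpoint the client must send UDP datagrams to."""
    _need(buf, 0, 4)
    if buf[0] != SOCKS_VERSION:
        raise ValueError(f"unexpected SOCKS version {buf[0]}")
    host, port, end = parse_address(buf, 3)
    return {"rep": buf[1], "bnd_host": host, "bnd_port": port, "trailing": len(buf) - end}


def parse_udp_datagram(buf):
    """UDP datagram header: RSV(2) FRAG(1) ATYP DST.ADDR DST.PORT, then DATA."""
    _need(buf, 0, 4)
    if buf[0:2] != b"\x00\x00":
        raise ValueError("RSV must be zero")
    frag = buf[2]
    host, port, end = parse_address(buf, 3)
    return {
        # FRAG 0 = standalone datagram; non-zero = fragment number, high bit
        # set on the last fragment. Many servers drop datagrams with FRAG != 0.
        "frag": frag,
        "fragmented": frag != 0,
        "dst_host": host,
        "dst_port": port,
        "data": bytes(buf[end:]),
    }


# Constructed sample bytes (not from the pcap in the question).
SAMPLE_REPLY = bytes.fromhex("05 00 00 01 176d0df4 1388")          # REP=0, BND 23.109.13.244:5000
SAMPLE_DATAGRAM = bytes.fromhex("0000 00 01 cb00710a 0035") + b"hello"  # to 203.0.113.10:53

if __name__ == "__main__":
    print(parse_udp_associate_reply(SAMPLE_REPLY))
    print(parse_udp_datagram(SAMPLE_DATAGRAM))
```

Run against the UDP payload of packet #16 exported from Wireshark, the function returns the destination the proxy should relay to and the inner payload, which is exactly what a dissector for this frame would display. The bounds checks matter because a dissector sees attacker-controlled bytes; a length octet or ATYP that does not match the remaining buffer must raise rather than read past the end.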

Comments

Do you have a capture file you can share?

Chuckc ( 2024-03-01 17:49:13 +0000 )

Here is the pcap file https://api.datascrape.tech/static/ud... . I don't have enough points to attach content. There is PROXY AUTH data inside, but don't mind it; I've changed it already.

I want to decode packet #16: UDP 192.168.50.38:62497 -> 23.109.13.244:5000

greggyNapalm ( 2024-03-02 08:41:33 +0000 )

Thanks! It gets added as a conversation. Nothing logged when Wireshark started with debug. Will need to dig in to verify whether it's a bug or a config issue.

Chuckc ( 2024-03-02 15:25:16 +0000 )

It's a bug - the UDP conversation is getting added using the source and destination addresses of frame 14 (which has the reply), but it needs to use the source and destination addresses contained within the command (stored in the hash_info). It also might need to create the conversation with NO_PORT2 since one of the ports given is 0. The processing in socks_udp_dissector also might need to do something special if hash_info->port == 0.

johnthacker ( 2024-03-02 16:58:03 +0000 )

So, am I getting it right that I need to write this socks_udp_dissector myself and there is no available implementation?

greggyNapalm ( 2024-03-02 19:41:41 +0000 )