why is my udp protocol showing up as WireGuard protocol

asked 2024-10-23 19:00:09 +0000

Frank
3 ●1 ●1

I am polling one of our units via UDP protocol. I send 60 bytes to the unit and it responds with 500 bytes of data. The unit is programmed to respond to certain messages, for instance the first byte can be 1 through 6. When that byte is 4 the protocol listed in Wireshark says WireGuard. When the first byte is 1, 2, 3, 5, or 6 the protocol is correctly listed as UDP. I would attach a capture but I don't see how to do that.

edit retag flag offensive close merge delete

Comments

It helps if you include the output of wireshark -v or contents of Help -> About Wireshark:Wireshark with the question. This includes version information that helps when looking at the code.
To share a capture file, place it on a public file share (Microsoft, Google, AWS) then update the question with a link to it.

Chuckc ( 2024-10-23 20:52:47 +0000 )edit

Sample capture attached to 16394: Crash in WireGuard dissector

Chuckc ( 2024-10-23 21:12:43 +0000 )edit

add a comment

2 Answers

Sort by » oldest newest most voted

answered 2024-10-23 21:03:43 +0000

Chuckc
3023 ●6 ●608 ●20

updated 2024-10-23 21:04:29 +0000

epan/dissectors/packet-wireguard.c:

proto_reg_handoff_wg(void)
{
    dissector_add_uint_with_preference("udp.port", 0, wg_handle);
    heur_dissector_add("udp", dissect_wg_heur, "WireGuard", "wg", proto_wg, HEURISTIC_ENABLE);
...

The Wireguard dissector can be configured for a specific UDP port but also as a heuristic dissector.
The heuristic looks at the first byte of UDP data and if it is in the range below, Wireguard claims the packet.

static const value_string wg_type_names[] = {
    { 0x01, "Handshake Initiation" },
    { 0x02, "Handshake Response" },
    { 0x03, "Cookie Reply" },
    { 0x04, "Transport Data" },
    { 0x00, NULL }
};

It also looks at the length the UDP data.

    switch (message_type) {
    case WG_TYPE_HANDSHAKE_INITIATION:
        return length == 148;
    case WG_TYPE_HANDSHAKE_RESPONSE:
        return length == 92;
    case WG_TYPE_COOKIE_REPLY:
        return length == 64;
    case WG_TYPE_TRANSPORT_DATA:
        return length >= 32;

When the byte is 0x04 the length only has to be >= 32.
For the other values it has to be a specific length none of which are 500 as in your return data.

edit flag offensive delete link

add a comment

answered 2024-10-24 08:17:43 +0000

grahamb

flag of United Kingdom of Great Britain and Northern Ireland

23835 ●4 ●973 ●227 https://www.wireshark.org

The answer from @Chuckc explains the why of how the packet gets dissected as WireGuard traffic, but not what you can do about it.

If you don't need to see WireGuard traffic then you can disable that dissector, from the menu Analyze -> Enabled Protocols > locate WireGuard and uncheck the item, see here for more info on disabling protocols.

I suggest creating a new profile for this to keep this configuration change isolated, see here for info on profiles.

edit flag offensive delete link

Comments

Thank you Chuckc for the detailed explanation. I'm not looking to change anything I was just wondering why it was showing up like that. Now I know, thanks again!

Frank ( 2024-10-24 12:11:34 +0000 )edit

add a comment