
why is my udp protocol showing up as WireGuard protocol

asked 2024-10-23 19:00:09 +0000 by Frank

I am polling one of our units via UDP protocol. I send 60 bytes to the unit and it responds with 500 bytes of data. The unit is programmed to respond to certain messages, for instance the first byte can be 1 through 6. When that byte is 4 the protocol listed in Wireshark says WireGuard. When the first byte is 1, 2, 3, 5, or 6 the protocol is correctly listed as UDP. I would attach a capture but I don't see how to do that.


Comments

  1. It helps if you include the output of wireshark -v or the contents of Help -> About Wireshark: Wireshark with the question. This includes version information that helps when looking at the code.
  2. To share a capture file, place it on a public file share (Microsoft, Google, AWS) then update the question with a link to it.

Chuckc (2024-10-23 20:52:47 +0000)

Sample capture attached to 16394: Crash in WireGuard dissector

Chuckc (2024-10-23 21:12:43 +0000)

2 Answers


answered 2024-10-23 21:03:43 +0000 by Chuckc, updated 2024-10-23 21:04:29 +0000

epan/dissectors/packet-wireguard.c:

void
proto_reg_handoff_wg(void)
{
    /* Registered on a user-configurable UDP port (default 0 = none) ... */
    dissector_add_uint_with_preference("udp.port", 0, wg_handle);
    /* ... and as a heuristic dissector that is tried on every UDP payload. */
    heur_dissector_add("udp", dissect_wg_heur, "WireGuard", "wg", proto_wg, HEURISTIC_ENABLE);
...

The WireGuard dissector can be configured for a specific UDP port, but it is also registered as a heuristic dissector.
The heuristic looks at the first byte of the UDP data and, if it is in the range below, WireGuard claims the packet.

static const value_string wg_type_names[] = {
    { 0x01, "Handshake Initiation" },
    { 0x02, "Handshake Response" },
    { 0x03, "Cookie Reply" },
    { 0x04, "Transport Data" },
    { 0x00, NULL }
};

It also looks at the length of the UDP data.

    switch (message_type) {
    case WG_TYPE_HANDSHAKE_INITIATION:
        return length == 148;
    case WG_TYPE_HANDSHAKE_RESPONSE:
        return length == 92;
    case WG_TYPE_COOKIE_REPLY:
        return length == 64;
    case WG_TYPE_TRANSPORT_DATA:
        return length >= 32;

When the byte is 0x04 the length only has to be >= 32.
For the other values it has to be a specific length, none of which is 500 as in your return data.

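To make the two checks from the answer concrete, here is an added example (not Wireshark's code, and not part of the original answer) that re-implements only the message-type and length tests quoted above as a stand-alone C program and runs them over constructed 500-byte payloads whose first byte is 1 through 6, as in the question. The function names wg_heuristic_claims and protocol_label are assumptions chosen for this example; the real dissector may apply further checks that the answer does not quote.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* WireGuard message-type values, as in the wg_type_names table quoted above. */
enum wg_type {
    WG_TYPE_HANDSHAKE_INITIATION = 0x01,
    WG_TYPE_HANDSHAKE_RESPONSE   = 0x02,
    WG_TYPE_COOKIE_REPLY         = 0x03,
    WG_TYPE_TRANSPORT_DATA       = 0x04
};

/* Hypothetical re-implementation of the checks quoted from packet-wireguard.c:
 * the first payload byte must be a known message type and the UDP payload
 * length must fit that type. Returns 1 when the heuristic would claim the
 * packet for WireGuard, 0 otherwise. */
int wg_heuristic_claims(const uint8_t *payload, size_t length)
{
    if (payload == NULL || length < 1)
        return 0;
    switch (payload[0]) {
    case WG_TYPE_HANDSHAKE_INITIATION: return length == 148;
    case WG_TYPE_HANDSHAKE_RESPONSE:   return length == 92;
    case WG_TYPE_COOKIE_REPLY:         return length == 64;
    case WG_TYPE_TRANSPORT_DATA:       return length >= 32;
    default:                           return 0;
    }
}

/* Constructed payload: first byte is the unit's message selector, rest is filler. */
static void make_payload(uint8_t *buf, size_t length, uint8_t first_byte)
{
    memset(buf, 0xAA, length);
    buf[0] = first_byte;
}

/* Label a payload the way the Protocol column would, per the quoted heuristic. */
const char *protocol_label(uint8_t first_byte, size_t length)
{
    uint8_t buf[600];
    if (length < 1)
        return "UDP";
    if (length > sizeof buf)
        length = sizeof buf;
    make_payload(buf, length, first_byte);
    return wg_heuristic_claims(buf, length) ? "WireGuard" : "UDP";
}

int main(void)
{
    /* The asker's case: 500-byte responses whose first byte is 1..6. */
    for (uint8_t b = 1; b <= 6; b++)
        printf("first byte %u, 500 bytes -> %s\n", b, protocol_label(b, 500));
    /* Same selectors at lengths that do or do not satisfy the heuristic. */
    printf("first byte 1, 148 bytes -> %s\n", protocol_label(1, 148));
    printf("first byte 4,  31 bytes -> %s\n", protocol_label(4, 31));
    return 0;
}
```

Only the first byte 4 row comes out as WireGuard at 500 bytes, because 0x04 (Transport Data) accepts any length of 32 or more, while 0x01, 0x02 and 0x03 require exactly 148, 92 and 64 bytes and 0x05/0x06 are not WireGuard types at all.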

answered 2024-10-24 08:17:43 +0000 by grahamb

The answer from @Chuckc explains why the packet gets dissected as WireGuard traffic, but not what you can do about it.

If you don't need to see WireGuard traffic then you can disable that dissector: from the menu Analyze -> Enabled Protocols, locate WireGuard and uncheck the item; see here for more info on disabling protocols.

I suggest creating a new profile for this to keep this configuration change isolated, see here for info on profiles.


Comments

Thank you Chuckc for the detailed explanation. I'm not looking to change anything I was just wondering why it was showing up like that. Now I know, thanks again!

Frank (2024-10-24 12:11:34 +0000)
