Create new branch compatible with Wireshark v2.9

[xeen3d]

Hi
first of all very cool Tool.
Second a small issue with Wireshark 2.9 Dev

Lua: Error during loading:
...uzona/.local/lib/wireshark/plugins/web/tor_detection.lua:14: bad argument #1 to 'new' (Field_new: a field with this name must exist)

Hole other Tools working very well only in this script I have the small problem above
maybe Wireshark 2.9 dev or my OS is the Problem or a simple Mistake in script self.

If you have some idea it was Coll otherwise I not use the tor_detection

thanks

Andre

[nishantsharmax]

@xeen3d Thanks for using our tool!
We are looking into it and will post an update here soon.

[nishantsharmax]

@xeen3d We looked into it and found out that multiple field names are changed between v2.6 and v2.9

For example

• ssl is replaced by tls i.e. ssl.handshake.extensions_server_name (for v2.6) is tls.handshake.extensions_server_name (for v2.9).
• bootp is replaced with dhcp

This is causing the issue because in tor_detection and http_website_list, we have used ssl.handshake.extensions_server_name. It will also cause issue for DHCP part. And there can be other such changes which may affect the rest functionality.

Quick fix
You have to replace ssl occurances with tls and so on if you want it to work on v2.9.

Our plan
As the changes will not be compatible with current stable version and we don;t know the quantum of change yet, we won't be making changes to main branch. However, we will create a new branch for v2.9 in a few days.

Hope it helps. Thanks !

[xeen3d]

Hi
many thanks for that fast answer, ist not a main problem missing one or two of the Plugins ;-)
i am not sure when 2.9 shark branch will go more public, I like some of the new features very well
that's why I use that dev edition and for testing too.

If I know that the field names was the Problem is not a real big task do some own work
with search and replace ;-)
Your Tools are a very well enhancement for network forensic tasks in my normal work I do more
computer forensic work but mostly on offline copy of infected or hacked system.
But often I need Information about what would be permitted from a malware or
a dangerous bin file and for such tasks your tools make my live a little bit more easy ;-)

is it maybe possible with Lua script find out what shark version was used and make a block of field
names for the variables ? I am not a good coder if so I can try that self ;-) like if < 2.8 use x

many thanks

Andre

[xeen3d]

Hi
i see too late that other plugins also be affected and more field names was changed so for
now I use a second installation of shark for use it with your tools, I do my hole forensic work in vm´s
it is not a problem running different versions ;-)

best

Andre

[nishantsharmax]

@xeen3d You are welcome man! The team is happy to know that our tool is able to help you with your work.

We will definitely put the version checks in place but it will require significant work and unfortunately, we have our hands full as of now with attackdefense.com. But rest assured, we will roll out next version (with v2.9 compatibility and support for more protocols) in a few days.

[xeen3d]

Hi
thanks again from here,
I take a closer look at the field names that was changed (not all but some) and in my eyes
many of those changes are good changes like bootp to DHCP

Your Plugin set does a great job and is perfect for live investigation from a small foresic USB Stick.
In live Forensic you cannot install something on the target and many commercial network analyst systems like from riverbed packet analyzer need installation.

Wireshark and tcpdump can run from a Stick and on newer Windows are netsh is your friend for capturing without install something. (Unix/Linux is never a problem for capturing without installation)

Nex Week I try my new Portable WS with your Tools ;-)

Don´t misunderstood me I need such tools not every day but some times they are fast and helpful and last better than install a tap and using a second Laptop for sniffing.
Such Stick is more like a multi tool in Pocket than a hole set of special Tools installed on a Laptop.
I put your tools to my watch list too see what you are doing ;-)

best

Andre

[nishantsharmax]

@xeen3d It is always good to hear about real world experience/requirements of a practitioner. I can completely relate to the issues that one can face while working with licensed analysis solutions. Also, most of analysis tools (especially for Linux) are pretty hard to install and take time. And, then there is one's love towards a specific OS (Linux vs Windows vs MacOS). These were the main reasons to take this universally compatible copy-paste plugins approach.

Thanks for the feedback and you will see major code contribution to this repository by end of march 2019. :)

• Nishant

[xeen3d]

Hi
I would give you a short feedback .
I run your Plugin set now with Wireshark stable version, all works well.
If you planning enhancing your Tool it would be very cool if there will be a LDAP
Plugin for extracting hole LDAP traffic in a readable format.
I am not a programmer so I cannot make it self ;-) and If I can I not
need such Tools ;-)
why ldap ? answer is simple most Directory Servers use it and here in Germany most
Companys use Microsoft Software like Active Directory for authentication and in many
of my searches I must take a closer look to that.
The Wireshark follow tcp Stream give a Result but is far away from looking like results from your Tools.

And a second enhancement was also cool , a select the packages Button that the plugin have touched for getting result, then I can export that stream (in pcap) for having a evidence.

If you would ask me the select button was for me self more important than a new plugin ;-)

Many thanks for all your Time you put in such a project

Andre