Skip to content

Commit ebfafa1

Browse files
corherecorhere
committed
contrib: add Wireshark plugins for NetworkDB
Contribute a Wireshark plugin for decrypting and dissecting hashicorp/memberlist messages. And contribue a plugin for dissecting the NetworkDB messages transported as memberlist User messages. Add a feature to NetworkDB to log the encryption keys to a file for the Wireshark memberlist plugin to consume, configured using an environment variable. Signed-off-by: Cory Snider <[email protected]>
1 parent 3b50d0d commit ebfafa1

5 files changed

Lines changed: 804 additions & 0 deletions

File tree

contrib/wireshark/README.md

Lines changed: 111 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,111 @@
1+
Wireshark Dissectors for NetworkDB
2+
==================================
3+
4+
`memberlist.lua` is a [Wireshark][] plugin
5+
which registers a `memberlist` protocol
6+
that can dissect the [memberlist][] TCP and UDP protocols.
7+
The `memberlist` protocol can be configured to dissect user data
8+
as the protocol named in the `memberlist.userdata_dissector` preference.
9+
10+
`moby-networkdb.lua` is a Wireshark plugin which registers
11+
a protocol named `networkdbgossip`
12+
that dissects NetworkDB gossip messages.
13+
As node-to-node communications for NetworkDB
14+
are transported as memberlist user messages,
15+
the memberlist protocol dissector must be configured
16+
to invoke the networkdbgossip protocol as a sub-dissector.
17+
(Read: set the preference `memberlist.userdata_dissector:networkdbgossip`)
18+
19+
Installation
20+
------------
21+
22+
### Install Wireshark 4.5 or newer.
23+
Wireshark 4.4 has an incomplete msgpack protocol dissector
24+
that is unable to properly decode memberlist messages.
25+
As of 2025-06-30 Wireshark 4.5 has yet to be released.
26+
A [nightly build][ws.dl] may be required.
27+
28+
### Install the plugins
29+
Configure Wireshark/Tshark to load `memberlist.lua` and `moby-networkdb.lua`.
30+
Refer to [the Wireshark Lua manual][ws.lua.intro] for further instruction.
31+
32+
### Configure the ProtoBuf protocol
33+
34+
NetworkDB messages are serialized to protobuf,
35+
which is not self-describing.
36+
The ProtoBuf Wireshark protocol needs to be supplied with
37+
the protobuf IDL definitions of the messages
38+
in order to dissect them.
39+
40+
1. Clone [moby/moby][] for the NetworkDB IDL definitions.
41+
2. Clone [protocolbuffers/protobuf][] for the protobuf "standard library" IDL.
42+
3. Configure the ProtoBuf protocol (Preferences -> Protocols -> ProtoBuf)
43+
as follows:
44+
- ✅ Load .proto files on startup. (`protobuf.reload_protos`)
45+
- ✅ Dissect Protobuf fields as Wireshark fields. (`protobuf.pbf_as_hf`)
46+
- Add entries to the Protobuf Search Paths table (`uat:protobuf.search_paths`):
47+
- path/to/protocolbuffers/protobuf/src
48+
- path/to/moby/moby/vendor
49+
- path/to/moby/moby
50+
- path/to/moby/moby/libnetwork/networkdb (✅ Load all files)
51+
- path/to/moby/moby/libnetwork/drivers/overlay (✅ Load all files)
52+
53+
Note that it is not sufficient to just grab the .proto files from the repos.
54+
The directory structure is necessary for the definitions to load properly.
55+
56+
### Configure the Memberlist protocol
57+
58+
Configure memberlist to dissect user data messages as NetworkDB gossip.
59+
- In Preferences -> Protocols -> MEMBERLIST,
60+
set the User Data Dissector to `networkdbgossip`.
61+
(`memberlist.userdata_dissector`)
62+
- Optional: set Memberlist TCP+UDP port(s) (`memberlist.ports`) as needed.
63+
E.g. a value such as `7946,10000-10999` would be useful
64+
for analyzing packet captures from NetworkDB unit tests.
65+
66+
Usage Notes
67+
-----------
68+
69+
### Encryption
70+
71+
The memberlist protocol dissector supports decryption
72+
of encrypted memberlist messages
73+
when provided with a file containing the encryption keys used.
74+
In Preferences -> Protocols -> MEMBERLIST,
75+
set the Encryption Key Logfile Path
76+
(`memberlist.keylog`)
77+
to a file containing the encryption keys.
78+
79+
The logfile should list the encryption keys
80+
as hexadecimal strings, delimited by newlines.
81+
82+
dockerd may be configured to write the NetworkDB encryption keys to a logfile
83+
by setting the environment variable `NETWORKDBKEYLOGFILE`
84+
to the path where the file should reside.
85+
86+
### Known Issues
87+
88+
The NetworkDB protocol may fail to load with an error when Wireshark is first started:
89+
90+
moby-networkdb.lua:4: bad argument #1 to 'new'
91+
(Field_new: a field with this name must exist)
92+
93+
This is due to [a known issue in Wireshark.](https://gitlab.com/wireshark/wireshark/-/issues/20161)
94+
95+
Workaround: reload Lua plugins after Wireshark has been initialized.
96+
97+
- Menu: Analyze -> Reload Lua Plugins, or
98+
- Keyboard shortcut: Ctrl-Shift-L (Windows/Linux), ⇧⌘L (macOS)
99+
100+
### Limitations
101+
102+
- Only memberlist encryption version 1 (AES-GCM 128, no padding) is supported,
103+
not version 0 (AES-GCM 128 using PKCS#7 padding).
104+
- Labelled messages cannot currently be decrypted.
105+
106+
[memberlist]: https://github.com/hashicorp/memberlist
107+
[Wireshark]: https://wireshark.org
108+
[ws.dl]: https://www.wireshark.org/download/automated/
109+
[ws.lua.intro]: https://www.wireshark.org/docs/wsdg_html_chunked/wsluarm.html#wsluarm_intro
110+
[moby/moby]: https://github.com/moby/moby
111+
[protocolbuffers/protobuf]: https://github.com/protocolbuffers/protobuf

0 commit comments

Comments
 (0)