Interlude: Finding bugs in Wireshark

There are many different areas of expertise in cyber security, each area is quite important and distinct. Some people write security policies or handle communications during an incident. Others examine a hard drive and recover lost, hidden or deleted files. Others examine a suspicious binary program and can reverse engineer that program, revealing its function, algorithms and communication protocols.

My particular expertise is the examination of the recordings of traffic traveling on or through a network. Practically all activities online (e-mail, web browsing, social media and voice-over-IP, to name just a few) involve one device communicating with another device, and this traffic can be recorded and analyzed. One of the most common open source software tools to analyze recorded network traffic is Wireshark, and its command line counterpart, TShark.

TShark is very powerful because, like Wireshark, it can parse protocols such as web and e-mail and display this information. In addition, TShark’s output can be easily saved to a file. This output can then be read and processed by additional programs or scripts.

This simplified example uses TShark to read a file called “traffic”, and instructs TShark to output information about any web, e-mail or proxy activity captured.

tshark -r traffic -T fields -e frame.number -e frame.time -e ip.src -e tcp.srcport -e ip.dst -e tcp.dstport -e socks.dst -e socks.remote_name -e socks.port -e http.request.full_uri -e ssl.handshake.extensions_server_name -e imf.from -e imf.to -e imf.subject

Wireshark and TShark are critical tools for this research, so it was frustrating when TShark routinely crashed. Wireshark understands hundreds of protocols and formats used on the Internet, but doing this is not simple, and software bugs are inevitable. Still, I was very frustrated. I could try to work around the crashes, but the situation was definitely not ideal.

Wireshark is open source software, which means any volunteer can modify and fix sourcecode. But first I had to report the bug. I examined the network traffic files that crashed Wireshark, and tried to look for commonalities. I wanted to tell the Wireshark team why I thought the program crashed. Being unsuccessful, I then constructed the smallest file I could that still crashed the program, and reported the bug to the Wireshark developers.

I was convinced the crashes were due to a bug in the interpretation of the network traffic. But instead, the bug was in something more fundamental. I had discovered a bug in the part of Wireshark that managed system memory. The bug was diagnosed and fixed on the same day, and the Wireshark team issued a security advisory for this memory management bug.

I later reported a more mundane bug that was caused by misinterpretation of Internet traffic. As a result of these fixes, I have to ensure all of my computers run Wireshark 1.12.7 or later.

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s