[libvirt-users] unable to dissect libvirt rpc packets using wireshark plugin

Hi,

I am trying the libvirt plugin in wireshark to dissect RPC payload in TCP, but finding the dissector code not really working.

My env is Fedora core 21 (x86_64) and installed packages are as follows:

wireshark-1.12.6-1.fc21.x86_64
libvirt-wireshark-1.2.9.3-2.fc21.x86_64

Earlier, just after installation, I noticed libvirt.so available only in /usr/lib64/wireshark/plugins/1.12.5/ . Wireshark could not load the libvirt plugin. So, I copied the above .so into 1.12.6/ under the same plugins folder, following which wireshark could list libvirt as a supported protocol.

tshark -G protocols | grep libvirt
Libvirt libvirt libvirt

However, on checking with some pcaps which have libvirt RPC calls captured on the wire, wireshark does not list libvirt RPC packets as I search for the "libvirt" protocol in the pcap.

Has anyone experienced this before, or if you have any pointer that I could check in my env, that would be very helpful.

--
Regards,
Gowrishankar M

On 26.10.2015 11:38, gowrishankar wrote:
> Hi,
> I am trying the libvirt plugin in wireshark to dissect RPC payload in TCP, but finding the dissector code not really working.
>
> My env is Fedora core 21 (x86_64) and installed packages are as follows:
>
> wireshark-1.12.6-1.fc21.x86_64
> libvirt-wireshark-1.2.9.3-2.fc21.x86_64
>
> Earlier, just after installation, I noticed libvirt.so available only in /usr/lib64/wireshark/plugins/1.12.5/ . Wireshark could not load the libvirt plugin.

Yes, this is inherently broken. See my patch that I've just proposed:

https://www.redhat.com/archives/libvir-list/2015-October/msg00852.html

> So, I copied the above .so into 1.12.6/ under the same plugins folder, following which wireshark could list libvirt as a supported protocol.
>
> tshark -G protocols | grep libvirt
> Libvirt libvirt libvirt
>
> However, on checking with some pcaps which have libvirt RPC calls captured on the wire, wireshark does not list libvirt RPC packets as I search for the "libvirt" protocol in the pcap.

What is the command you're trying? Because if I copy the plugin over to the correct directory it seems to be working for me.

> Has anyone experienced this before, or if you have any pointer that I could check in my env, that would be very helpful.

Michal

Hi Michal,

Thank you for your suggestion. My apologies that I took some time to get back on further confirmation. Regrettably, my tshark is still unable to find libvirt payload inside the packet capture, though it lists libvirt as a possible filter.

# rpm -ql libvirt-wireshark-1.2.9.3-2.fc21.x86_64
/usr/lib64/wireshark/plugins/1.12.5/libvirt.so

As I used wireshark 1.12.6 version, I created a 1.12.6 directory under plugins and copied the above .so.

/usr/lib64/wireshark/plugins/1.12.6/libvirt.so

# tshark -G protocols | grep -i libvirt
Libvirt libvirt libvirt

# tshark -r libvirt.pcap libvirt
#

Are there any dependencies between libvirt and the wireshark dissector mechanism to co-exist and work together (ie. whether the above libvirt-wireshark is missing some changes that the dissector is expecting ??). If you have a sample pcap to recheck my wireshark/tshark, could you please share it with me ?

Regards,
Gowrishankar

On Thursday 29 October 2015 06:18 PM, Michal Privoznik wrote:

On 07.01.2016 08:05, gowrishankar wrote:
> Hi Michal,
> Thank you for your suggestion. My apologies that I took some time to get back on further confirmation. Regrettably, my tshark is still unable to find libvirt payload inside the packet capture, though it lists libvirt as a possible filter.
>
> # rpm -ql libvirt-wireshark-1.2.9.3-2.fc21.x86_64
> /usr/lib64/wireshark/plugins/1.12.5/libvirt.so
>
> As I used wireshark 1.12.6 version, I created a 1.12.6 directory under plugins and copied the above .so.
> /usr/lib64/wireshark/plugins/1.12.6/libvirt.so
>
> # tshark -G protocols | grep -i libvirt
> Libvirt libvirt libvirt
>
> # tshark -r libvirt.pcap libvirt
> #

Interesting. This indeed may be that your pcap file does not contain any libvirt packets. Esp. if you tested it locally - if you haven't specified to use the TCP stack, a UNIX socket is used by default.

> Are there any dependencies between libvirt and the wireshark dissector mechanism to co-exist and work together (ie. whether the above libvirt-wireshark is missing some changes that the dissector is expecting ??). If you have a sample pcap to recheck my wireshark/tshark, could you please share it with me ?

Sure: https://mprivozn.fedorapeople.org/libvirt.pcap

$ tshark -r libvirt.pcap libvirt | tail -n1
89 29.520014062 ::1 -> ::1 Libvirt 114 Prog=REMOTE Proc=CONNECT_CLOSE Type=REPLY Serial=32 Status=OK

So I can get 89 libvirt packets from the dump.

Michal
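The fields tshark prints for the dissected frame above (Prog, Proc, Type, Serial, Status) are the libvirt RPC message header that the wireshark plugin decodes. The following is an added example, not code from this thread, from libvirt or from the wireshark plugin: a small Python decoder for that framing, to show what the dissector is looking for in a TCP stream and why a capture that contains no such frames yields an empty "libvirt" filter match. The wire layout (a big-endian 32-bit total length that counts itself, followed by six 32-bit fields prog, vers, proc, type, serial, status, then XDR payload), the program number 0x20008086 for REMOTE, and procedure numbers 1 and 2 for CONNECT_OPEN/CONNECT_CLOSE are taken from libvirt's virnetprotocol.x and remote_protocol.x; the 32 MiB maximum frame size used to reject implausible length prefixes is an assumption based on libvirt's VIR_NET_MESSAGE_MAX. The sample stream is constructed in the script, not captured traffic; it reproduces the CONNECT_CLOSE reply with serial 32 seen above.

```python
"""Decode libvirt RPC message headers from a reassembled TCP byte stream.

Added example, not libvirt's or the wireshark plugin's own code.
Wire format (libvirt src/rpc/virnetprotocol.x): a big-endian u32 total
length (including the 4 length bytes) followed by a 24-byte header of six
big-endian 32-bit fields: prog, vers, proc, type, serial, status. The XDR
payload that follows the header is left undecoded here.
"""
import struct

# Values from libvirt's protocol definitions.
REMOTE_PROGRAM = 0x20008086            # remote_protocol.x: REMOTE_PROGRAM
PROGRAMS = {REMOTE_PROGRAM: "REMOTE"}
MSG_TYPES = {0: "CALL", 1: "REPLY", 2: "MESSAGE", 3: "STREAM",
             4: "CALL_WITH_FDS", 5: "REPLY_WITH_FDS", 6: "STREAM_HOLE"}
STATUSES = {0: "OK", 1: "ERROR", 2: "CONTINUE"}
# Only the procedures needed for the sample; the full table is remote_protocol.x.
REMOTE_PROCS = {1: "CONNECT_OPEN", 2: "CONNECT_CLOSE"}

LEN_SIZE = 4
HEADER_SIZE = 24
HEADER = struct.Struct(">IIiIII")      # prog, vers, proc, type, serial, status
# Assumption: libvirt's VIR_NET_MESSAGE_MAX (32 MiB in current releases).
# A larger length prefix is treated as "not libvirt RPC" (or hostile) and
# refused instead of being buffered.
MAX_MESSAGE = 32 * 1024 * 1024


class MalformedMessage(ValueError):
    """Raised when bytes cannot be a well-formed libvirt RPC frame."""


def parse_header(msg: bytes) -> dict:
    """Decode one complete framed message (length prefix included)."""
    if len(msg) < LEN_SIZE + HEADER_SIZE:
        raise MalformedMessage("message shorter than length prefix + header")
    (total,) = struct.unpack(">I", msg[:LEN_SIZE])
    if total != len(msg):
        raise MalformedMessage(f"length prefix {total} != actual {len(msg)}")
    prog, vers, proc, mtype, serial, status = HEADER.unpack_from(msg, LEN_SIZE)
    procs = REMOTE_PROCS if prog == REMOTE_PROGRAM else {}
    return {
        "length": total,
        "prog": PROGRAMS.get(prog, f"0x{prog:08x}"),
        "vers": vers,
        "proc": procs.get(proc, str(proc)),
        "type": MSG_TYPES.get(mtype, str(mtype)),
        "serial": serial,
        "status": STATUSES.get(status, str(status)),
        "payload": msg[LEN_SIZE + HEADER_SIZE:],
    }


def split_stream(data: bytes):
    """Split a reassembled TCP stream into frames.

    Returns (messages, leftover); leftover is a trailing partial frame that
    needs more bytes. A length prefix that cannot be a libvirt frame raises.
    """
    messages = []
    off = 0
    while len(data) - off >= LEN_SIZE:
        (total,) = struct.unpack_from(">I", data, off)
        if total < LEN_SIZE + HEADER_SIZE or total > MAX_MESSAGE:
            raise MalformedMessage(f"implausible frame length {total} at offset {off}")
        if len(data) - off < total:
            break                       # incomplete frame, keep for later
        messages.append(parse_header(data[off:off + total]))
        off += total
    return messages, data[off:]


def build_message(prog, vers, proc, mtype, serial, status, payload=b"") -> bytes:
    """Frame a message the way libvirt does; used to construct the sample."""
    body = HEADER.pack(prog, vers, proc, mtype, serial, status) + payload
    return struct.pack(">I", LEN_SIZE + len(body)) + body


# Constructed sample (not captured traffic): a CONNECT_CLOSE call and its
# reply, the reply matching the last frame in the tshark output above.
SAMPLE_STREAM = (
    build_message(REMOTE_PROGRAM, 1, 2, 0, 32, 0)     # CALL, serial 32
    + build_message(REMOTE_PROGRAM, 1, 2, 1, 32, 0)   # REPLY, serial 32, OK
)


def describe(msg: dict) -> str:
    """Render a header in the shape tshark prints for the libvirt dissector."""
    return (f"Prog={msg['prog']} Proc={msg['proc']} Type={msg['type']} "
            f"Serial={msg['serial']} Status={msg['status']}")


if __name__ == "__main__":
    msgs, rest = split_stream(SAMPLE_STREAM)
    for m in msgs:
        print(describe(m))
```

Two practical checks follow from this. First, the frame length must be sanity-checked before anything is buffered on it: a stream that is not libvirt RPC (or a deliberately bad prefix) otherwise makes a decoder allocate or wait on tens of gigabytes. Second, the wireshark plugin matches on libvirtd's default TCP port, 16509; if libvirtd listens on a different tcp_port, the frames are well-formed but no frame will be labelled Libvirt until the conversation is mapped to the dissector with "Decode As".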

Thank you Michal.

With your pcap, I could confirm that the libvirt dissector worked in my environment as well. Yes, it could be that my pcap does not have libvirt rpc packets correctly, though I would have expected it to. I am checking on it.

Regards,
Gowrishankar

On Thursday 07 January 2016 03:51 PM, Michal Privoznik wrote:

Hi Michal,

By the way, I noticed ipv6 loopback IP addresses in your pcap. As I normally try to capture on the nic where migration is carried out, I thought of checking with you if your wireshark could dissect libvirt RPC in such a pcap too (captured on a nic) ?.

During migration, I do not see any traffic on loopback and I think it is expected, but thinking how you got those captured ?. Any pointers/suggestions ? Appreciating your help.

Regards,
Gowrishankar

On Thursday 07 January 2016 04:48 PM, gowrishankar wrote:

On 20.01.2016 09:49, gowrishankar wrote:
> Hi Michal,
> By the way, I noticed ipv6 loopback IP addresses in your pcap. As I normally try to capture on the nic where migration is carried out, I thought of checking with you if your wireshark could dissect libvirt RPC in such a pcap too (captured on a nic) ?.
>
> During migration, I do not see any traffic on loopback and I think it is expected, but thinking how you got those captured ?. Any pointers/suggestions ? Appreciating your help.

Sure. Usually, when you are connecting locally ("qemu:///system" or "qemu:///session") client and server talk on a unix socket. I forced them to talk via loopback where I had wireshark running by:

1) configuring libvirtd to listen on a network socket too (listen_tcp in libvirtd.conf, passing the --listen argument to the daemon cmdline)
2) connecting to qemu+tcp://localhost/system

Michal
participants (2)
- gowrishankar
- Michal Privoznik