.. _protocol_setup_wireshark_udpdump:

=================
Wireshark Udpdump
=================

See `udpdump(1)`_ for an introduction.

.. _udpdump(1): https://www.wireshark.org/docs/man-pages/udpdump.html

Protocol
--------

Data structure: `exported_pdu_tlvs`_

Dissector Code: `exported_pdu`_

.. _exported_pdu_tlvs: https://github.com/wireshark/wireshark/blob/master/wsutil/exported_pdu_tlvs.h
.. _exported_pdu: https://github.com/wireshark/wireshark/blob/master/epan/dissectors/packet-exported_pdu.c

Wireshark GUI
-------------

Steps to capture:

- Select the *UDP Listener remote capture* line in the Wireshark main GUI.
- Click the *setting* button at the beginning of that line.
- Set payload type to **exported_pdu**.
- Set listen port to whatever you want, and click *save*.
- Double click the *UDP Listener remote capture* line to start the capture.

Tshark CLI
----------

Doc: `extcap-preference`_.

.. _extcap-preference: https://tshark.dev/capture/sources/extcap_interfaces/#extcap-preferences

Example:

.. code-block:: shell

   tshark -i udpdump -o extcap.udpdump.payload:exported_pdu -o extcap.udpdump.port:5555 <...>

Packet Layout
-------------

You will see three exported_pdu frames for each packet in the saved capture file.

The first frame is added by `udpdump`. It will contain:

- UDP Socket Address of g3proxy

  The src ip may be in tag `EXP_PDU_TAG_IPV4_SRC` or `EXP_PDU_TAG_IPV6_SRC`.
  The src port will be in tag `EXP_PDU_TAG_SRC_PORT`.

- UDP Socket Address of udpdump

  The dst ip may be in tag `EXP_PDU_TAG_IPV4_DST` or `EXP_PDU_TAG_IPV6_DST`.
  The dst port will be in tag `EXP_PDU_TAG_DST_PORT`.

The second frame is generated by `g3proxy`. It will contain:

- Socket Address

  The address used here will include:

  * client socket address for the client connection
  * server socket address for the client connection

  The src ip may be in tag `EXP_PDU_TAG_IPV4_SRC` or `EXP_PDU_TAG_IPV6_SRC`.
  The src port will be in tag `EXP_PDU_TAG_SRC_PORT`.
  The dst ip may be in tag `EXP_PDU_TAG_IPV4_DST` or `EXP_PDU_TAG_IPV6_DST`.
  The dst port will be in tag `EXP_PDU_TAG_DST_PORT`.

The third frame is generated by `g3proxy`. It will contain:

- Socket Address

  The address used here will include:

  * client socket address for the remote connection
  * server socket address for the remote connection

  The src ip may be in tag `EXP_PDU_TAG_IPV4_SRC` or `EXP_PDU_TAG_IPV6_SRC`.
  The src port will be in tag `EXP_PDU_TAG_SRC_PORT`.
  The dst ip may be in tag `EXP_PDU_TAG_IPV4_DST` or `EXP_PDU_TAG_IPV6_DST`.
  The dst port will be in tag `EXP_PDU_TAG_DST_PORT`.

- Port Type

  It will be in tag `EXP_PDU_TAG_PORT_TYPE`, and the value will be EXP_PDU_PT_TCP for stream based connections.

To identify a unique stream, you need to use all of the following values:

- src ip + src port in the first frame
- src ip + src port + dst ip + dst port + port type in the second frame
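
The following Python sketch is an added example, not code from g3proxy or Wireshark. It decodes the exported_pdu TLV headers described above and builds the stream-identifying tuple from them. It assumes the three headers sit back to back in one record and are chained by a dissector-name tag of ``exported_pdu``; the sample record, its addresses and the final ``http`` dissector name are constructed, and the tag numbers are those of the `exported_pdu_tlvs`_ header.

```python
import ipaddress
import struct

TAG_END, TAG_DISSECTOR_NAME, EXP_PDU_PT_TCP = 0, 12, 2  # wsutil/exported_pdu_tlvs.h
IP_TAGS = {20: "src_ip", 21: "dst_ip", 22: "src_ip", 23: "dst_ip"}  # IPv4 and IPv6
INT_TAGS = {24: "port_type", 25: "src_port", 26: "dst_port"}  # 4-byte big-endian

def parse_header(buf, off=0):
    """Decode one exported_pdu TLV header; return (fields, offset after it)."""
    fields = {}
    while off + 4 <= len(buf):
        tag, length = struct.unpack_from(">HH", buf, off)
        val, off = buf[off + 4:off + 4 + length], off + 4 + length
        if tag == TAG_END:
            return fields, off
        if len(val) != length:
            raise ValueError("TLV length exceeds record")
        if tag in IP_TAGS:
            fields[IP_TAGS[tag]] = str(ipaddress.ip_address(val))
        elif tag in INT_TAGS and length == 4:
            fields[INT_TAGS[tag]] = struct.unpack(">I", val)[0]
        elif tag == TAG_DISSECTOR_NAME:
            fields["dissector"] = val.rstrip(b"\0").decode("ascii", "replace")
    raise ValueError("record ended before END_OF_OPT")

def split_frames(record):
    """Walk nested exported_pdu headers; return (fields per frame, payload)."""
    frames, off = [], 0
    while True:
        fields, off = parse_header(record, off)
        frames.append(fields)
        if fields.get("dissector") != "exported_pdu":
            return frames, record[off:]

def stream_key(frames):
    """Tuple of the values the page lists for identifying a stream."""
    # Assumption: read the port type from whichever g3proxy frame carries it.
    pt = next((f["port_type"] for f in frames[1:] if "port_type" in f), None)
    return (frames[0]["src_ip"], frames[0]["src_port"],
            *(frames[1][k] for k in ("src_ip", "src_port", "dst_ip", "dst_port")), pt)

def _hdr(name, src, sport, dst, dport, pt=None):  # builds the constructed sample
    t = lambda tag, v: struct.pack(">HH", tag, len(v)) + v
    ip, u32 = (lambda s: ipaddress.ip_address(s).packed), (lambda n: struct.pack(">I", n))
    body = t(12, name) + t(20, ip(src)) + t(25, u32(sport)) + t(21, ip(dst)) + t(26, u32(dport))
    return body + (t(24, u32(pt)) if pt is not None else b"") + t(0, b"")

SAMPLE = (_hdr(b"exported_pdu", "192.0.2.10", 40000, "192.0.2.20", 5555)
          + _hdr(b"exported_pdu", "198.51.100.7", 51234, "192.0.2.10", 8080)
          + _hdr(b"http", "192.0.2.10", 45678, "203.0.113.5", 443, EXP_PDU_PT_TCP) + b"GET /")
```

A record that ends before the end-of-options tag, or whose TLV length runs past the buffer, raises ``ValueError`` instead of yielding a partial key.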