Wireshark Udpdump

See udpdump(1) for an introduction to the tool.

Protocol

Data structure: exported_pdu_tlvs

Dissector Code: exported_pdu

Wireshark GUI

Steps to capture:

  • Select the "UDP Listener remote capture" line in the Wireshark main GUI.

  • Click the settings (gear) button at the beginning of that line.

  • Set the payload type to exported_pdu.

  • Set the listen port to whatever you want, and click Save.

  • Double-click the "UDP Listener remote capture" line to start the capture.

Tshark CLI

Doc: extcap-preference.

Example:

tshark -i udpdump -o extcap.udpdump.payload:exported_pdu -o extcap.udpdump.port:5555 <...>

Packet Layout

You will see three exported_pdu frames for each packet in the saved capture file, nested one inside the next: the payload of each frame is the next frame.

The first frame is added by udpdump and contains:

  • UDP Socket Address of g3proxy

    The src ip may be in tag EXP_PDU_TAG_IPV4_SRC or EXP_PDU_TAG_IPV6_SRC. The src port will be in tag EXP_PDU_TAG_SRC_PORT.

  • UDP Socket Address of udpdump

    The dst ip may be in tag EXP_PDU_TAG_IPV4_DST or EXP_PDU_TAG_IPV6_DST. The dst port will be in tag EXP_PDU_TAG_DST_PORT.

The second frame is generated by g3proxy and contains:

  • Socket Address

    The address used here will include:

    • client socket address for the client connection

    • server socket address for the client connection

    The src ip may be in tag EXP_PDU_TAG_IPV4_SRC or EXP_PDU_TAG_IPV6_SRC. The src port will be in tag EXP_PDU_TAG_SRC_PORT. The dst ip may be in tag EXP_PDU_TAG_IPV4_DST or EXP_PDU_TAG_IPV6_DST. The dst port will be in tag EXP_PDU_TAG_DST_PORT.

The third frame is generated by g3proxy and contains:

  • Socket Address

    The address used here will include:

    • client socket address for the remote connection

    • server socket address for the remote connection

    The src ip may be in tag EXP_PDU_TAG_IPV4_SRC or EXP_PDU_TAG_IPV6_SRC. The src port will be in tag EXP_PDU_TAG_SRC_PORT. The dst ip may be in tag EXP_PDU_TAG_IPV4_DST or EXP_PDU_TAG_IPV6_DST. The dst port will be in tag EXP_PDU_TAG_DST_PORT.

  • Port Type

    It will be in tag EXP_PDU_TAG_PORT_TYPE, and the value will be EXP_PDU_PT_TCP for stream based connections.

To identify a unique stream, you need to use all of the following values:

  • src ip + src port in the first frame

  • src ip + src port + dst ip + dst port in the second frame, together with the port type
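The following is an added example, not code from g3proxy or Wireshark, that parses the TLV layout described in the Protocol and Packet Layout sections: it walks the three nested exported_pdu frames of one udpdump datagram, decodes the socket address tags of each frame, and derives the stream key listed above. Tag numbers are those of Wireshark's wsutil/exported_pdu_tlvs.h. It assumes that each outer frame chains to the next through an EXP_PDU_TAG_PROTO_NAME of "exported_pdu" (what udpdump does for the payload type set above; for g3proxy's own frames this is an assumption) and that the innermost frame names the application protocol the same way. The sample datagram, its addresses and its HTTP payload are constructed for the example and are not a real capture.

```python
"""Walk the stacked exported_pdu headers in one udpdump datagram of g3proxy output.

Added example for this page; not g3proxy or Wireshark code. Tag numbers follow
wsutil/exported_pdu_tlvs.h. How one frame chains to the next (PROTO_NAME =
"exported_pdu") is assumed for the g3proxy-generated frames.
"""
import ipaddress
import struct

EXP_PDU_TAG_END_OF_OPT = 0
EXP_PDU_TAG_PROTO_NAME = 12
EXP_PDU_TAG_IPV4_SRC = 20
EXP_PDU_TAG_IPV4_DST = 21
EXP_PDU_TAG_IPV6_SRC = 22
EXP_PDU_TAG_IPV6_DST = 23
EXP_PDU_TAG_PORT_TYPE = 24
EXP_PDU_TAG_SRC_PORT = 25
EXP_PDU_TAG_DST_PORT = 26
EXP_PDU_PT_TCP = 2
PORT_TYPE_NAMES = {EXP_PDU_PT_TCP: "tcp"}


def parse_layer(buf):
    """Split one exported_pdu header into ({tag: value}, payload).

    Each TLV is a big-endian 16-bit tag, 16-bit length and the value; the
    header ends at the end-of-options TLV (tag 0) and everything after it is
    the payload. Truncated headers and lengths that run past the buffer are
    rejected rather than silently producing a short value.
    """
    tags, off = {}, 0
    while True:
        if off + 4 > len(buf):
            raise ValueError("truncated exported_pdu header")
        tag, length = struct.unpack_from("!HH", buf, off)
        off += 4
        if off + length > len(buf):
            raise ValueError(f"tag {tag}: length {length} runs past the buffer")
        value = buf[off:off + length]
        off += length
        if tag == EXP_PDU_TAG_END_OF_OPT:
            return tags, buf[off:]
        tags[tag] = value


def socket_addrs(tags):
    """Return (src_ip, src_port, dst_ip, dst_port); a missing tag yields None."""
    def ip(v4_tag, v6_tag):
        raw = tags.get(v4_tag) or tags.get(v6_tag)  # 4 or 16 packed bytes
        return str(ipaddress.ip_address(raw)) if raw else None

    def port(tag):
        raw = tags.get(tag)
        return struct.unpack("!I", raw)[0] if raw else None  # ports are 32-bit on the wire

    return (ip(EXP_PDU_TAG_IPV4_SRC, EXP_PDU_TAG_IPV6_SRC), port(EXP_PDU_TAG_SRC_PORT),
            ip(EXP_PDU_TAG_IPV4_DST, EXP_PDU_TAG_IPV6_DST), port(EXP_PDU_TAG_DST_PORT))


def walk_layers(datagram):
    """Follow the chain of exported_pdu frames; return (layers, innermost_proto, payload)."""
    layers, buf = [], datagram
    while True:
        tags, payload = parse_layer(buf)
        layers.append(tags)
        proto = tags.get(EXP_PDU_TAG_PROTO_NAME, b"").rstrip(b"\0").decode("ascii", "replace")
        if proto != "exported_pdu":  # assumed chaining convention, see lead-in
            return layers, proto, payload
        buf = payload


def stream_key(layers):
    """Stream identity as described above: (src ip, src port) of the first frame
    plus the client-connection 4-tuple of the second frame plus the port type
    (read from whichever later frame carries EXP_PDU_TAG_PORT_TYPE)."""
    if len(layers) < 2:
        raise ValueError("expected at least two exported_pdu layers")
    src_ip, src_port, _, _ = socket_addrs(layers[0])
    c_src, c_sport, c_dst, c_dport = socket_addrs(layers[1])
    port_type = None
    for tags in layers[1:]:
        if EXP_PDU_TAG_PORT_TYPE in tags:
            port_type = struct.unpack("!I", tags[EXP_PDU_TAG_PORT_TYPE])[0]
            break
    return (src_ip, src_port, c_src, c_sport, c_dst, c_dport,
            PORT_TYPE_NAMES.get(port_type, port_type))


def _tlv(tag, value):
    return struct.pack("!HH", tag, len(value)) + value


def build_layer(src, dst, proto_name, port_type=None, payload=b""):
    """Encode one exported_pdu header around payload (helper for the sample below)."""
    s, d = ipaddress.ip_address(src[0]), ipaddress.ip_address(dst[0])
    out = _tlv(EXP_PDU_TAG_PROTO_NAME, proto_name.encode())
    out += _tlv(EXP_PDU_TAG_IPV4_SRC if s.version == 4 else EXP_PDU_TAG_IPV6_SRC, s.packed)
    out += _tlv(EXP_PDU_TAG_SRC_PORT, struct.pack("!I", src[1]))
    out += _tlv(EXP_PDU_TAG_IPV4_DST if d.version == 4 else EXP_PDU_TAG_IPV6_DST, d.packed)
    out += _tlv(EXP_PDU_TAG_DST_PORT, struct.pack("!I", dst[1]))
    if port_type is not None:
        out += _tlv(EXP_PDU_TAG_PORT_TYPE, struct.pack("!I", port_type))
    return out + _tlv(EXP_PDU_TAG_END_OF_OPT, b"") + payload


# Constructed sample (not a real capture): udpdump on 192.0.2.20:5555 wraps the
# datagram it received from g3proxy at 192.0.2.10:40000; g3proxy's two frames
# carry the client connection (IPv4) and the remote connection (IPv6, TCP).
SAMPLE = build_layer(("192.0.2.10", 40000), ("192.0.2.20", 5555), "exported_pdu",
    payload=build_layer(("198.51.100.7", 51234), ("192.0.2.10", 3128), "exported_pdu",
        payload=build_layer(("2001:db8::10", 50000), ("2001:db8::1", 80), "http",
            port_type=EXP_PDU_PT_TCP, payload=b"GET / HTTP/1.1\r\n\r\n")))

if __name__ == "__main__":
    frames, proto, body = walk_layers(SAMPLE)
    print(len(frames), "frames, innermost proto", proto, "payload", body)
    print("stream key:", stream_key(frames))
```

The length checks in parse_layer matter when the listener port is reachable from untrusted hosts: anything that can send UDP to the udpdump port can feed it arbitrary TLVs, so a consumer of these datagrams should never trust a tag length over the buffer size.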