Wireshark Has a New Home

By now you may have seen the press release and announcement about the purchase of CACE Technologies (my as-of-three-and-a-half-seconds-ago former employer) by Riverbed Technology (my new employer). In the announcement to the wireshark-users and wireshark-dev mailing lists I mentioned Riverbed’s commitment to the Wireshark community. I’d like to expand on that a bit.

Wireshark is more than a protocol analyzer. It is the foundation for relationships between several groups of people: the user community, the developer community, Wireshark University (driven by Laura Chappell), and CACE Technologies. Each one is an important part of Wireshark as a whole. We often referred to it as “the ecosystem” at CACE. It is an honor to be a part of it.

The important, wonderful, and rare thing about the ecosystem is that it benefits everyone involved. You can see this in action on Wireshark’s mailing lists, at Laura’s seminars, and at SHARKFEST. It’s something that we worked hard to foster at CACE. What’s even better is that with Riverbed this commitment doesn’t change. Everyone I’ve talked to at Riverbed, from the CEO and CTO on down, is committed to Wireshark and to its community. They realize we have a good thing going and they want to keep it that way.

On a personal level this has been an incredible journey so far. Every day I get to work with the amazing people on the Wireshark development team and at CACE. I also get to interact with the amazing people who make up the Wireshark community. For that I am grateful and I look forward to helping the ecosystem grow and evolve in the coming years.

Announcing ask.wireshark.org

There have been requests over the years for an online forum for Wireshark. I’m not too crazy about traditional forums, particularly for support. You often end up digging through a lot of not-so-useful content to get to the information you’re looking for.

(If you can see where this is going and are impatient, you can go straight to the new support Q&A site now. Otherwise read on.)

Last year Jeff Atwood and Joel Spolsky started Stack Exchange, a collection of question & answer sites including Stack Overflow, Server Fault, and Super User. SE fixes everything that’s wrong with traditional forum software. Useful answers can be voted up by the community, and “hot” questions are listed first.

Stack Exchange is wonderful, but they require you to host your content on their servers. This goes against my control freak sensibilities, so I had to look elsewhere for a solution. I found OSQA. The software is still beta, but it’s quite functional and becoming quite popular.

Here are some of the things you can do with OSQA:

Vote questions and answers up and down

This means that the good stuff floats to the top. Additionally the person who posted the question can select one answer as the best.

Comment on questions and answers

This lets you have a traditional forum-style linear discussion when you need it.

Tag questions

Tags let you categorize questions. For instance the python tag on Stack Overflow will give you all of the Python programming questions.

Earn karma

As you ask questions and provide helpful answers you gain karma points. This lets you do things like…

Edit content

Power users can correct, clarify, or otherwise make helpful changes to things others have posted.

Q&A sites aren’t for everyone. They tend to work best when you have a bunch of helpful, active, and knowledgeable people willing to exchange ideas in a particular field. As luck would have it this describes the Wireshark community to a tee.

Go try it for yourself at http://ask.wireshark.org.

Antivirus Outbreak

Wednesday, August 4, 8:00 AM

We receive a phone call from someone complaining about “Wireshark Antivirus”. I take the call. The person on the other end isn’t able to provide many details other than that a program named “Wireshark Antivirus” is displaying a shield and directing him to the cacetech.com web site.

This is new. We’ve been on the receiving end of a few false positives in the past, but this is new. Some jackass is using our name to do harm.

This will not end well.

Sharkfest ’10 Recap

Sharkfest ’10 ended a week ago today and I’m still reeling. The conference started with a keynote from Van Jacobson and ended with one from Harry Saal, two monumental figures in our industry and very nice people to boot. Attendees traveled from all over the globe, from large companies to single-person operations. The presentations were packed with information and it was great to see how experts tackle packet-level network monitoring and troubleshooting. If you missed out we’re getting the presentations online as fast as we can.


T-Mobile: Clever or Insane?

I recently got an Android phone. After downloading the Android SDK I noticed that my cellular provider (T-Mobile) was doing something odd. According to the netcfg command they’re using 25.0.0.0/8 on their GPRS/EDGE network:

$ netcfg
lo       UP    127.0.0.1       255.0.0.0       0x00000049
dummy0   DOWN  0.0.0.0         0.0.0.0         0x00000082
rmnet0   UP    25.130.205.212  255.255.255.252 0x00001043
rmnet1   DOWN  0.0.0.0         0.0.0.0         0x00001002
rmnet2   DOWN  0.0.0.0         0.0.0.0         0x00001002
sit0     DOWN  0.0.0.0         0.0.0.0         0x00000080
ip6tnl0  DOWN  0.0.0.0         0.0.0.0         0x00000080

T-Mobile doesn’t own that netblock. The UK Ministry of Defence does. Why would they do such a thing? After all, RFC 1918 gives you three whole blocks (10.0.0.0/8, 172.16.0.0/12, and 192.168.0.0/16) to do with as you please. Straying from those on your private network will damn you to an eternity of network flakiness and give your twisted pair cabling scurvy, right?

Why this is clever

According to several BGP looking glasses and figure 5 of Geoff Huston’s IPv4 Address Report, the Ministry of Defence doesn’t advertise any routes for 25.0.0.0/8. That means that none of the 25.x.x.x addresses are being used on the public Internet. If you’re on a private network they’re effectively free for the taking. But still, why aren’t they using the officially-sanctioned RFC 1918 addresses?

My phone also has an 802.11 interface. Let’s take a look at netcfg’s output when I’m connected to T-Mobile’s network and my home network:

$ netcfg
lo       UP    127.0.0.1       255.0.0.0       0x00000049
dummy0   DOWN  0.0.0.0         0.0.0.0         0x00000082
rmnet0   DOWN  25.130.205.212  255.255.255.252 0x00001002
rmnet1   DOWN  0.0.0.0         0.0.0.0         0x00001002
rmnet2   DOWN  0.0.0.0         0.0.0.0         0x00001002
sit0     DOWN  0.0.0.0         0.0.0.0         0x00000080
ip6tnl0  DOWN  0.0.0.0         0.0.0.0         0x00000080
eth0     UP    192.168.25.4    255.255.255.0   0x00001043

See the 192.168.25.4? That could just as easily be 10.0.0.4, 172.18.34.4, or any other RFC 1918 address. On many networks (particularly universities) it could even be a public address. T-Mobile has no way of predicting or controlling what happens on that interface. The 25.0.0.0/8 netblock has the following advantages:

  • It doesn’t overlap with any other network, public or private. Therefore you won’t get any routing confusion when the phone is connected on GPRS/EDGE and WiFi at the same time.
  • It’s not in public use. The next Facebook or Lolcats isn’t going to show up with a 25.x.x.x address, thereby causing routing confusion for your users.
  • Even if the UK MoD is handing out 25.x.x.x addresses over 802.11, they’re way over in the UK. It’s unlikely that my phone will be connected to the MoD and T-Mobile networks at the same time.
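A small check of the overlap argument above, as an added example (this is not code from the post): it parses netcfg-style output like the listings shown here, classifies each UP interface’s address against the RFC 1918 blocks, and reports any two interfaces whose directly attached networks overlap. The netcfg text is constructed from the post’s listings, with the GPRS and Wi-Fi interfaces up at the same time.

```python
import ipaddress

# Constructed sample in the netcfg output format shown in this post:
# rmnet0 (GPRS/EDGE) and eth0 (Wi-Fi) are both UP at once.
NETCFG_SAMPLE = """\
lo       UP    127.0.0.1       255.0.0.0       0x00000049
dummy0   DOWN  0.0.0.0         0.0.0.0         0x00000082
rmnet0   UP    25.130.205.212  255.255.255.252 0x00001043
rmnet1   DOWN  0.0.0.0         0.0.0.0         0x00001002
eth0     UP    192.168.25.4    255.255.255.0   0x00001043
"""

# The three private blocks from RFC 1918.
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def parse_netcfg(text):
    """Return {ifname: IPv4Interface} for interfaces that are UP and configured."""
    ifaces = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 4 or parts[1] != "UP" or parts[2] == "0.0.0.0":
            continue  # skip DOWN or unconfigured interfaces
        name, _, addr, mask = parts[:4]
        # ip_interface accepts a dotted-quad netmask after the slash.
        ifaces[name] = ipaddress.ip_interface(f"{addr}/{mask}")
    return ifaces


def classify(iface):
    """Label an interface address as loopback, rfc1918, or non-rfc1918."""
    addr = iface.ip
    if addr.is_loopback:
        return "loopback"
    if any(addr in net for net in RFC1918):
        return "rfc1918"
    return "non-rfc1918"  # e.g. the 25.x.x.x address T-Mobile hands out


def find_overlaps(ifaces):
    """Pairs of UP interfaces whose attached networks overlap (routing confusion)."""
    names = sorted(ifaces)
    return [(a, b) for i, a in enumerate(names) for b in names[i + 1:]
            if ifaces[a].network.overlaps(ifaces[b].network)]


if __name__ == "__main__":
    found = parse_netcfg(NETCFG_SAMPLE)
    for name, iface in found.items():
        print(f"{name:8} {iface.network!s:22} {classify(iface)}")
    print("overlaps:", find_overlaps(found))
```

Swapping eth0 to a 10.0.0.0/8 address while rmnet0 also sits in 10.x.x.x makes find_overlaps report the pair, which is the collision the 25.0.0.0/8 choice avoids.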

Why this is insane

IPv4 addresses are getting scarce. Who says the MoD won’t turn the 25.0.0.0/8 netblock over to RIPE or IANA next week? Even then my phone has to go through a proxy server on T-Mobile’s network so it’s probably not a huge deal.

Update

Just before publishing this I ran netcfg and my phone was using 14.64.186.160. The 14.0.0.0/8 netblock used to be reserved for public data networks but was allocated to APNIC earlier this month. I wonder what other questionable netblocks they’re using.

Sharkfest ’10 Is Going To Be Awesome

We just finalized the schedule for Sharkfest ’10. This year’s agenda includes:

  • Van Jacobson and Harry Saal, who formed protocol analysis with their bare hands
  • Two, no, three wireless security experts including Mike Kershaw and Thomas D’Otreppe, the creators of Kismet and Aircrack-ng
  • Network security experts including nmap creator Gordon “Fyodor” Lyon
  • Five, no, six, no, many amazing protocol analysis instructors, including Laura Chappell, Betty DuBois, Sean Walberg, and Joe Bardwell
  • Several members of Wireshark’s development team
  • Protocol, network, and application performance experts from Citi, Google, and Intel
  • Lots of other great presenters. See for yourself.

The attendees are amazing and knowledgeable as well.

Tell your boss I said you should go.

The History of Wireshark in 3 minutes

A few days ago, I learned about a cool visualization program called Codeswarm which, surprisingly, is made by a guy who lives in Davis, California, like me. Codeswarm can be fed the logs from a source code repository and produces an animated history of that source code. Soon enough, my weekend project became the creation of a video that would condense the 11+ years of the Wireshark source code into 3 minutes. The result can be seen here: http://www.vimeo.com/9329501.

This entry was posted in Video.

Running Wireshark as You

Running Wireshark on Linux involves an interesting challenge: capturing packets requires root access, but Wireshark is a big program and we strongly recommend against running it with elevated privileges. On Linux it’s common to see Wireshark running as root, but this is nearly unheard of for similarly-sized applications like Firefox and GIMP. How can we avoid running Wireshark as root?

Shark Appliance Preview

Things have been pretty busy at CACE Technologies over the last few months. As a result, we have a nice pipeline of cool products that will hit the market over the course of the next year or so.

A product that we are going to announce very soon is the Shark Appliance. Think about a rack-mountable system that can do long term 24/7 recording of multiple Gigabit links without dropping packets. Now add:

– An extremely slick user interface, based on Pilot, which allows you to remotely navigate across terabytes of data and pinpoint issues in a few mouse clicks.
– Full integration with Wireshark. Not as in “we can save in .pcap so Wireshark can read it”, but as in “highlight a conversation IN THE REMOTE BOX and instantly see the relevant packets in Wireshark ON YOUR LAPTOP”.
– Remote control on multiple appliances from a single console.
– The option to buy the product as a kit: card + OS + software. I find this quite revolutionary, because it will make it possible to configure the hardware (disk type and size, CPU…) for your specific needs, and at the same time save money.

Have a look at http://www.cacetech.com/media/appl_intro/ for some UI nuggets (apologies for the soundtrack, but I like that song). And stay tuned if you want more information.

This entry was posted in Tools.