Detecting Heartbleed Traffic
The big news in the tech industry this week is the Heartbleed Bug, a vulnerability in OpenSSL's TLS heartbeat implementation that affects a large portion of secure web sites on the Internet. I updated the Wireshark and WinPcap web sites on Monday (along with revoking and reissuing certificates) shortly after OS patches were released.
Our web sites are protected going forward, but what about the past? We have a Shark appliance in our environment but that leads to a challenge. We had about 350 GB of HTTPS on our network on Monday alone. This is just slightly too large to load into Wireshark.
Fortunately one of my coworkers (P.J. Malloy) came up with a BPF filter that matches Heartbleed traffic:
http://www.riverbed.com/blogs/Retroactively-detecting-a-prior-Heartbleed-exploitation-from-stored-packets-using-a-BPF-expression.html
Applying this filter directly on the Shark appliance gave me a much smaller number of packets which I could easily analyze in Wireshark. So far I haven’t found anything suspicious.
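The check such a filter encodes, shown here as an added example in Python rather than BPF; this is not the original post's code and not P.J. Malloy's expression. A BPF expression tests fixed byte offsets into the TCP payload, so it can only see a heartbeat record that begins at the start of a segment; the code below instead walks a reassembled TLS record stream, picks out records of content type 0x18 (heartbeat, RFC 6520) and flags any whose declared payload_length plus the mandatory 16 bytes of padding cannot fit inside the record, which is exactly the condition an unpatched OpenSSL failed to check. The sample bytes are constructed for the example.

```python
import struct

# TLS record content type for the heartbeat extension (RFC 6520).
HEARTBEAT = 0x18
HB_REQUEST, HB_RESPONSE = 1, 2
MIN_PADDING = 16  # RFC 6520 section 4: at least 16 bytes of padding


def iter_tls_records(data):
    """Yield (content_type, version, body) for each complete TLS record in
    a byte string. Stops quietly at a truncated record instead of raising."""
    off = 0
    while off + 5 <= len(data):
        ctype, ver, length = struct.unpack("!BHH", data[off:off + 5])
        body = data[off + 5:off + 5 + length]
        if len(body) < length:
            break
        yield ctype, ver, body
        off += 5 + length


def classify_heartbeat(body):
    """Return 'malformed', 'suspicious' or 'ok' for one heartbeat record body.

    A heartbeat message is type(1) | payload_length(2) | payload | padding.
    RFC 6520 says a receiver must discard the message if payload_length is
    too large for the record; Heartbleed is OpenSSL trusting that field."""
    if len(body) < 3:
        return "malformed"
    hb_type, payload_len = struct.unpack("!BH", body[:3])
    if hb_type not in (HB_REQUEST, HB_RESPONSE):
        return "malformed"
    if 3 + payload_len + MIN_PADDING > len(body):
        return "suspicious"
    return "ok"


def find_heartbleed(data):
    """Return [(record_index, tls_version, verdict)] for every heartbeat
    record in the stream; non-heartbeat records are skipped."""
    findings = []
    for i, (ctype, ver, body) in enumerate(iter_tls_records(data)):
        if ctype != HEARTBEAT:
            continue
        findings.append((i, ver, classify_heartbeat(body)))
    return findings


# Constructed sample stream: an application-data record, a well-formed
# heartbeat request (1-byte payload + 16 bytes padding), and a request
# that claims a 65535-byte payload inside a 3-byte record.
APP_DATA = b"\x17\x03\x01\x00\x05hello"
BENIGN_HB = b"\x18\x03\x01\x00\x14" + b"\x01\x00\x01A" + b"\x00" * 16
EVIL_HB = b"\x18\x03\x02\x00\x03" + b"\x01\xff\xff"
SAMPLE = APP_DATA + BENIGN_HB + EVIL_HB

if __name__ == "__main__":
    for idx, ver, verdict in find_heartbleed(SAMPLE):
        print("record %d TLS 0x%04x: %s" % (idx, ver, verdict))
```

Applied to real traffic you would feed it the reassembled TCP payload of each direction of a TLS connection; a "suspicious" request from the client side is the attack, and any matching response larger than the request is the evidence that memory actually leaked.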
We’re switching to Qt.
Categories:
Announcement
Today I released the next development version of Wireshark, 1.11.0. This marks a major change in the direction of the project. We’re switching our user interface library from GTK+ to Qt. Both libraries make it easy for developers to write applications that will run on different platforms without having to rewrite a lot of code. GTK+ has had a huge impact on the way Wireshark looks and feels and on its popularity, but it doesn’t cover our supported platforms as effectively as it should, and the situation is getting worse as time goes on.
Making such a large change wasn’t an easy decision. It means rewriting thousands of lines of code and requires a lot of careful design. We might be the largest standalone application to make this transition (feel free to correct me below). However, I think it’s well worth it and that it’s important to the long-term direction of the project. Ultimately it came down to one thing:
Wireshark’s job is to show you what’s happening on your network. If it can’t run on your system then it’s not doing that job.
Wireshark Tutorial Series #2. Tips and tricks used by insiders and veterans
Categories:
Uncategorized
Yes, I know it’s been a while since tip #1 video (https://blog.wireshark.org/2012/10/wireshark-tutorial-series/?utm_source=rss&utm_medium=rss&utm_campaign=wireshark-tutorial-series) and this one. Judging by the number of views and comments, it is helping. So keep me honest by reminding me to post more often!
In this short video (http://www.youtube.com/watch?v=aIiosBw2YH4), I discuss the dangers of using default values without fully understanding what the consequences are. At Sharkfest 2013, Christian Landström gave an excellent session on the reassembly feature of Wireshark. Unfortunately, it wasn’t recorded and I wanted to convey the message. The PDF of his excellent session can be found here: http://tinyurl.com/lko37zb
Enjoy!
Hansang Bae
Comments
Comment by juanmapalad on 2013-08-24 07:05:30 +0000
Hi,
I have some issue on Wireshark, you can view it from here:
https://learningnetwork.cisco.com/thread/60209?tstart=0
.. can I ask for help? Thanks
Comment by Gerald Combs on 2013-08-24 09:37:43 +0000
The best places to ask for help about Wireshark are the Q & A site and the wireshark-users mailing list.
Comment by Bolee on 2013-08-28 09:21:21 +0000
Not many take the trouble to take notes of a meeting to upload online for others, so thank you firstly Hansang for doing so.