Wireshark 4.0 Issues #1
Comments
Hello Heath. This was something I have been meaning to fix. I strictly control the profile(s) content for your, and everyone else's security. Let me know which profiles you find to need updating in case I miss them. Re: updating, if you take one of these profiles and modify them, then I update, there is no real way to merge (like code) the versions gracefully. I wish there was. If you can think of something let me know. If you do not modify my profile content, then you just delete and replace the profile with the newer version. |
A few items come to mind. Because the underlying profiles, dfilters, etc. are all text files, we could place all of them in plain text in the GitHub repository. We could utilize something like a GitHub Actions workflow to scan or review (there are tools like Prisma, CodeQL, and probably some open source scanner tools), then 'package' them into zip files as a build step with a calculated checksum for validation. I believe the packaging part can also be done as a release and tag, and we could have 'versioned' copies. |
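A sketch of the packaging step proposed in that comment, as an added example that is not code from the repository or from either commenter: each profile directory is zipped with a pinned timestamp, sorted entry order and fixed file mode so that two builds of an unchanged tree produce byte-identical archives, a sha256sum-compatible SHA256SUMS is written next to the zips, and a verify step recomputes the digests, which is what a release job or a user would run before importing a profile. The profile names and dfilters contents inside demo() are constructed for the example.

```python
import hashlib
import hmac
import io
import tempfile
import zipfile
from pathlib import Path

# ZIP's epoch; pinned so a rebuild of an unchanged profile yields a byte-identical archive
FIXED_TIME = (1980, 1, 1, 0, 0, 0)


def pack_profile(profile_dir: Path, out_zip: Path) -> str:
    """Zip one profile directory as <name>/<file>... and return the archive's SHA-256."""
    files = sorted(p for p in profile_dir.rglob("*") if p.is_file())  # fixed entry order
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for p in files:
            arcname = f"{profile_dir.name}/{p.relative_to(profile_dir).as_posix()}"
            info = zipfile.ZipInfo(arcname, date_time=FIXED_TIME)
            info.compress_type = zipfile.ZIP_DEFLATED
            info.external_attr = 0o644 << 16  # plain file mode, not the build host's umask
            zf.writestr(info, p.read_bytes())
    data = buf.getvalue()
    out_zip.write_bytes(data)
    return hashlib.sha256(data).hexdigest()


def write_checksums(digests: dict, sums_path: Path) -> None:
    """Write a sha256sum-compatible manifest ('<hex>  <file>' per line)."""
    sums_path.write_text("".join(f"{h}  {name}\n" for name, h in sorted(digests.items())))


def verify_checksums(sums_path: Path) -> list:
    """Return the names whose on-disk digest does not match the manifest (empty = all good)."""
    bad = []
    for line in sums_path.read_text().splitlines():
        expected, _, name = line.partition("  ")
        target = sums_path.parent / name
        if not target.is_file():          # a missing asset is a failure, not a skip
            bad.append(name)
            continue
        actual = hashlib.sha256(target.read_bytes()).hexdigest()
        if not hmac.compare_digest(expected, actual):
            bad.append(name)
    return bad


def demo() -> dict:
    """Constructed sample: two tiny profiles, built twice, then one archive tampered with."""
    with tempfile.TemporaryDirectory() as tmp:
        src, dist = Path(tmp, "profiles"), Path(tmp, "dist")
        for name, dfilter in (
            ("DNS", '"Not A or AAAA" dns and not dns.qry.type in {1, 28}\n'),
            ("TLS", '"TLS 443 or 4430-4434" tcp.port in {443, 4430..4434}\n'),
        ):
            (src / name).mkdir(parents=True)
            (src / name / "dfilters").write_text(dfilter)
        dist.mkdir()

        def build():
            return {f"{d.name}.zip": pack_profile(d, dist / f"{d.name}.zip")
                    for d in sorted(src.iterdir())}

        first, second = build(), build()
        write_checksums(first, dist / "SHA256SUMS")
        clean = verify_checksums(dist / "SHA256SUMS")
        with zipfile.ZipFile(dist / "TLS.zip", "a") as zf:  # simulate a tampered release asset
            zf.writestr("TLS/extra.lua", "-- injected")
        return {"reproducible": first == second,
                "clean": clean,
                "tampered": verify_checksums(dist / "SHA256SUMS"),
                "profiles": sorted(first)}
```

In a workflow the same three functions would run after the scanning step, with SHA256SUMS uploaded to the release alongside the zips. A checksum file published in the same place as the artifact only proves the download matches what the job produced; if the concern is someone altering the release itself, the job should also sign the manifest with a key that does not live in the repository.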
Here are the 4.0 ones I ran into with the https://github.com/heathdbrown/wireshark_profiles/tree/plaintext branch:

Get-ChildItem -Recurse ./ | Select-String -Pattern "{[0-9]{1,}\s+[0-9]{1,}?"

ARP\ARP\dfilters:17:"Non-HTTP and non-SMTP to/from 192.0.2.1" ip.addr == 192.0.2.1 and not tcp.port in {80 25}
Better Default\Better Default\dfilters:18:"Non-HTTP and non-SMTP to/from 192.0.2.1" ip.addr == 192.0.2.1 and not tcp.port in {80 25}
Better Default + Packet Diagram\Better Default + Packet Diagram\dfilters:18:"Non-HTTP and non-SMTP to/from 192.0.2.1" ip.addr == 192.0.2.1 and not tcp.port in {80 25}
Better Default with Redaction\Better Default with Redaction\dfilters:18:"Non-HTTP and non-SMTP to/from 192.0.2.1" ip.addr == 192.0.2.1 and not tcp.port in {80 25}
Better TCP Default\Better TCP Default\dfilters:2:"Display TCP Port 443 or 4430 or 4434" tcp.port in {443 4430..4434}
Better TCP Default\Better TCP Default\dfilter_buttons:16:"TRUE","TCP Reset//Reset Response to SYN","tcp.flags.reset==1 and tcp.seq in {0 1} and tcp.ack in {0 1}","Resets for Syn"
Better TCP Default IPv6\Better TCP Default IPv6\dfilters:3:"Display TCP Port 443 or 4430 or 4434" tcp.port in {443 4430..4434}
Better TCP Default IPv6\Better TCP Default IPv6\dfilter_buttons:16:"TRUE","TCP Reset//Reset Response to SYN","tcp.flags.reset==1 and tcp.seq in {0 1} and tcp.ack in {0 1}","Resets for Syn"
DHCPv4\DHCPv4\dfilters:28:"Non-HTTP and non-SMTP to/from 192.0.2.1" ip.addr == 192.0.2.1 and not tcp.port in {80 25}
DNS\DNS\dfilters:17:"Non-HTTP and non-SMTP to/from 192.0.2.1" ip.addr == 192.0.2.1 and not tcp.port in {80 25}
DNS\DNS\dfilter_buttons:20:"TRUE","DNS Query//Not A or AAAA","dns and not dns.qry.type in {1 28}","Show me any requests other than A IPv4 or AAAA IPv6"
DNS\DNS\dfilter_buttons:26:"TRUE","DNS Query//Zone//Zone Transfer","dns.qry.type in {251 252} or dns.flags.opcode eq 4","Show me Zone Transfer - Incremental or All Records"
GQUIC\GQUIC\dfilters:17:"Non-HTTP and non-SMTP to/from 192.0.2.1" ip.addr == 192.0.2.1 and not tcp.port in {80 25}
GRE Tunnels\GRE Tunnels\dfilters:18:"Non-HTTP and non-SMTP to/from 192.0.2.1" ip.addr == 192.0.2.1 and not tcp.port in {80 25}
GVSP\GVSP\dfilters:19:"Non-HTTP and non-SMTP to/from 192.0.2.1" ip.addr == 192.0.2.1 and not tcp.port in {80 25}
HTTP\HTTP\dfilters:17:"Non-HTTP and non-SMTP to/from 192.0.2.1" ip.addr == 192.0.2.1 and not tcp.port in {80 25}
HTTPS and TLS\HTTPS and TLS\dfilters:16:"Non-HTTP and non-SMTP to/from 192.0.2.1" ip.addr == 192.0.2.1 and not tcp.port in {80 25}
HTTPS and TLS\HTTPS and TLS\dfilters:24:"Non-HTTP and non-SMTP to/from 192.0.2.1" ip.addr == 192.0.2.1 and not tcp.port in {80 25}
HTTPS and TLS\HTTPS and TLS\dfilter_buttons:2:"TRUE","Possible Std Web Traffic","tcp.port in {80 8080 8088 443 9333 8443}","Show me the possible standard Web Traffic"
HTTPS and TLS\HTTPS and TLS\dfilter_buttons:19:"TRUE","TLS//TLS Handshake","tls.record.content_type in {22 20}","Show me the TLS Handshake messages"
HTTPS and TLS\HTTPS and TLS\dfilter_buttons:20:"TRUE","TLS//TLS < 1.2","tls.handshake.type in {1 2} and tls.handshake.version in {0x0100 0x0200 0x0300 0x0301 0x0302}","Versions SSL 1.0 - 3.0 or TLS 1.0 or 1.1"
HTTPS and TLS\HTTPS and TLS\dfilter_buttons:21:"TRUE","TLS//Client|Server Hello","tls.handshake.type in {1 2}","Show me the Client/Server Hellos"
IETFQUIC\IETFQUIC\dfilters:17:"Non-HTTP and non-SMTP to/from 192.0.2.1" ip.addr == 192.0.2.1 and not tcp.port in {80 25}
IPv4 Default\IPv4 Default\dfilters:14:"Non-HTTP and non-SMTP to/from 192.0.2.1" ip.addr == 192.0.2.1 and not tcp.port in {80 25}
iSCSI\ISCSI\dfilters:18:"Non-HTTP and non-SMTP to/from 192.0.2.1" ip.addr == 192.0.2.1 and not tcp.port in {80 25}
L2 Ethernet\L2 Ethernet\dfilters:18:"Non-HTTP and non-SMTP to/from 192.0.2.1" ip.addr == 192.0.2.1 and not tcp.port in {80 25}
L2 RoCE\L2 RoCE\dfilters:18:"Non-HTTP and non-SMTP to/from 192.0.2.1" ip.addr == 192.0.2.1 and not tcp.port in {80 25}
NetSci SDP\NetSci SDP\dfilters:17:"Non-HTTP and non-SMTP to/from 192.0.2.1" ip.addr == 192.0.2.1 and not tcp.port in {80 25}
NetSci SIP\NetSci SIP\dfilters:17:"Non-HTTP and non-SMTP to/from 192.0.2.1" ip.addr == 192.0.2.1 and not tcp.port in {80 25}
NetSci-RTCP\NetSci-RTCP\dfilters:17:"Non-HTTP and non-SMTP to/from 192.0.2.1" ip.addr == 192.0.2.1 and not tcp.port in {80 25}
NetSci-RTP\NetSci-RTP\dfilters:17:"Non-HTTP and non-SMTP to/from 192.0.2.1" ip.addr == 192.0.2.1 and not tcp.port in {80 25}
NetSci-VoIP-QoS\NetSci-VoIP-QoS\dfilters:17:"Non-HTTP and non-SMTP to/from 192.0.2.1" ip.addr == 192.0.2.1 and not tcp.port in {80 25}
NVMe-oF\NVMe-oF\dfilters:18:"Non-HTTP and non-SMTP to/from 192.0.2.1" ip.addr == 192.0.2.1 and not tcp.port in {80 25}
OpenFlow\OpenFlow\dfilters:17:"Non-HTTP and non-SMTP to/from 192.0.2.1" ip.addr == 192.0.2.1 and not tcp.port in {80 25}
QUIC\QUIC\dfilters:17:"Non-HTTP and non-SMTP to/from 192.0.2.1" ip.addr == 192.0.2.1 and not tcp.port in {80 25}
Simple TCP\Simple TCP\dfilters:17:"Non-HTTP and non-SMTP to/from 192.0.2.1" ip.addr == 192.0.2.1 and not tcp.port in {80 25}
SMB\SMB\dfilters:17:"Non-HTTP and non-SMTP to/from 192.0.2.1" ip.addr == 192.0.2.1 and not tcp.port in {80 25}
TFTP Packet Diagram\TFTP Packet Diagram\dfilters:35:"Non-HTTP and non-SMTP to/from 192.0.2.1" ip.addr == 192.0.2.1 and not tcp.port in {80 25}
TLS\TLS\dfilters:3:"Display TCP Port 443 or 4430 or 4434" tcp.port in {443 4430..4434}
TLS\TLS\dfilter_buttons:5:"TRUE","TLS//TLS Handshake","tls.record.content_type in {22 20}","Show me the TLS Handshake messages"
TLS\TLS\dfilter_buttons:6:"TRUE","TLS//TLS < 1.2","tls.handshake.type in {1 2} and tls.handshake.version in {0x0100 0x0200 0x0300 0x0301 0x0302}","Versions SSL 1.0 - 3.0 or TLS 1.0 or 1.1"
TLS\TLS\dfilter_buttons:7:"TRUE","TLS//Client|Server Hello","tls.handshake.type in {1 2}","Show me the Client/Server Hellos"
TLS\TLS\dfilter_buttons:25:"TRUE","Possible Std Web Traffic","tcp.port in {80 8080 8088 443 9333 8443}","Show me the possible standard Web Traffic"
Video\Video\dfilters:19:"Non-HTTP and non-SMTP to/from 192.0.2.1" ip.addr == 192.0.2.1 and not tcp.port in {80 25} |
The branch with the 4.0 ranges: https://github.com/heathdbrown/wireshark_profiles/tree/plaintext-4-range-changes
I did notice that when I created the extracted branch it looks like I did not have the LF, CRLF replacement turned on / off, so there may be additional spaces. |
Hi Heath, not ignoring, just have been busy. Ah, I see, you have extracted all the text files. But once corrected, we need to zip them up for ease of use - people can then simply import the profile on their system. Plus, it adds security that the ZIP file is controlled in one place. Just a thought. |
All the profiles are fixed.
Hopefully!
On Fri, Sep 8, 2023 at 10:23 PM Heath Brown wrote:
The branch with the 4.0 ranges: https://github.com/heathdbrown/wireshark_profiles/tree/plaintext-4-range-changes
I did notice that when I created the extracted branch it looks like I did not have the LF, CRLF replacement turned on / off, so there may be additional spaces.
--
Best Regards,
Andy Walding
|
So the issue can be closed? |
Thanks for providing the Wireshark profiles.
I noticed after an upgrade to Wireshark 4.0.8 there are a few minor tweaks that need to be performed to make these work in the new version.
80 443 8080

The old style in 3.0 was to just have spaces; in 4.0 they changed to ',' comma separated:

80, 443, 8080

I am sure there are other minor tweaks. Due to these being in 'zip' format, merging the updates will be difficult vs. plain text.
How do you propose to obtain the new updates or how would you like them given back with updates?
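The conversion this issue is about, as an added example that is not code from the repository or from either poster: a Python script that does what the Select-String check in the comments only detects, rewriting {80 25} to {80, 25}, keeping 443 4430..4434 as a range, leaving anything inside a quoted string alone (a space or brace inside "..." is data, not a separator), and passing already converted lines through unchanged, so it can be re-run safely. It also keeps each line's existing CR or CRLF ending, which matters given the line-ending mix noted in the thread. Two assumptions: dfilters lines have the form "Name" expression, and dfilter_buttons records are UAT rows of the form "enabled","label","expression","comment" in which Wireshark writes embedded double quotes and backslashes as \xNN escapes; the GET/HEAD button line in the comments is constructed on that basis, so check it against a line from your own file.

```python
import re
from pathlib import Path

_UAT_ESC = re.compile(rb"\\(?:x([0-9A-Fa-f]{2})|(.))", re.S)
_DFILTER_LINE = re.compile(r'^("[^"]*")(\s*)(.*)$')   # "Name" expression
_UAT_FIELD = re.compile(r'"([^"]*)"')                  # "enabled","label","expr","comment"


def uat_unescape(field: str) -> str:
    """Undo the \\xNN byte escapes the UAT writer uses for '"', '\\' and non-printables (assumed)."""
    def repl(m):
        if m.group(1) is not None:
            return bytes([int(m.group(1), 16)])
        return {b"n": b"\n", b"t": b"\t", b"r": b"\r"}.get(m.group(2), m.group(2))
    return _UAT_ESC.sub(repl, field.encode("utf-8")).decode("utf-8", errors="replace")


def uat_escape(text: str) -> str:
    """Re-apply UAT escaping so the rewritten expression is stored the way it was read."""
    return "".join("\\x%02x" % b if b in (0x22, 0x5C) or not 0x20 <= b <= 0x7E else chr(b)
                   for b in text.encode("utf-8"))


def rewrite_sets(expr: str) -> str:
    """Rewrite every {...} set in a display filter to the 4.0 comma-separated form.

    Literals are copied verbatim, 'a .. b' and 'a..b' both become 'a..b', and an
    already converted filter comes back unchanged (the function is idempotent).
    """
    out, members, cur, in_set = [], [], [], False
    i, n = 0, len(expr)
    while i < n:
        c = expr[i]
        if c in "\"'":                                    # literal: copy through closing quote
            j = i + 1
            while j < n and expr[j] != c:
                j += 2 if expr[j] == "\\" else 1
            (cur if in_set else out).append(expr[i:j + 1])
            i = j + 1
        elif not in_set:
            if c == "{":
                in_set, members, cur = True, [], []
            else:
                out.append(c)
            i += 1
        elif c == "}":
            if cur:
                members.append("".join(cur))
            out.append("{" + ", ".join(members) + "}")
            in_set = False
            i += 1
        elif c.isspace() or c == ",":                      # old (space) or new (comma) separator
            if cur:
                members.append("".join(cur))
                cur = []
            i += 1
        elif expr.startswith("..", i):                    # range: glue to the previous member
            if not cur and members:
                cur = [members.pop()]
            cur.append("..")
            i += 2
            while i < n and expr[i].isspace():
                i += 1
        else:
            cur.append(c)
            i += 1
    return "".join(out)


def convert_dfilters_line(line: str) -> str:
    m = _DFILTER_LINE.match(line)
    return line if not m else m.group(1) + m.group(2) + rewrite_sets(m.group(3))


def convert_dfilter_buttons_line(line: str) -> str:
    fields = _UAT_FIELD.findall(line)
    if line.startswith("#") or len(fields) != 4:           # comment or not a button record
        return line
    fields[2] = uat_escape(rewrite_sets(uat_unescape(fields[2])))
    return ",".join(f'"{f}"' for f in fields)


CONVERTERS = {"dfilters": convert_dfilters_line, "dfilter_buttons": convert_dfilter_buttons_line}


def convert_text(text: str, kind: str):
    """Convert a whole file body, keeping each line's own ending; returns (text, lines_changed)."""
    out, changed = [], 0
    for raw in text.splitlines(keepends=True):
        body = raw.rstrip("\r\n")
        new = CONVERTERS[kind](body)
        changed += new != body
        out.append(new + raw[len(body):])
    return "".join(out), changed


def convert_profile_file(path) -> int:
    """Rewrite a dfilters or dfilter_buttons file in place; other files are left alone."""
    p = Path(path)
    if p.name not in CONVERTERS:
        return 0
    with open(p, encoding="utf-8", newline="") as fh:      # newline='' keeps CRLF as CRLF
        new, changed = convert_text(fh.read(), p.name)
    if changed:
        with open(p, "w", encoding="utf-8", newline="") as fh:
            fh.write(new)
    return changed
```

convert_profile_file() is what you would call for every dfilters and dfilter_buttons file under the plaintext tree; running it a second time and seeing zero changed lines is the check that nothing was double-converted. Only set membership is handled here; any other 4.0 syntax change still has to be found by loading the profile in Wireshark.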