[go: up one dir, main page]
Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

"Null/Loopback" protocol captures not supported in "pmercury" or "mercury" #14

Open
IrPgFKS0 opened this issue May 12, 2021 · 2 comments
Open

"Null/Loopback" protocol captures not supported in "pmercury" or "mercury" #14

IrPgFKS0 opened this issue May 12, 2021 · 2 comments

Comments

@IrPgFKS0
Copy link
IrPgFKS0 commented May 12, 2021
edited
Loading

When capturing on a tunnel interface (at least on a MAC), the L2 header information is set to Null (more details below)...

https://wiki.wireshark.org/NullLoopback

See example below...
"null": {
"null.family": "2"
}

% tshark -T json -i utun0
Capturing on 'USB 10/100/1000 LAN: en7'
[
  {
    "_index": "packets-2021-05-12",
    "_type": "doc",
    "_score": null,
    "_source": {
      "layers": {
        "frame": {
          "frame.interface_id": "0",
          "frame.interface_id_tree": {
            "frame.interface_name": "en7",
            "frame.interface_description": "USB 10/100/1000 LAN"
          },
          "frame.encap_type": "1",
          "frame.time": "May 12, 2021 11:54:07.695295000 MST",
          "frame.offset_shift": "0.000000000",
          "frame.time_epoch": "1620845647.695295000",
          "frame.time_delta": "0.000000000",
          "frame.time_delta_displayed": "0.000000000",
          "frame.time_relative": "0.000000000",
          "frame.number": "1",
          "frame.len": "1514",
          "frame.cap_len": "1514",
          "frame.marked": "0",
          "frame.ignored": "0",
          "frame.protocols": "null:ip:tcp:data"
        },
        "null": {
          "null.family": "2"
        },
        "ip": {
          "ip.version": "4",
          "ip.hdr_len": "20",
          "ip.dsfield": "0x00000002",
          "ip.dsfield_tree": {
            "ip.dsfield.dscp": "0",
            "ip.dsfield.ecn": "2"
          },
          "ip.len": "1500",
          "ip.id": "0x00006391",
          "ip.flags": "0x00000040",
          "ip.flags_tree": {
            "ip.flags.rb": "0",
            "ip.flags.df": "1",
            "ip.flags.mf": "0"
          },
          ...
@davidmcgrew
Copy link
Member

Can you please add the mercury invocation that you used here? thx!

@IrPgFKS0
Copy link
Author
IrPgFKS0 commented May 13, 2021
edited
Loading

I should clarify the above output is from tshark only (see command above for reference). Once I captured those packets with this cmd tshark -i utun0 -F pcap -w test_null.pcap, I then attempted to read them with the following commands using "pmercury" and "mercury" respectively with no output (attempting both w/ and w/o piping to jq).

python3.8 pmercury -r test_null.pcap -e -w -a -x | jq --tab

*Running in zsh shell hence redirect "> >(jq --tab .)"

./mercury -r test_null.pcap --dns-json --certs-json --metadata > >(jq --tab .)

Note: I also made another capture with this command tshark -i en10 -F pcap -w test_no_null.pcap and both "pmercury" and "mercury" output to jq as expected; "pmercury" output all the TLS packets and "mercury" output all TLS/HTTP and DNS packets (my test mix for both test_null.pcap and test_no_null.pcap).

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@davidmcgrew @IrPgFKS0