Decode protobufs over UDP - protocol-buffers

I have Protobuf-serialized data that is being sent over UDP multicast. I read it using socat from bash as follows:
socat UDP4-RECVFROM:1277,ip-add-membership=239.195.1.2:192.168.254.5,fork,reuseaddr -
I want to chain this with protoc in order to keep decoding the data in every packet. How can I do that?
When I do
socat UDP4-RECVFROM:1277,ip-add-membership=239.195.1.2:192.168.254.5,fork,reuseaddr - | protoc --decode=proto.Message ./path/to/proto/message.proto
The terminal just hangs. Not sure how to proceed.

The problem turned out to be in socat. Remove the fork portion and it works great.
So essentially
socat UDP4-RECVFROM:1277,ip-add-membership=239.195.1.2:192.168.254.5,reuseaddr - | protoc --decode=proto.Message ./path/to/proto/message.proto
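As an added example (not part of the question or answer above), the following Python script does the per-datagram decoding in a loop instead of piping socat into protoc. The reason the pipeline needs one datagram per protoc invocation is that the protobuf wire format carries no message delimiter: protoc --decode reads stdin to EOF and treats everything it read as one message, so concatenated datagrams would be misparsed, and with fork the parent socat keeps the pipe open so EOF never arrives. The script joins the multicast group from the question (group, port and interface default to the values given there), treats each datagram as exactly one message, and decodes it with a small wire-format parser that mirrors protoc --decode_raw (field number, wire type, raw value; no .proto needed). The parser bounds-checks every length and rejects oversized varints and deprecated group wire types, so a malformed or truncated datagram is reported rather than crashing the receiver. The SAMPLE_DATAGRAM bytes are constructed for illustration.

```python
import socket
import struct

# Wire types from the protobuf encoding specification.
WT_VARINT, WT_FIXED64, WT_LENGTH, WT_START_GROUP, WT_END_GROUP, WT_FIXED32 = 0, 1, 2, 3, 4, 5


def read_varint(data, pos):
    """Decode a base-128 varint at pos; returns (value, new_pos).
    Rejects truncated input and varints longer than the 10-byte maximum."""
    result, shift = 0, 0
    while True:
        if pos >= len(data):
            raise ValueError("truncated varint")
        if shift >= 70:
            raise ValueError("varint longer than 10 bytes")
        b = data[pos]
        pos += 1
        result |= (b & 0x7F) << shift
        shift += 7
        if not b & 0x80:
            return result, pos


def decode_raw(data):
    """Decode one serialized message into a list of (field_number, wire_type, value),
    like `protoc --decode_raw`. Length-delimited values are returned as bytes; whether
    they are strings, bytes or nested messages is only known from the .proto file."""
    fields, pos = [], 0
    while pos < len(data):
        tag, pos = read_varint(data, pos)
        field_number, wire_type = tag >> 3, tag & 0x7
        if field_number == 0:
            raise ValueError("field number 0 is invalid")
        if wire_type == WT_VARINT:
            value, pos = read_varint(data, pos)
        elif wire_type == WT_FIXED64:
            if pos + 8 > len(data):
                raise ValueError("truncated fixed64")
            value = struct.unpack_from("<Q", data, pos)[0]
            pos += 8
        elif wire_type == WT_LENGTH:
            length, pos = read_varint(data, pos)
            if pos + length > len(data):
                raise ValueError("truncated length-delimited field")
            value = bytes(data[pos:pos + length])
            pos += length
        elif wire_type == WT_FIXED32:
            if pos + 4 > len(data):
                raise ValueError("truncated fixed32")
            value = struct.unpack_from("<I", data, pos)[0]
            pos += 4
        else:  # groups (3, 4) are deprecated; 6 and 7 are not defined
            raise ValueError(f"unsupported wire type {wire_type}")
        fields.append((field_number, wire_type, value))
    return fields


def is_well_formed(data):
    """True if the datagram parses as a complete message at the wire-format level."""
    try:
        decode_raw(data)
        return True
    except ValueError:
        return False


def receive_datagrams(handler, group="239.195.1.2", port=1277, iface="192.168.254.5",
                      max_packets=None):
    """Join the multicast group and hand each datagram (one message) to handler(datagram, peer)."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM, socket.IPPROTO_UDP)
    sock.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    sock.bind(("", port))
    mreq = struct.pack("4s4s", socket.inet_aton(group), socket.inet_aton(iface))
    sock.setsockopt(socket.IPPROTO_IP, socket.IP_ADD_MEMBERSHIP, mreq)
    seen = 0
    while max_packets is None or seen < max_packets:
        datagram, peer = sock.recvfrom(65535)
        handler(datagram, peer)
        seen += 1


# Constructed sample: field 1 = varint 150, field 2 = "hi", field 3 = fixed32 1.
SAMPLE_DATAGRAM = bytes.fromhex("089601" "12026869" "1d01000000")

if __name__ == "__main__":
    print(decode_raw(SAMPLE_DATAGRAM))
    # Blocks listening on the multicast group until interrupted.
    receive_datagrams(lambda d, p: print(p, decode_raw(d) if is_well_formed(d) else "malformed"))
```

Once the raw fields look right, the same per-datagram loop can call the generated message class's ParseFromString on each datagram to get typed output; the point is that the unit of decoding is the datagram, never a byte stream.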

Related

Use tshark or wireshark to read large file and output only ICMP packets

I have a 72 GB file that should have a small amount of ICMP packets in it. Wireshark cannot load it. I would like to use tshark or wireshark from the command line to read the file, filter out all the ICMP packets, and write them to a small file that I can then load into Wireshark. How can I do that?
You can use tshark with either of these commands:
tshark -r bigfile.pcap -Y "icmp" -w bigfile_icmp.pcap
tshark -r bigfile.pcap -2R "icmp" -w bigfile_icmp.pcap
The first one uses a Wireshark display filter while the second one uses a Wireshark read filter, but requires 2 passes, although I don't recall why read filters require 2 passes.
In Wireshark, you can also specify a read filter of icmp when opening the file. Do so via "File -> Open -> File name: bigfile.pcap, Read filter: icmp -> Open". This is also documented in the Wireshark User Guide.

Socat - certificate rotation for mTLS connection - reload credential files interval

Use case:
I use socat to stream traffic between some app and the external world via Squid (app->socat->Squid). To authenticate to Squid I use mTLS.
My socat usage:
socat -d -d tcp-listen:3128,reuseaddr,fork \
openssl-connect:<SQUID_IP>:3128,cert=client-cert-key.pem,cafile-squid=squid-ca.crt,openssl-commonname=<SQUID_CN>-prd,keepalive
where the contents of the PEM and CERT files rotate.
Problem: If I put some trash into the squid-ca.crt file, socat after a couple of seconds catches the change and logs errors:
socat[72] E SSL_connect(): error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed
socat[72] N exit(1)
socat[9] N childdied(): handling signal 17
and when I recover the squid-ca.crt file, socat after some time (several to several dozen seconds) fetches the change and starts working again with the recovered data.
Is there an option to control the timing of file probing by socat?
Socat with your command waits for client connections and forks a new subprocess for each one. Only in these subprocesses is the OpenSSL module initialized and the certificate loaded.
So it is not some timing but just depends on the next TCP connection to arrive.

--up script fails with '/etc/openvpn/update-systemd-resolved': No such file or directory (errno=2)

Since I reinstalled my ArchLinux distro I get an error when I want to use OpenVPN. Here is the full output:
quentin#QuentinDesktop ~/Documents> openvpn --config ulille-vpn.ovpn
2022-01-04 21:52:15 WARNING: Compression for receiving enabled. Compression has been used in the past to break encryption. Sent packets are not compressed unless "allow-compression yes" is also set.
2022-01-04 21:52:15 WARNING: Compression for receiving enabled. Compression has been used in the past to break encryption. Sent packets are not compressed unless "allow-compression yes" is also set.
Options error: --up script fails with '/etc/openvpn/update-systemd-resolved': No such file or directory (errno=2)
Options error: Please correct this error.
Use --help for more information.
Here is the truncated ulille-vpn.ovpn file content (I just truncated the CA certificates):
ignore-unknown-option comp-lzo compress
dev tun
persist-tun
persist-key
cipher AES-256-CBC
tls-client
client
resolv-retry infinite
proto udp
remote vpn-etudiant.univ-lille.fr 443
verify-x509-name "vpn-etudiant.univ-lille.fr" name
auth SHA256
auth-user-pass
comp-lzo
compress lzo
#route-nopull
verb 3
pull-filter ignore "dhcp-option DOMAIN"
dhcp-option DOMAIN univ-lille.fr
dhcp-option DOMAIN univ-lille1.fr
script-security 2
setenv PATH /usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
up /etc/openvpn/update-systemd-resolved
up-restart
down /etc/openvpn/update-systemd-resolved
down-pre
Note that I didn't write this one myself, it is given by my university to access its local network.
I already tried to install the openvpn-update-systemd-resolved AUR package and enable it on systemd but it changed nothing.
How can I fix it?
Okay, after a quick look at the configuration file (which I did not think to do before asking this question), I commented out the last 4 lines of the chunk I posted, and it works!
I am sorry for asking this question, I thought the config file my university distributes was valid but it looks like it is Fedora/Debian specific, which is kind of weird because it works perfectly fine without these four lines.
I hope this short-lifespan topic can help someone else in a similar case! :^)
I had the very same problem and it was also the config file trying to run up /etc/openvpn/update-systemd-resolved. Seems to be a distro problem as I'm also running arch.

Simulate Network Latency mac Sierra

I am trying to simulate network latency for all traffic to a certain ip/url. I tried using a proxy through Charles but the traffic is going through HTTP or SOCKS. I found some information online but it does not seem to work for me. Can anyone see what is wrong with my commands?
#enable pf
sudo pfctl -E
#add a temporary extra ruleset (called "anchor") named "deeelay"
(cat /etc/pf.conf && echo "dummynet-anchor \"deeelay\"" && echo "anchor \"deeelay\"") | sudo pfctl -f -
#add a rule to the deeelay set to send any traffic to endpoint through new rule
echo "dummynet out proto tcp from any to myurl.com pipe 1" | sudo pfctl -a deeelay -f -
#Add a rule to dummynet pipe 1 to delay every packet by 500ms
sudo dnctl pipe 1 config delay 500
I see this warning when I run the commands:
No ALTQ support in kernel
ALTQ related functions disabled
Is that the issue?
The problem was the proto parameter. The application is not using tcp, it is using another protocol. You can either supply all the protocols you want as a list like so:
proto { tcp udp icmp ipv6 tlsp smp }
Or you can just remove the proto parameter altogether and it will do all protocols.

bash - Remove non-UDP related data from pcap file

I have a file called test1.pcap which contains ICMP, ARP, and UDP messages. I want to read test1.pcap and write to test2.pcap with only UDP messages.
I tried the following:
tcpdump -r test1.pcap udp -w test2.pcap
but the non-UDP messages (ICMP and ARP) still show up in test2.pcap. I used Wireshark to view the results.
Any suggestions?
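As an added example (not an answer from the page, and not tcpdump's or tshark's own code), the following Python script does the same job as the tshark ICMP extraction above and the UDP extraction asked about here, using only the standard library: it parses the classic pcap container, looks at each Ethernet frame's EtherType and IPv4 protocol number, and copies only records whose protocol is in a keep set to a new pcap. It also counts protocols per file, which is a quick way to check whether a filtered capture really contains only the expected traffic (for instance after the tcpdump command above). ARP frames have no IP protocol and are reported as None, so they are dropped by any protocol filter. The sample capture is constructed in build_sample_pcap (IP checksums are left at zero, which a filter does not need to verify); the VLAN handling and big-endian pcap support go slightly beyond the two questions.

```python
import struct
import sys

PCAP_MAGIC = 0xA1B2C3D4   # classic microsecond-resolution pcap
LINKTYPE_ETHERNET = 1
ETHERTYPE_IPV4, ETHERTYPE_ARP, ETHERTYPE_VLAN = 0x0800, 0x0806, 0x8100
IPPROTO_ICMP, IPPROTO_UDP = 1, 17


def ip_protocol(frame):
    """IPv4 protocol number of an Ethernet frame, or None for non-IPv4 frames (ARP, IPv6, ...)."""
    off = 12
    if len(frame) < off + 2:
        return None
    ethertype = struct.unpack_from("!H", frame, off)[0]
    if ethertype == ETHERTYPE_VLAN:          # skip one 802.1Q tag
        off += 4
        if len(frame) < off + 2:
            return None
        ethertype = struct.unpack_from("!H", frame, off)[0]
    off += 2
    if ethertype != ETHERTYPE_IPV4 or len(frame) < off + 20 or frame[off] >> 4 != 4:
        return None
    return frame[off + 9]                    # protocol field of the IPv4 header


def pcap_records(data):
    """Yield (record_header, packet_bytes) per record, validating every length against the file."""
    if len(data) < 24:
        raise ValueError("truncated pcap global header")
    if struct.unpack_from("<I", data, 0)[0] == PCAP_MAGIC:
        endian = "<"
    elif struct.unpack_from(">I", data, 0)[0] == PCAP_MAGIC:
        endian = ">"
    else:
        raise ValueError("not a classic pcap file (pcapng is not handled here)")
    if struct.unpack_from(endian + "I", data, 20)[0] != LINKTYPE_ETHERNET:
        raise ValueError("only Ethernet link type is supported")
    pos = 24
    while pos < len(data):
        if pos + 16 > len(data):
            raise ValueError("truncated record header")
        incl_len = struct.unpack_from(endian + "IIII", data, pos)[2]
        start, end = pos + 16, pos + 16 + incl_len
        if end > len(data):
            raise ValueError("record length exceeds file size")
        yield data[pos:start], data[start:end]
        pos = end


def filter_pcap(data, keep):
    """Return a new pcap containing only records whose IPv4 protocol is in keep."""
    out = [data[:24]]
    for hdr, pkt in pcap_records(data):
        if ip_protocol(pkt) in keep:
            out.append(hdr)
            out.append(pkt)
    return b"".join(out)


def count_protocols(data):
    """Map IPv4 protocol number (None for non-IP) to the number of records carrying it."""
    counts = {}
    for _, pkt in pcap_records(data):
        proto = ip_protocol(pkt)
        counts[proto] = counts.get(proto, 0) + 1
    return counts


def _eth(ethertype, payload):
    return b"\xff" * 6 + b"\x00\x11\x22\x33\x44\x55" + struct.pack("!H", ethertype) + payload


def _ipv4(proto, payload):
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 1, 0, 64, proto, 0,
                      bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]))
    return hdr + payload


def build_sample_pcap():
    """Constructed capture: two UDP datagrams, one ARP request, one ICMP echo request."""
    udp = _ipv4(IPPROTO_UDP, struct.pack("!HHHH", 5000, 1277, 12, 0) + b"data")
    icmp = _ipv4(IPPROTO_ICMP, struct.pack("!BBHHH", 8, 0, 0, 1, 1))
    arp = b"\x00\x01\x08\x00\x06\x04\x00\x01" + b"\x00" * 20
    frames = [_eth(ETHERTYPE_IPV4, udp), _eth(ETHERTYPE_ARP, arp),
              _eth(ETHERTYPE_IPV4, icmp), _eth(ETHERTYPE_IPV4, udp)]
    out = [struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, 65535, LINKTYPE_ETHERNET)]
    for i, f in enumerate(frames):
        out.append(struct.pack("<IIII", 1600000000 + i, 0, len(f), len(f)))
        out.append(f)
    return b"".join(out)


if __name__ == "__main__":
    # Usage: python filter_pcap.py test1.pcap test2.pcap 17   (17 = UDP, 1 = ICMP)
    src = open(sys.argv[1], "rb").read()
    open(sys.argv[2], "wb").write(filter_pcap(src, {int(p) for p in sys.argv[3:]}))
    print(count_protocols(open(sys.argv[2], "rb").read()))
```

Reading the whole file into memory is fine for a test capture; for a 72 GB file like the one in the tshark question the same record walk should be done on a streaming file object so that only one record is held at a time.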