A Wireshark plugin wrapper for golang
Writing plugins for Wireshark in C/C++ can be opaque: the APIs are quite powerful, but not really obvious to use. If you just want to develop a quick and dirty plugin, you will spend more time trying to understand how things work than actually writing the core of your plugin.
Another alternative is to use Lua, but first of all you need to know that language. So again, you'll spend more time learning a new language than actually writing this quick and dirty plugin.
Wirego is a plugin for Wireshark, written in C, that loads a plugin written in Go.
You basically don't have to touch the Wirego plugin itself, and you are given a dummy, empty Go plugin to start from.
In order to set up Wirego, you will need to follow 3 steps:
- Install or build the Wirego plugin for Wireshark
- Develop your own plugin, using the "wirego" Go package
- Start Wireshark and tell Wirego where your plugin is
You may use prebuilt binaries for step 1, which can be downloaded here. If you prefer building the plugin yourself (or if the prebuilt binaries fail), refer to the following documentation here.
For step 2, you will basically just have to import "wirego" and implement the following interface:
```go
// WiregoInterface is implemented by the actual wirego plugin
type WiregoInterface interface {
	GetName() string
	GetFilter() string
	Setup() error
	GetFields() []WiresharkField
	GetDetectionFilters() []DetectionFilterType
	GetDetectionHeuristicsParent() []string
	DetectionHeuristic(packetNumber int, src string, dst string, stack string, packet []byte) bool
	DissectPacket(packetNumber int, src string, dst string, stack string, packet []byte) *DissectResult
}
```
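As an added example (not part of the Wirego project's code), here is a minimal plugin implementing that interface for a constructed "toy" protocol. The three result types (WiresharkField, DetectionFilterType, DissectResult) are declared locally as stand-ins because the README does not show their real definitions; their field names, the udp.port value and the toy wire format are all assumptions.

```go
package main

import "fmt"

// Local stand-ins for the wirego package types; their real definitions are not shown in the README.
type WiresharkField struct{ Name, Filter string }
type DetectionFilterType struct{ Key, Value string }
type DissectResult struct{ Fields map[string]string }

// WiregoInterface exactly as listed in the README.
type WiregoInterface interface {
	GetName() string
	GetFilter() string
	Setup() error
	GetFields() []WiresharkField
	GetDetectionFilters() []DetectionFilterType
	GetDetectionHeuristicsParent() []string
	DetectionHeuristic(packetNumber int, src string, dst string, stack string, packet []byte) bool
	DissectPacket(packetNumber int, src string, dst string, stack string, packet []byte) *DissectResult
}

// ToyPlugin dissects a constructed "toy" format: magic "TY", 1-byte version, 2-byte big-endian payload length, payload.
type ToyPlugin struct{}
const toyHeaderLen = 5                   // magic(2) + version(1) + length(2)
var _ WiregoInterface = (*ToyPlugin)(nil) // compile-time proof that every interface method is implemented

func (ToyPlugin) GetName() string                        { return "Toy protocol" }
func (ToyPlugin) GetFilter() string                      { return "toy" }
func (ToyPlugin) Setup() error                           { return nil }
func (ToyPlugin) GetDetectionHeuristicsParent() []string { return []string{"udp"} }
func (ToyPlugin) GetDetectionFilters() []DetectionFilterType { return []DetectionFilterType{{"udp.port", "5555"}} } // hypothetical port
func (ToyPlugin) GetFields() []WiresharkField { return []WiresharkField{{"Version", "toy.version"}, {"Length", "toy.length"}, {"Payload", "toy.payload"}} }

// DetectionHeuristic claims a packet only when the magic matches and the declared length fits the buffer.
func (ToyPlugin) DetectionHeuristic(_ int, _, _, _ string, packet []byte) bool {
	if len(packet) < toyHeaderLen || packet[0] != 'T' || packet[1] != 'Y' {
		return false
	}
	return (int(packet[3])<<8 | int(packet[4])) == len(packet)-toyHeaderLen
}

// DissectPacket re-runs the check so a truncated or lying length field can never index past the buffer.
func (p ToyPlugin) DissectPacket(n int, src, dst, stack string, packet []byte) *DissectResult {
	if !p.DetectionHeuristic(n, src, dst, stack, packet) {
		return nil
	}
	payload := packet[toyHeaderLen:]
	return &DissectResult{Fields: map[string]string{"toy.version": fmt.Sprint(packet[2]),
		"toy.length": fmt.Sprint(len(payload)), "toy.payload": fmt.Sprintf("%x", payload)}}
}

func main() { fmt.Printf("%+v\n", ToyPlugin{}.DissectPacket(1, "a", "b", "udp", []byte("TY\x01\x00\x03abc"))) }
```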
Now it's time for step 3: with the Wirego plugin installed, start Wireshark and tell Wirego where your Go plugin is!
A few plugin examples are available:
- Minimal: a minimalistic example showing the basic usage of Wirego
- Reolink Credentials light: a lightweight version of a Reolink camera credentials parser
- Reolink Credentials: an advanced version of a Reolink camera credentials parser
This project is still under development and many things need to be improved. Here's a partial list:
- The field type list is incomplete
- Support for a payload split across several packets
When the path to your Go plugin is modified, you will need to restart Wireshark. Here's why:
- we need to set up everything (plugin name, fields, ...) during the proto_register_wirego call
- preference values are only loaded during the proto_reg_handoff_wirego call, which is too late for us