[Wireshark-bugs] [Bug 14381] cannot find any Mongo Wire Protocol (MONGO) package

2018-12-03 Thread bugzilla-daemon
https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=14381

--- Comment #10 from Peter Wu  ---
Derick has attached captures and key log files in bug 14275 by the way.

-- 
You are receiving this mail because:
You are watching all bug changes.

Sent via: Wireshark-bugs mailing list
Archives: https://www.wireshark.org/lists/wireshark-bugs
Unsubscribe: https://www.wireshark.org/mailman/options/wireshark-bugs
 mailto:wireshark-bugs-requ...@wireshark.org?subject=unsubscribe

[Wireshark-bugs] [Bug 14381] cannot find any Mongo Wire Protocol (MONGO) package

2018-10-22 Thread bugzilla-daemon
https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=14381

--- Comment #9 from Peter Wu  ---
(In reply to Alexis La Goutte from comment #8)
> On the other bug, there is no pcap with TLS?

There is none, but perhaps that reporter could provide one. I'll ask for it.


[Wireshark-bugs] [Bug 14381] cannot find any Mongo Wire Protocol (MONGO) package

2018-10-22 Thread bugzilla-daemon
https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=14381

--- Comment #8 from Alexis La Goutte  ---
(In reply to Peter Wu from comment #7)
> (In reply to Alexis La Goutte from comment #6)
> > (In reply to Peter Wu from comment #5)
> > > Use ssl_dissector_add(0, mongo_handle) to avoid interpreting the port as TLS
> > > by default.
> > > 
> > > In order to recognize TLS again and be able to dissect decrypted TLS data,
> > > change dissect_mongo to recognize TLS. If TLS is detected, set the appdata
> > > dissector to mongodb and call the TLS dissector with ssl_starttls_ack(...,
> > > mongo_handle) + call_dissector(tls_handle, ...).
> >
> > I prefer solution 1 :)
> 
> To validate that, a mongodb TLS capture needs to be created with decryption
> secrets. At the moment I don't have time to try that though.
> 
> Disabling TLS as was done in comment 2 should not be necessary, but there is
> a bug in the Decode As dialog. Steps to reproduce:
> 1. Select packet 6, Decode As.
> 2. Observe Field "TLS Port", Value 27017, Default "MONGO", Current "MONGO".
> 3. Change "Field" to "TCP Port".
> 4. Press OK.
> 
> Expected behavior:
> Traffic is decoded as Mongo.
> 
> Actual behavior:
> Traffic is still decoded as TLS. When opening the Decode As dialog again,
> the entry is gone again. Changing "Field" should probably change the other
> columns as well. If you select "Ether type" or "IP Protocol" for example, it
> will still say "TLS".
> 
> What did work was Decode As on packet 2 which shows:
> Field "TCP Port", Value 27017, Default "TLS", Current "TLS"
> and then change Current "TLS" -> "MONGO".

On the other bug, there is no pcap with TLS?


[Wireshark-bugs] [Bug 14381] cannot find any Mongo Wire Protocol (MONGO) package

2018-10-22 Thread bugzilla-daemon
https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=14381

--- Comment #7 from Peter Wu  ---
(In reply to Alexis La Goutte from comment #6)
> (In reply to Peter Wu from comment #5)
> > Use ssl_dissector_add(0, mongo_handle) to avoid interpreting the port as TLS
> > by default.
> > 
> > In order to recognize TLS again and be able to dissect decrypted TLS data,
> > change dissect_mongo to recognize TLS. If TLS is detected, set the appdata
> > dissector to mongodb and call the TLS dissector with ssl_starttls_ack(...,
> > mongo_handle) + call_dissector(tls_handle, ...).
>
> I prefer solution 1 :)

To validate that, a mongodb TLS capture needs to be created with decryption
secrets. At the moment I don't have time to try that though.

Disabling TLS as was done in comment 2 should not be necessary, but there is a
bug in the Decode As dialog. Steps to reproduce:
1. Select packet 6, Decode As.
2. Observe Field "TLS Port", Value 27017, Default "MONGO", Current "MONGO".
3. Change "Field" to "TCP Port".
4. Press OK.

Expected behavior:
Traffic is decoded as Mongo.

Actual behavior:
Traffic is still decoded as TLS. When opening the Decode As dialog again, the
entry is gone again. Changing "Field" should probably change the other columns
as well. If you select "Ether type" or "IP Protocol" for example, it will still
say "TLS".

What did work was Decode As on packet 2 which shows:
Field "TCP Port", Value 27017, Default "TLS", Current "TLS"
and then change Current "TLS" -> "MONGO".


[Wireshark-bugs] [Bug 14381] cannot find any Mongo Wire Protocol (MONGO) package

2018-10-22 Thread bugzilla-daemon
https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=14381

--- Comment #6 from Alexis La Goutte  ---
(In reply to Peter Wu from comment #5)
> I considered suggesting changing the port number, but there does not seem to
> be a dedicated port for TLS traffic:
> https://docs.mongodb.com/manual/reference/default-mongodb-port/
> https://docs.mongodb.com/manual/tutorial/configure-ssl-clients/
> https://docs.mongodb.com/manual/tutorial/configure-ssl/
> https://docs.mongodb.com/manual/core/security-transport-encryption/
> 
> Two possibilities:
> 
> Use ssl_dissector_add(0, mongo_handle) to avoid interpreting the port as TLS
> by default.
> 
> In order to recognize TLS again and be able to dissect decrypted TLS data,
> change dissect_mongo to recognize TLS. If TLS is detected, set the appdata
> dissector to mongodb and call the TLS dissector with ssl_starttls_ack(...,
> mongo_handle) + call_dissector(tls_handle, ...).
> 
> or
> 
> change the TLS dissector to reject the data if it does not look like TLS at
> all (like Michael did in the above path). One limitation is that it does not
> help with dissecting the decrypted data as mongo, for that to work the
> previous approach is necessary.
> 
> For a quick fix, I suggest just changing mongo to use ssl_dissector_add(0,
> mongo_handle). This will regress on bug 14275 in the sense that TLS traffic
> is not automatically marked as such, but for decryption more changes were
> needed anyway.

I prefer solution 1 :)


[Wireshark-bugs] [Bug 14381] cannot find any Mongo Wire Protocol (MONGO) package

2018-10-22 Thread bugzilla-daemon
https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=14381

--- Comment #5 from Peter Wu  ---
I considered suggesting changing the port number, but there does not seem to be
a dedicated port for TLS traffic:
https://docs.mongodb.com/manual/reference/default-mongodb-port/
https://docs.mongodb.com/manual/tutorial/configure-ssl-clients/
https://docs.mongodb.com/manual/tutorial/configure-ssl/
https://docs.mongodb.com/manual/core/security-transport-encryption/

Two possibilities:

Use ssl_dissector_add(0, mongo_handle) to avoid interpreting the port as TLS by
default.

In order to recognize TLS again and be able to dissect decrypted TLS data,
change dissect_mongo to recognize TLS. If TLS is detected, set the appdata
dissector to mongodb and call the TLS dissector with ssl_starttls_ack(...,
mongo_handle) + call_dissector(tls_handle, ...).

or

change the TLS dissector to reject the data if it does not look like TLS at all
(like Michael did in the above path). One limitation is that it does not help
with dissecting the decrypted data as mongo, for that to work the previous
approach is necessary.

For a quick fix, I suggest just changing mongo to use ssl_dissector_add(0,
mongo_handle). This will regress on bug 14275 in the sense that TLS traffic is
not automatically marked as such, but for decryption more changes were needed
anyway.

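Both options Peter lays out in comment #5 come down to one question: can a dissector tell, from the first bytes of a TCP conversation, whether it is looking at a TLS handshake or at a MongoDB message? The block below is an added example, not Wireshark code, and it does not use the Wireshark dissector API (ssl_dissector_add, ssl_starttls_ack and call_dissector named in the comment are Wireshark functions; this stand-alone C calls none of them). It implements the "does this look like TLS at all" test that the second option asks of the TLS dissector, beside the MongoDB MsgHeader check the first option would need in dissect_mongo, using the TLS record header layout and the documented MongoDB wire-protocol opcodes. The function names and both byte samples are constructed for this example.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/*
 * Added example (not Wireshark code): a port-independent sanity check that
 * tells a TLS ClientHello apart from a MongoDB wire-protocol header at the
 * start of a TCP conversation. Function and sample names are hypothetical.
 */

enum stream_kind { KIND_UNKNOWN = 0, KIND_TLS = 1, KIND_MONGO = 2 };

/* Largest TLSPlaintext fragment the TLS RFCs allow (2^14 bytes). */
#define TLS_MAX_RECORD_LEN 16384u
/* MongoDB's documented upper bound on one wire message (48 MB). */
#define MONGO_MAX_MESSAGE_LEN 48000000u
#define MONGO_HEADER_LEN 16u

static uint32_t read_le32(const uint8_t *p)
{
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/*
 * The only TLS record that can legitimately open a connection is a Handshake
 * record (content type 0x16) carrying a ClientHello (handshake type 0x01).
 * Application data or "Continuation Data" as the very first bytes is not TLS.
 */
int looks_like_tls_client_hello(const uint8_t *buf, size_t len)
{
    if (len < 6)
        return 0;
    if (buf[0] != 0x16)                       /* ContentType: handshake */
        return 0;
    if (buf[1] != 0x03 || buf[2] > 0x04)      /* ProtocolVersion 3.0 .. 3.4 */
        return 0;
    uint16_t rec_len = (uint16_t)((buf[3] << 8) | buf[4]);
    if (rec_len < 4 || rec_len > TLS_MAX_RECORD_LEN)
        return 0;
    return buf[5] == 0x01;                    /* HandshakeType: client_hello */
}

/*
 * MongoDB MsgHeader: four little-endian int32 fields
 *   messageLength, requestID, responseTo, opCode.
 * Only the header is validated: the first TCP segment may be shorter than
 * messageLength, so the body length is deliberately not compared with len.
 */
int looks_like_mongo_header(const uint8_t *buf, size_t len)
{
    if (len < MONGO_HEADER_LEN)
        return 0;
    uint32_t msg_len = read_le32(buf);
    uint32_t op_code = read_le32(buf + 12);
    if (msg_len < MONGO_HEADER_LEN || msg_len > MONGO_MAX_MESSAGE_LEN)
        return 0;
    switch (op_code) {
    case 1:    /* OP_REPLY */
    case 2001: /* OP_UPDATE */
    case 2002: /* OP_INSERT */
    case 2004: /* OP_QUERY */
    case 2005: /* OP_GET_MORE */
    case 2006: /* OP_DELETE */
    case 2007: /* OP_KILL_CURSORS */
    case 2012: /* OP_COMPRESSED */
    case 2013: /* OP_MSG */
        return 1;
    default:
        return 0;
    }
}

/* Decide what the first bytes of a conversation look like. */
enum stream_kind classify_stream_start(const uint8_t *buf, size_t len)
{
    if (looks_like_tls_client_hello(buf, len))
        return KIND_TLS;
    if (looks_like_mongo_header(buf, len))
        return KIND_MONGO;
    return KIND_UNKNOWN;
}

/* Constructed sample: first 11 bytes of a TLS 1.2 ClientHello record. */
static const uint8_t SAMPLE_TLS_CLIENT_HELLO[] = {
    0x16, 0x03, 0x01, 0x00, 0xc8,   /* handshake, record version 3.1, length 200 */
    0x01, 0x00, 0x00, 0xc4,         /* client_hello, length 196 */
    0x03, 0x03                      /* client_version 3.3 */
};

/* Constructed sample: MongoDB OP_QUERY header plus the start of its body. */
static const uint8_t SAMPLE_MONGO_OP_QUERY[] = {
    0x3a, 0x00, 0x00, 0x00,         /* messageLength = 58 */
    0x01, 0x00, 0x00, 0x00,         /* requestID = 1 */
    0x00, 0x00, 0x00, 0x00,         /* responseTo = 0 */
    0xd4, 0x07, 0x00, 0x00,         /* opCode = 2004 (OP_QUERY) */
    0x00, 0x00, 0x00, 0x00,         /* flags */
    'a', 'd', 'm', 'i', 'n', '.', '$', 'c', 'm', 'd', 0x00 /* fullCollectionName */
};

int main(void)
{
    printf("tls sample   -> %d (KIND_TLS is %d)\n",
           classify_stream_start(SAMPLE_TLS_CLIENT_HELLO, sizeof SAMPLE_TLS_CLIENT_HELLO), KIND_TLS);
    printf("mongo sample -> %d (KIND_MONGO is %d)\n",
           classify_stream_start(SAMPLE_MONGO_OP_QUERY, sizeof SAMPLE_MONGO_OP_QUERY), KIND_MONGO);
    return 0;
}
```

The check is only meaningful on the first segment of a conversation, which is exactly the point of the "Continuation Data should not be at the start of a TCP connection" change referenced in this thread: later in a TLS stream, application-data records are normal and would fail looks_like_tls_client_hello, so a real dissector records the decision in conversation state instead of re-running the check on every segment. Note also that the MongoDB bytes fail the TLS test on the very first byte (the low byte of messageLength is not 0x16), which is why a TLS dissector that applied even this minimal rejection would no longer claim plaintext MongoDB traffic on port 27017.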

[Wireshark-bugs] [Bug 14381] cannot find any Mongo Wire Protocol (MONGO) package

2018-10-21 Thread bugzilla-daemon
https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=14381

--- Comment #4 from Gerrit Code Review  ---
Change 30321 had a related patch set uploaded by Michael Mann:
TLS: "Continuation Data" should not be at the start of a TCP connection.

https://code.wireshark.org/review/30321


[Wireshark-bugs] [Bug 14381] cannot find any Mongo Wire Protocol (MONGO) package

2018-10-15 Thread bugzilla-daemon
https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=14381

Alexis La Goutte  changed:

   What|Removed |Added

 CC||pe...@lekensteyn.nl


[Wireshark-bugs] [Bug 14381] cannot find any Mongo Wire Protocol (MONGO) package

2018-10-15 Thread bugzilla-daemon
https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=14381

--- Comment #3 from Alexis La Goutte  ---
(In reply to Michael Mann from comment #2)
> I believe the issue is that the provided .pcap on the wiki, when you load it
> into Wireshark, doesn't show any MONGO traffic.  To show the mongo traffic I
> had to disable the SSL dissector and then use Decode As (for MONGO) on the
> port.  There may be other "preference manipulations" that can be done to
> have the MONGO traffic show up, but it may be considered confusing that it
> doesn't show up by default.
> Maybe SSL is too aggressive?

A second effect of the change from Bug 14275
(g4cf7cd3ed20c57dc5977be5be37ced0bd1706d61).


[Wireshark-bugs] [Bug 14381] cannot find any Mongo Wire Protocol (MONGO) package

2018-10-14 Thread bugzilla-daemon
https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=14381

Michael Mann  changed:

   What|Removed |Added

 CC||mman...@netscape.net
 Status|INCOMPLETE  |CONFIRMED

--- Comment #2 from Michael Mann  ---
I believe the issue is that the provided .pcap on the wiki, when you load it
into Wireshark, doesn't show any MONGO traffic.  To show the mongo traffic I had
to disable the SSL dissector and then use Decode As (for MONGO) on the port.
There may be other "preference manipulations" that can be done to have the
MONGO traffic show up, but it may be considered confusing that it doesn't show
up by default.
Maybe SSL is too aggressive?


[Wireshark-bugs] [Bug 14381] cannot find any Mongo Wire Protocol (MONGO) package

2018-02-01 Thread bugzilla-daemon
https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=14381

Alexis La Goutte  changed:

   What|Removed |Added

 Status|UNCONFIRMED |INCOMPLETE
 CC||alexis.lagou...@gmail.com
 Ever confirmed|0   |1

--- Comment #1 from Alexis La Goutte  ---
Hi,

What package are you talking about?
