[Wireshark-bugs] [Bug 14381] cannot find any Mongo Wire Protocol (MONGO) package
https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=14381

--- Comment #10 from Peter Wu ---

Derick has attached captures and key log files in bug 14275 by the way.

--
You are receiving this mail because:
You are watching all bug changes.
___
Sent via: Wireshark-bugs mailing list
Archives: https://www.wireshark.org/lists/wireshark-bugs
Unsubscribe: https://www.wireshark.org/mailman/options/wireshark-bugs
mailto:wireshark-bugs-requ...@wireshark.org?subject=unsubscribe
--- Comment #9 from Peter Wu ---

(In reply to Alexis La Goutte from comment #8)
> On the other bug, there is no pcap with TLS?

There is none, but perhaps that reporter could provide one. I'll ask for it.
--- Comment #8 from Alexis La Goutte ---

(In reply to Peter Wu from comment #7)
> (In reply to Alexis La Goutte from comment #6)
> > (In reply to Peter Wu from comment #5)
> > > Use ssl_dissector_add(0, mongo_handle) to avoid interpreting the port as
> > > TLS by default.
> > >
> > > In order to recognize TLS again and be able to dissect decrypted TLS data,
> > > change dissect_mongo to recognize TLS. If TLS is detected, set the appdata
> > > dissector to mongodb and call the TLS dissector with ssl_starttls_ack(...,
> > > mongo_handle) + call_dissector(tls_handle, ...).
> >
> > I prefer solution 1 :)
>
> To validate that, a mongodb TLS capture needs to be created with decryption
> secrets. At the moment I don't have time to try that though.
>
> Disabling TLS as was done in comment 2 should not be necessary, but there is
> a bug in the Decode As dialog. Steps to reproduce:
> 1. Select packet 6, Decode As.
> 2. Observe Field "TLS Port", Value 27017, Default "MONGO", Current "MONGO".
> 3. Change "Field" to "TCP Port".
> 4. Press OK.
>
> Expected behavior:
> Traffic is decoded as Mongo.
>
> Actual behavior:
> Traffic is still decoded as TLS. When opening the Decode As dialog again,
> the entry is gone again. Changing "Field" should probably change the other
> columns as well. If you select "Ether type" or "IP Protocol" for example, it
> will still say "TLS".
>
> What did work was Decode As on packet 2 which shows:
> Field "TCP Port", Value 27017, Default "TLS", Current "TLS"
> and then change Current "TLS" -> "MONGO".

On the other bug, there is no pcap with TLS?
--- Comment #7 from Peter Wu ---

(In reply to Alexis La Goutte from comment #6)
> (In reply to Peter Wu from comment #5)
> > Use ssl_dissector_add(0, mongo_handle) to avoid interpreting the port as TLS
> > by default.
> >
> > In order to recognize TLS again and be able to dissect decrypted TLS data,
> > change dissect_mongo to recognize TLS. If TLS is detected, set the appdata
> > dissector to mongodb and call the TLS dissector with ssl_starttls_ack(...,
> > mongo_handle) + call_dissector(tls_handle, ...).
>
> I prefer solution 1 :)

To validate that, a mongodb TLS capture needs to be created with decryption
secrets. At the moment I don't have time to try that though.

Disabling TLS as was done in comment 2 should not be necessary, but there is
a bug in the Decode As dialog. Steps to reproduce:
1. Select packet 6, Decode As.
2. Observe Field "TLS Port", Value 27017, Default "MONGO", Current "MONGO".
3. Change "Field" to "TCP Port".
4. Press OK.

Expected behavior:
Traffic is decoded as Mongo.

Actual behavior:
Traffic is still decoded as TLS. When opening the Decode As dialog again,
the entry is gone again. Changing "Field" should probably change the other
columns as well. If you select "Ether type" or "IP Protocol" for example, it
will still say "TLS".

What did work was Decode As on packet 2 which shows:
Field "TCP Port", Value 27017, Default "TLS", Current "TLS"
and then change Current "TLS" -> "MONGO".
--- Comment #6 from Alexis La Goutte ---

(In reply to Peter Wu from comment #5)
> I considered suggesting changing the port number, but there does not seem to
> be a dedicated port for TLS traffic:
> https://docs.mongodb.com/manual/reference/default-mongodb-port/
> https://docs.mongodb.com/manual/tutorial/configure-ssl-clients/
> https://docs.mongodb.com/manual/tutorial/configure-ssl/
> https://docs.mongodb.com/manual/core/security-transport-encryption/
>
> Two possibilities:
>
> Use ssl_dissector_add(0, mongo_handle) to avoid interpreting the port as TLS
> by default.
>
> In order to recognize TLS again and be able to dissect decrypted TLS data,
> change dissect_mongo to recognize TLS. If TLS is detected, set the appdata
> dissector to mongodb and call the TLS dissector with ssl_starttls_ack(...,
> mongo_handle) + call_dissector(tls_handle, ...).
>
> or
>
> change the TLS dissector to reject the data if it does not look like TLS at
> all (like Michael did in the above patch). One limitation is that it does not
> help with dissecting the decrypted data as mongo; for that to work the
> previous approach is necessary.
>
> For a quick fix, I suggest just changing mongo to use ssl_dissector_add(0,
> mongo_handle). This will regress on bug 14275 in the sense that TLS traffic
> is not automatically marked as such, but for decryption more changes were
> needed anyway.

I prefer solution 1 :)
--- Comment #5 from Peter Wu ---

I considered suggesting changing the port number, but there does not seem to
be a dedicated port for TLS traffic:
https://docs.mongodb.com/manual/reference/default-mongodb-port/
https://docs.mongodb.com/manual/tutorial/configure-ssl-clients/
https://docs.mongodb.com/manual/tutorial/configure-ssl/
https://docs.mongodb.com/manual/core/security-transport-encryption/

Two possibilities:

Use ssl_dissector_add(0, mongo_handle) to avoid interpreting the port as TLS
by default.

In order to recognize TLS again and be able to dissect decrypted TLS data,
change dissect_mongo to recognize TLS. If TLS is detected, set the appdata
dissector to mongodb and call the TLS dissector with ssl_starttls_ack(...,
mongo_handle) + call_dissector(tls_handle, ...).

or

change the TLS dissector to reject the data if it does not look like TLS at
all (like Michael did in the above patch). One limitation is that it does not
help with dissecting the decrypted data as mongo; for that to work the
previous approach is necessary.

For a quick fix, I suggest just changing mongo to use ssl_dissector_add(0,
mongo_handle). This will regress on bug 14275 in the sense that TLS traffic
is not automatically marked as such, but for decryption more changes were
needed anyway.
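The first of Peter's two options needs dissect_mongo to tell a TLS stream apart from a cleartext Mongo wire protocol stream on port 27017. The check below is an added, stand-alone example (not Wireshark or MongoDB code) of that detection, using the public TLS record header and MongoDB message header layouts; the sample byte strings are constructed, and in a real dissector the TLS branch is where the ssl_starttls_ack()/call_dissector() hand-off he describes would go.

```c
/* Added example: classify the first client bytes of a TCP stream as a TLS
 * record, a MongoDB wire protocol message, or neither. Not Wireshark code. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

enum stream_kind { KIND_UNKNOWN = 0, KIND_TLS = 1, KIND_MONGO = 2 };

static uint32_t rd_le32(const uint8_t *p) {
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* TLS record header: content type, version 0x03xx, 2-byte length.
 * A fresh connection must begin with a Handshake record (0x16). */
static int looks_like_tls_start(const uint8_t *buf, size_t len) {
    if (len < 5 || buf[0] != 0x16) return 0;       /* not a handshake record */
    if (buf[1] != 0x03 || buf[2] > 0x03) return 0; /* SSL 3.0 .. TLS 1.2 */
    uint16_t rec_len = (uint16_t)((buf[3] << 8) | buf[4]);
    return rec_len > 0 && rec_len <= 16384 + 2048; /* TLSCiphertext bound */
}

/* MongoDB header: four little-endian int32s (messageLength, requestID,
 * responseTo, opCode); messageLength counts the 16-byte header too. */
static int looks_like_mongo_start(const uint8_t *buf, size_t len) {
    if (len < 16) return 0;
    uint32_t msg_len = rd_le32(buf), opcode = rd_le32(buf + 12);
    if (msg_len < 16 || msg_len > 48000000u) return 0; /* maxMessageSizeBytes */
    switch (opcode) { /* OP_REPLY, OP_UPDATE..OP_KILL_CURSORS, OP_COMPRESSED, OP_MSG */
        case 1: case 2001: case 2002: case 2004: case 2005:
        case 2006: case 2007: case 2012: case 2013: return 1;
        default: return 0;
    }
}

/* TLS is tested first: its fixed 0x16 0x03 prefix is far more specific than
 * a plausible Mongo length/opcode pair, which a random payload can mimic. */
enum stream_kind classify_stream_start(const uint8_t *buf, size_t len) {
    if (looks_like_tls_start(buf, len)) return KIND_TLS;
    if (looks_like_mongo_start(buf, len)) return KIND_MONGO;
    return KIND_UNKNOWN;
}

/* Constructed samples (not captured traffic): a TLS 1.0-versioned ClientHello
 * record header, an OP_MSG (2013) header of 59 bytes, and an HTTP request. */
static const uint8_t SAMPLE_TLS[]   = {0x16,0x03,0x01,0x00,0xc8,0x01,0x00,0x00,
                                       0xc4,0x03,0x03,0,0,0,0,0};
static const uint8_t SAMPLE_MONGO[] = {0x3b,0,0,0, 0x01,0,0,0, 0,0,0,0, 0xdd,0x07,0,0};
static const uint8_t SAMPLE_OTHER[] = "GET / HTTP/1.1\r\n";

int main(void) {
    printf("tls=%d mongo=%d other=%d\n",
           classify_stream_start(SAMPLE_TLS, sizeof SAMPLE_TLS),
           classify_stream_start(SAMPLE_MONGO, sizeof SAMPLE_MONGO),
           classify_stream_start(SAMPLE_OTHER, sizeof SAMPLE_OTHER - 1));
    return 0;
}
```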
--- Comment #4 from Gerrit Code Review ---

Change 30321 had a related patch set uploaded by Michael Mann:
TLS: "Continuation Data" should not be at the start of a TCP connection.

https://code.wireshark.org/review/30321
Alexis La Goutte changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |pe...@lekensteyn.nl
--- Comment #3 from Alexis La Goutte ---

(In reply to Michael Mann from comment #2)
> I believe the issue is that the provided .pcap on the wiki, when you load it
> into Wireshark, doesn't show any MONGO traffic. To show the mongo traffic I
> had to disable the SSL dissector and then use Decode As (for MONGO) on the
> port. There may be other "preference manipulations" that can be done to
> have the MONGO traffic show up, but it may be considered confusing that it
> doesn't show up by default.
> Maybe SSL is too aggressive?

A side effect of the change from Bug 14275
(g4cf7cd3ed20c57dc5977be5be37ced0bd1706d61).
Michael Mann changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |mman...@netscape.net
             Status|INCOMPLETE                  |CONFIRMED

--- Comment #2 from Michael Mann ---

I believe the issue is that the provided .pcap on the wiki, when you load it
into Wireshark, doesn't show any MONGO traffic. To show the mongo traffic I
had to disable the SSL dissector and then use Decode As (for MONGO) on the
port. There may be other "preference manipulations" that can be done to
have the MONGO traffic show up, but it may be considered confusing that it
doesn't show up by default.

Maybe SSL is too aggressive?
Alexis La Goutte changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|UNCONFIRMED                 |INCOMPLETE
                 CC|                            |alexis.lagou...@gmail.com
     Ever confirmed|0                           |1

--- Comment #1 from Alexis La Goutte ---

Hi,

What package are you talking about?