wireguard-dissector

Wireshark dissector for the WireGuard tunnel protocol

Wireshark dissector (written in Lua) for dissecting the WireGuard tunneling protocol.

This dissector is obsolete; an improved version is included in Wireshark 2.9.x. See this comment for further instructions.

[Screenshot: Wireshark with WireGuard traffic]

Requirements:

  • Wireshark 2.0.2 or newer (tested with Wireshark 2.3.x).
  • luagcrypt and Libgcrypt 1.7 for (optional) decryption support.

The plan is to eventually rewrite this prototype into a dissector that is included with the main Wireshark sources. An improved version is included with the current development version (git master, 2.9.x).

Installation and usage

Install wg.lua in the Wireshark plugins folder (usually ~/.config/wireshark/plugins/ or ~/.wireshark/plugins/). For decryption support, install luagcrypt in the Lua library path (usually /usr/lib/lua/5.2/luagcrypt.so).

Now try the sample packet capture pcaps/8-trace.pcap and its corresponding keylog file pcaps/8-trace.keys (configure via Protocol Preferences → Keylog file).

As an alternative to installing files globally, copy luagcrypt.so to the current working directory and run:

wireshark -Xlua_script:wg.lua -r pcaps/8-trace.pcap -owg.keylog_file:pcaps/8-trace.keys

Since WireGuard does not have a default port number, it is recommended to enable the UDP protocol preference Try heuristic sub-dissectors first (via the menu Edit → Preferences, Protocols → UDP).
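The heuristic works because every WireGuard message starts with a recognizable cleartext header (a type byte 1–4, three zero reserved bytes, and fixed sizes for the handshake and cookie messages). As an added example, not part of this repository, here is a Python sketch of such a heuristic plus a parser for the cleartext header fields; the layouts follow the WireGuard protocol specification, and the sample packets are constructed here for illustration.

```python
import struct

# WireGuard message types and their fixed total sizes (None = variable length).
MSG_TYPES = {
    1: ("handshake_initiation", 148),
    2: ("handshake_response", 92),
    3: ("cookie_reply", 64),
    4: ("transport_data", None),  # 16-byte header + ciphertext (>= 16-byte tag)
}

def is_wireguard(payload: bytes) -> bool:
    """Heuristic check in the spirit of a UDP heuristic sub-dissector."""
    if len(payload) < 16:
        return False
    msg_type = payload[0]
    if msg_type not in MSG_TYPES or payload[1:4] != b"\x00\x00\x00":
        return False
    size = MSG_TYPES[msg_type][1]
    if size is None:
        # Transport data: header plus at least the 16-byte Poly1305 tag (keepalive).
        return len(payload) >= 32
    return len(payload) == size

def parse_header(payload: bytes) -> dict:
    """Extract the unencrypted header fields (indices are little-endian)."""
    if not is_wireguard(payload):
        raise ValueError("not a WireGuard message")
    msg_type = payload[0]
    info = {"type": MSG_TYPES[msg_type][0]}
    if msg_type == 1:
        info["sender"] = struct.unpack_from("<I", payload, 4)[0]
        info["ephemeral"] = payload[8:40].hex()
    elif msg_type == 2:
        info["sender"], info["receiver"] = struct.unpack_from("<II", payload, 4)
        info["ephemeral"] = payload[12:44].hex()
    elif msg_type == 3:
        info["receiver"] = struct.unpack_from("<I", payload, 4)[0]
        info["nonce"] = payload[8:32].hex()
    else:
        info["receiver"], info["counter"] = struct.unpack_from("<IQ", payload, 4)
        info["ciphertext_len"] = len(payload) - 16
    return info

# Constructed samples: a keepalive transport message and a dummy initiation.
KEEPALIVE = (bytes([4, 0, 0, 0]) + (0xDEADBEEF).to_bytes(4, "little")
             + (7).to_bytes(8, "little") + b"\xaa" * 16)
INITIATION = bytes([1, 0, 0, 0]) + (42).to_bytes(4, "little") + b"\x11" * 32 + b"\x00" * 108

if __name__ == "__main__":
    for pkt in (KEEPALIVE, INITIATION):
        print(parse_header(pkt))
```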

Obtaining handshake and traffic secrets through key-probe.sh and key-extract.py

The key-probe.sh script enables tracing WireGuard function calls using kprobes. This raw data must be post-processed with key-extract.py to produce a keylog file with handshake and traffic secrets. A kernel with CONFIG_KPROBE_EVENT=y is required (most distros satisfy this requirement).

To get started, enable the required tracepoints:

sudo ./key-probe.sh

Next, obtain the trace output and extract keys from it. A one-shot approach that can be executed periodically:

sudo cat /sys/kernel/debug/tracing/trace > trace.txt
./key-extract.py < trace.txt > trace.keys

To continuously update the keylog file (useful for live captures, but note that reading from trace_pipe consumes the entries, so they are removed from the trace buffer):

sudo cat /sys/kernel/debug/tracing/trace_pipe | ./key-extract.py > trace.keys

To stop logging more keys, disable the tracepoints with:

sudo ./key-noprobe.sh

Obtaining traffic secrets through extract-keys

The extract-keys utility included with WireGuard can extract traffic secrets (for active sessions only) and requires the CONFIG_DEVKMEM=y option (many distros such as Arch Linux, Debian and Ubuntu have it disabled). See contrib/examples/extract-keys in the WireGuard sources for more details.

License

Copyright (C) 2017 Peter Wu ([email protected])

This project is licensed under the GPLv2 (or any later version) license. See LICENSE.txt for more details.
