Installing Wireshark On Linux for OpenFlow Packet Captures

Installing Wireshark On Linux for OpenFlow Packet Captures

Posted Feb 3 2013 by Brent Salisbury in  with 18 Comments

Wireshark

Installing Wireshark On Linux for OpenFlow Packet Captures
Update March 16, 2014:
Fedora 20 has native Wireshark OpenFlow support.
e.g:
yum install wireshark
  • Update: the OpenFlow dissector appears natively included in the nightly Ubuntu dev builds and even better, native in Fedora 19:
  • ### Fedora 19 Wireshark Installation ###
    1) sudo yum install wireshark
    2) Nothing! Its that easy w/ native OpenFlow support +1
    For an X session on Fedora over SSH perform the following.
    1) Install the following:
    sudo yum install xorg-x11-xauth
    sudo yum install xorg-x11-fonts-*
    sudo yum install xorg-x11-utils
    ======================
    2) Enable the following in the sshd_config file:
    =============================
    Change X11Forwarding to yes and uncomment:
    X11Forwarding yes
    ====== sshd_config ==========
    #AllowAgentForwarding yes
    #AllowTcpForwarding yes
    #GatewayPorts no
    #X11Forwarding no
    X11Forwarding yes <=== change this #X11DisplayOffset 10 #X11UseLocalhost yes #PrintMotd yes =============== $ export (should contain) declare -x DISPLAY="localhost:10.0" ========================= Now you can "ssh -X 192.168.1.100" to your host and run an X Wireshark session using "sudo wireshark".

### Mac Installation ###
Wireshark 1.11.0-SVN-52202
http://www.wireshark.org/download/automated/

  • For a Mac just install quartz and this build and run as su.
  • sudo /Applications/Wireshark.app/Contents/MacOS/Wireshark

### Installing on Ubuntu using the PPA repo try the following ###

  • sudo apt-get install python-software-properties
  • sudo add-apt-repository ppa:mighost/ppa
  • sudo apt-get update
  • ### The following was pulled from 1.12.0~201309171613-1ppa1~precise in a dpkg –list. You likely don’t need to mess with repo preferences.###
  • sudo apt-get install wireshark-common libwireshark3 libwireshark-data libwireshark3 libwiretap3
  • sudo wireshark
  • ### To run remotely you can connect using X over ssh with ‘ssh -XY

Link to the PPA Repo

OpenFlow from Package PPA

This tutorial is for those who are learning, troubleshooting and developing using the OpenFlow wire protocol. Packet captures are vital to troubleshooting issues that occur between the switch and OpenFlow controller. The instructions are for installing Wireshark from package or compiling and installing from source. It also walks through installing the OpenFlow v1.0 dissector plugin for Wireshark. Once the plugin is installed you will be able to view OpenFlow messaging in the Wireshark packet captures.

Installing Wireshark From Repositories
  • Ubuntu Wireshark installation from Repository

  • RedHat (CentOS/RHEL) Wireshark installation from Repository

Download and Installing The OpenFlow Wireshark Dissector Option #1

This dissector is maintained by Nick Bastin. I am wedging it in here as I missed this one when I initially wrote this post. The other Stanford version is older but works fine for OpenFlow v1.0 but this is much more up to date. The video below is for the original version covered in option #2 below. Start with this one.

Download and Installing The OpenFlow Wireshark Dissector Option #2

Before you go on you need to edit packet-openflow.c to fix a problem from a change in the Wireshark API.

Open the following C file in a text editor:

Add the following constant somewhere in the file with the other definitions. Look for “#define” and just add wedge it in there.

Next change find the function:
Change from:

To:

openflow.so

Figure 1. The void proto_reg_handoff_openflow() function after edit.

Copy the dynamic library or shared object (so file) packet-openflow.so into the Wireshark plugins directory.

Running Wireshark with the OpenFlow Dissector

If you get the following error, verify you edited acket-openflow.c properly and recompile the dissector again to create another packet-openflow.so object file.

Verifying OpenFlow Dissector and Wireshark Installation

In Wireshark go to Help->About->Plugins tab. You should see the OpenFlow plugin in the list.

OpenFlow Wireshark Dissector

Figure 2. The OpenFlow Wireshark plugin

You can now view the OpenFlow header and packet type from your Wireshark captures. More information on generating OpenFlow packets can be found in these tutorials.

OpenFlow Wireshark Plugin

Figure 3. Viewing OpenFlow messages in Wireshark.

Video of Installing and Operating Wireshark with OpenFlow Captures

Video 1. Screemcast of the Wireshark and OpenFlow plugin installation.

Compiling and Installing Wireshark from Source on Ubuntu and RHEL/CentOS
  • Ubuntu

  • RedHat (CentOS/RHEL) I didn’t verify the dependencies, but those should cover everything.

Download the source code from http://wireshark.org

Additional Reseources
  • OpenFlow Wireshark Dissector v1.0 – The dissector used in this tutorial.
  • OpenFlow v1.1+ Wireshark Nick Bastin put together a dissector supporting OpenFlow v1.1+. This doesn’t support v1.0. So before you pull out your hair wondering why you see the protocol recognized but not dissected, be sure to use a dissector that is supporting your OF version. E.g. learn from my mistakes :*(
  • My buddy Murphy McCauley has instructions for installing the dissector on a Mac over at Noxrepo.org.
  • I would be remiss while on the topic of sharks, if I didn’t take the chance to link to a petition against shark hunting, being used as live bait and the horrible practice of “finning” The Petition Site.

Thanks for stopping by.

Tags: , , Categories: 

About the Author

Brent SalisburyI have over 20 years of experience wearing various hats from, network engineer, architect, ops and software engineer. More at Brent's LinkedInView all posts by Brent Salisbury →

  1. www.techplanet7.comwww.techplanet7.com04-08-2013


    My coder is trying to convince me to move to .
    net from PHP. I have always disliked the idea because
    of the expenses. But he’s tryiong none the less. I’ve been
    using Movable-type on several websites for about a
    year and am anxious about switching to another platform.

    I have heard very good things about blogengine.net. Is there a way I can transfer all my wordpress posts into it?
    Any help would be greatly appreciated!

  2. ViajViaj04-23-2013


    In my view, if all people in IT and bloggers made
    good content as you did, the community will be much more useful than ever
    before. The Wireshark installation worked. Do you have one for a Mac?

  3. Brent SalisburyBrent Salisbury04-28-2013


    Thanks Viaj, appreciate the feedback. I have the steps for a Mac installation which was quite a pain in the a**. I will get them posted in the next couple of weeks.

    Cheers,
    -Brent

  4. Jason ParragaJason Parraga06-19-2013


    Brent Salisbury’s tutorials coming in the clutch again…

  5. Brent SalisburyBrent Salisbury06-20-2013


    Ha, Im embarrassed to say how long it took me to get the right combination of dependencies, Wireshark build and dissector to get it on a Mac. GTK+ and Wireshark are balls at the moment.

    Good news is I think we are close to getting the dissector pushed into Wireshark hopefully if all goes well.

    Later pal,
    -Brent

  6. Matthew IrelandMatthew Ireland07-19-2013


    Just in case anybody experiences the same problem (packet-openflow.c: fatal error: cannot find config.h, cannot find epan/emem.h etc), I had to git clone git://gitosis.stanford.edu/openflow.git and then export WIRESHARK=openflow/utilities/wireshark_dissectors/wireshark-1.0.0-includes before using method 1 as described here.

    I’m using Ubuntu 12.04, with wireshark installed from the repositories.

  7. Sumit AroraSumit Arora08-26-2013


    Dear Brent ,

    For Wireshark’s OF Plugin, I did exactly what defined above : but it throws following error :

    Couldn’t load module /usr/lib/wireshark/libwireshark2/plugins/packet-openflow.so: /usr/lib/wireshark/libwireshark2/plugins/packet-openflow.so: undefined symbol: dissector_add

    Couldn’t load module /usr/lib/wireshark/libwireshark2/plugins/openflow.so: /usr/lib/wireshark/libwireshark2/plugins/openflow.so: undefined symbol: try_val_to_str

    Lua: Error during loading:
    [string “/usr/share/wireshark/init.lua”]:45: dofile has been disabled

    /Sumit

    • marcomarco09-05-2013


      Hi Sumit,

      I am having the same issue, have you find a solution?

      Thank you in advance
      Regards,
      Marco

      • Sumit AroraSumit Arora09-05-2013


        Marco,

        You can try if this helps:
        https://mailman.stanford.edu/pipermail/openflow-discuss/2012-April/003165.html

        (It worked for me )

        /Sumit

        • marcomarco09-05-2013


          Thank you Sumit,
          Yes, it worked for me and I should have tried Option 2 in Brent article because it describes the same process.

          Thank you Brent for the great site

          • Brent SalisburyBrent Salisbury09-08-2013


            Thanks Marco, very kind to say. Sumit thanks buddy! I still haven’t gotten back to debug the dissector on my MAC+latest Wireshark ver. I’ve just been using Mininet primarily for dev w/ the included shark install anyways. Argh, we need to code OF pushed upstream into Wireshark soon.

  8. GopalGopal10-22-2013


    Followed instructions based on your update portion first. However, there is no packet-openflow.so or openflow.so in the plugins folder (even though ‘openflow’ appears in the filter list). Then tried option#1 (scons install). Gave error about no config.h file. Saw README which says I need to have wireshark source code and do at least a ./configure to get headers. But where do I place the dissector code in relation to the wireshark source code? Then tried option#2 and even followed instructions in link by sumit. While it fixed the dissector_add error, it gave a new error about check_col not defined. Read somewhere that it was to be deprecated. So currently, I have not been able to get openflow dissector working through any of the install methods.

    What finally worked for me — downloaded the mininet ova VM. It has a built in wireshark with working dissector. Cloned the VM and can use that with floodlight or any other controller (I wanted mininet and controller in separate VMs).

    Thanks for the great site. Learning quite a bit (albeit very very slowly).

  9. Morgan YangMorgan Yang01-11-2014


    Hi Brent:

    I was wondering if you have come across “malform packets” with using the ofdissect plugin with certain OF1.3 flow modification messages. I’m aslo curious if you have (since the time of this post) come across any OF1.3 tcpdump plugins. Thanks!

    • Brent SalisburyBrent Salisbury01-19-2014


      For sure, it is likely either something incomplete in the dissector or unsupported like a vendor extension and so on. It could also be a bug with a malformed OF message.
      Cheers
      Brent

  10. PasqualePasquale03-01-2014


    I followed your tutorial and the plugin is running.
    Anyway, excluding simple hello messages, every message is not decoded.
    On most of packets I get a DISSECTOR_ASSERT_NOT_REACHED on the file proto.c. Those are tcp, icmp and the 90% of packets I scan.

    My wireshark version is an 1.8.2 which comes from the default repositories of ubuntu 12.04.

  11. Brent SalisburyBrent Salisbury03-16-2014


    Hi Pasquale, for Ubuntu check the following wiki entry on the OpenDaylight site:

    https://wiki.opendaylight.org/view/OpenDaylight_OpenFlow_Plugin:OF1.3_Enabled_Wireshark

    I would avoid dissectors now as not necessary unless looking to do Wireshark development work upstream since everything is now mostly natively supported from packages.

    Cheers,
    -Brent

  12. amhaamha04-12-2014


    when installing ‘scons install’, then appear
    gcc -o packet-openflow.os -c -fPIC -I. -I/usr/include/wireshark -I/usr/include/glib-2.0 -I/usr/lib/i386-linux-gnu/glib-2.0/include packet-openflow.c
    packet-openflow.c:17:20: fatal error: config.h: No such file or directory
    compilation terminated.
    scons: *** [packet-openflow.os] Error 1
    scons: building terminated because of errors.

    what should i do?