Installing Wireshark On Linux for OpenFlow Packet Captures

[fancy_header3 variation=”orange”]Installing Wireshark On Linux for OpenFlow Packet Captures[/fancy_header3]

[warning_box]Update March 16, 2014:
Fedora 20 has native Wireshark OpenFlow support, e.g.:
yum install wireshark
[/warning_box]

[note_box]

  • Update: the OpenFlow dissector appears to be natively included in the nightly Ubuntu dev builds and, even better, is native in Fedora 19:

### Fedora 19 Wireshark Installation ###

    1) sudo yum install wireshark
    2) Nothing! It's that easy with native OpenFlow support +1

    For an X session on Fedora over SSH perform the following.

    1) Install the following:
    sudo yum install xorg-x11-xauth
    sudo yum install xorg-x11-fonts-*
    sudo yum install xorg-x11-utils
    ======================

    2) Enable X11 forwarding in the sshd_config file: change X11Forwarding to yes and uncomment the line:
    X11Forwarding yes
    ====== sshd_config ==========
    #AllowAgentForwarding yes
    #AllowTcpForwarding yes
    #GatewayPorts no
    #X11Forwarding no
    X11Forwarding yes <=== change this
    #X11DisplayOffset 10
    #X11UseLocalhost yes
    #PrintMotd yes
    =============================

    $ export (should contain)
    declare -x DISPLAY="localhost:10.0"
    =========================

    Now you can "ssh -X 192.168.1.100" to your host and run an X Wireshark session using "sudo wireshark".

### Mac Installation ###
Wireshark 1.11.0-SVN-52202
http://www.wireshark.org/download/automated/

  • For a Mac, just install Quartz and this build, then run it with sudo:
  • sudo /Applications/Wireshark.app/Contents/MacOS/Wireshark

### Installing on Ubuntu using the PPA repo, try the following ###

  • sudo apt-get install python-software-properties
  • sudo add-apt-repository ppa:mighost/ppa
  • sudo apt-get update
  • ### The following was pulled from 1.12.0~201309171613-1ppa1~precise in a dpkg --list. You likely don’t need to mess with repo preferences. ###
  • sudo apt-get install wireshark-common libwireshark3 libwireshark-data libwiretap3
  • sudo wireshark
  • ### To run remotely you can connect using X over ssh with ‘ssh -XY

Link to the PPA Repo
[/note_box]
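As an added check for the sshd_config step above (example code, not from the original post): OpenSSH's sshd keeps the first uncommented value it reads for a keyword, so a forgotten "X11Forwarding no" sitting above your edit silently wins. The helper below parses a constructed sshd_config fragment modelled on the one above and reports the value sshd will actually honour; the DISPLAY check mirrors the "localhost:10.0" value shown. Directives after a Match line are treated as conditional and skipped, which is a simplification I am assuming here.

```python
import re
from typing import Optional

# Constructed sample modelled on the sshd_config fragment in the post: the stock
# commented-out default stays, and an uncommented override is added below it.
SAMPLE_SSHD_CONFIG = """\
#AllowAgentForwarding yes
#AllowTcpForwarding yes
#GatewayPorts no
#X11Forwarding no
X11Forwarding yes
#X11DisplayOffset 10
#X11UseLocalhost yes
#PrintMotd yes
"""

def effective_setting(config_text: str, keyword: str) -> Optional[str]:
    """Return the value sshd will use for `keyword`, or None if it is unset.

    sshd keeps the FIRST uncommented occurrence of a keyword, so a stray
    'X11Forwarding no' above your edit silently wins. Directives after a
    Match line only apply conditionally, so they are skipped here (assumption:
    we only care about the global section).
    """
    in_match = False
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue                      # blank line or commented-out default
        parts = re.split(r"[\s=]+", line, maxsplit=1)   # 'Key value' or 'Key=value'
        key = parts[0].lower()            # sshd keywords are case-insensitive
        if key == "match":
            in_match = True
            continue
        if in_match or len(parts) != 2:
            continue
        if key == keyword.lower():
            return parts[1].strip()
    return None

def x11_forwarding_enabled(config_text: str) -> bool:
    """True only when the directive sshd actually honours is 'yes'."""
    value = effective_setting(config_text, "X11Forwarding") or "no"   # sshd default
    return value.lower() == "yes"

def display_looks_forwarded(display: str) -> bool:
    """True for the localhost:10.0 style DISPLAY that a forwarded session exports."""
    return re.fullmatch(r"localhost:\d+(\.\d+)?", display) is not None
```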

[image_frame style=”framed_shadow” align=”center” alt=”OpenFlow from Package PPA” width=”520″]http://networkstatic.net/wp-content/uploads/2013/10/Wireshark-OpenFlow.jpeg[/image_frame]

This tutorial is for those who are learning, troubleshooting and developing with the OpenFlow wire protocol. Packet captures are vital to troubleshooting issues that occur between the switch and the OpenFlow controller. The instructions cover installing Wireshark from packages or compiling and installing it from source. It also walks through installing the OpenFlow v1.0 dissector plugin for Wireshark. Once the plugin is installed you will be able to view OpenFlow messaging in your Wireshark packet captures.

[fancy_header3 variation=”orange”]Installing Wireshark From Repositories[/fancy_header3]

[fancy_list style=”circle_arrow” variation=”orange”]

  • Ubuntu Wireshark installation from Repository

[/fancy_list]

[fancy_list style=”circle_arrow” variation=”orange”]

  • RedHat (CentOS/RHEL) Wireshark installation from Repository

[/fancy_list]

[fancy_header3 variation=”orange”]Download and Installing The OpenFlow Wireshark Dissector Option #1 [/fancy_header3]

This dissector is maintained by Nick Bastin. I am wedging it in here as I missed this one when I initially wrote this post. The other, Stanford version is older but works fine for OpenFlow v1.0; this one is much more up to date. The video below is for the original version covered in option #2 below. Start with this one.




[fancy_header3 variation=”orange”]Download and Installing The OpenFlow Wireshark Dissector Option #2[/fancy_header3]


Before you go on you need to edit packet-openflow.c to fix a problem from a change in the Wireshark API.

Open the following C file in a text editor:

Add the following constant somewhere in the file with the other definitions. Look for “#define” and just wedge it in there.

Next, find the function:
Change from:

To:

[image_frame style=”framed_shadow” align=”center” alt=”openflow.so” height=”64″ width=”455″]http://networkstatic.net/wp-content/uploads/2013/02/openflow.so_.jpg[/image_frame]
Figure 1. The void proto_reg_handoff_openflow() function after edit.

Copy the dynamic library or shared object (so file) packet-openflow.so into the Wireshark plugins directory.

[fancy_header3 variation=”orange”]Running Wireshark with the OpenFlow Dissector[/fancy_header3]

If you get the following error, verify you edited packet-openflow.c properly and recompile the dissector to create a new packet-openflow.so object file.

[fancy_header3 variation=”orange”]Verifying OpenFlow Dissector and Wireshark Installation[/fancy_header3]

In Wireshark go to Help->About->Plugins tab. You should see the OpenFlow plugin in the list.

[image_frame style=”framed_shadow” align=”center” alt=”OpenFlow Wireshark Dissector” height=”468″ width=”498″]http://networkstatic.net/wp-content/uploads/2013/02/about-plugin.jpg[/image_frame]

Figure 2. The OpenFlow Wireshark plugin


You can now view the OpenFlow header and packet type from your Wireshark captures. More information on generating OpenFlow packets can be found in these tutorials.

[image_frame style=”framed_shadow” align=”center” alt=”OpenFlow Wireshark Plugin” height=”500″ width=”555″]http://networkstatic.net/wp-content/uploads/2013/02/wireshark-openflow.jpg[/image_frame]

Figure 3. Viewing OpenFlow messages in Wireshark.

[fancy_header3 variation=”orange”]Video of Installing and Operating Wireshark with OpenFlow Captures[/fancy_header3]

[youtube url=”http://youtu.be/Uo1TN3nAxCg” width=”640″ height=”360″ hd=”1″]
Video 1. Screencast of the Wireshark and OpenFlow plugin installation.

[fancy_header3 variation=”orange”]Compiling and Installing Wireshark from Source on Ubuntu and RHEL/CentOS[/fancy_header3]

[fancy_list style=”circle_arrow” variation=”orange”]

  • Ubuntu

[/fancy_list]

[fancy_list style=”circle_arrow” variation=”orange”]

  • RedHat (CentOS/RHEL). I didn’t verify the dependencies, but those should cover everything.

[/fancy_list]

Download the source code from http://wireshark.org


[fancy_header3 variation=”orange”]Additional Resources[/fancy_header3]

[fancy_list style=”circle_arrow” variation=”orange”]

  • OpenFlow Wireshark Dissector v1.0 – The dissector used in this tutorial.
  • OpenFlow v1.1+ Wireshark: Nick Bastin put together a dissector supporting OpenFlow v1.1+. This one doesn’t support v1.0, so before you pull your hair out wondering why you see the protocol recognized but not dissected, be sure to use a dissector that supports your OF version. Learn from my mistakes :*(
  • My buddy Murphy McCauley has instructions for installing the dissector on a Mac over at Noxrepo.org.
  • I would be remiss, while on the topic of sharks, if I didn’t take the chance to link to a petition against shark hunting, sharks being used as live bait and the horrible practice of “finning”: The Petition Site.

[/fancy_list]
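As an added example (not code from the post or from either dissector project), the parser below does in a few lines what Figure 3 shows in Wireshark and what the v1.0 vs v1.1+ note warns about: it walks the 8-byte OpenFlow header (version, type, length, xid) of each message in a constructed TCP payload, decodes OpenFlow 1.0 message types, reports a 1.3 message as recognised but not dissected, and flags a length field that overruns the segment as malformed. The class and function names and the sample bytes are mine.

```python
import struct
from dataclasses import dataclass
from typing import List

OF_VERSIONS = {0x01: "1.0", 0x02: "1.1", 0x03: "1.2", 0x04: "1.3"}
# Message types of the OpenFlow 1.0 wire protocol, the only version the
# Stanford dissector used in this post decodes (table abridged at BARRIER).
OF10_TYPES = {0: "HELLO", 1: "ERROR", 2: "ECHO_REQUEST", 3: "ECHO_REPLY",
              4: "VENDOR", 5: "FEATURES_REQUEST", 6: "FEATURES_REPLY",
              7: "GET_CONFIG_REQUEST", 8: "GET_CONFIG_REPLY", 9: "SET_CONFIG",
              10: "PACKET_IN", 11: "FLOW_REMOVED", 12: "PORT_STATUS",
              13: "PACKET_OUT", 14: "FLOW_MOD", 15: "PORT_MOD",
              16: "STATS_REQUEST", 17: "STATS_REPLY",
              18: "BARRIER_REQUEST", 19: "BARRIER_REPLY"}
OFP_HEADER = struct.Struct("!BBHI")   # version, type, length, xid; network byte order

@dataclass
class OFMessage:
    version: str     # "1.0" .. "1.3", or the raw byte if unknown
    msg_type: str    # decoded 1.0 name, or "UNDISSECTED" for other versions
    length: int
    xid: int
    status: str      # "ok", "version-unsupported" or "malformed"

def dissect_stream(buf: bytes) -> List[OFMessage]:
    """Walk every OpenFlow message in one TCP payload the way a dissector does."""
    out, off = [], 0
    while off < len(buf):
        if len(buf) - off < OFP_HEADER.size:
            out.append(OFMessage("?", "?", len(buf) - off, 0, "malformed"))
            break                         # truncated header
        version, mtype, length, xid = OFP_HEADER.unpack_from(buf, off)
        ver = OF_VERSIONS.get(version, f"0x{version:02x}")
        if version not in OF_VERSIONS or length < OFP_HEADER.size or off + length > len(buf):
            # Unknown version byte, or a length field that runs past the segment.
            out.append(OFMessage(ver, "?", length, xid, "malformed"))
            break
        if ver != "1.0":
            # Valid version byte, so the protocol is recognised, but a 1.0-only
            # dissector has no type table for it: "recognised but not dissected".
            out.append(OFMessage(ver, "UNDISSECTED", length, xid, "version-unsupported"))
        else:
            out.append(OFMessage(ver, OF10_TYPES.get(mtype, f"TYPE_{mtype}"), length, xid, "ok"))
        off += length                     # next message starts right after this one
    return out

# Constructed sample segment: a 1.0 HELLO, a 1.0 ECHO_REQUEST, then a 1.3 HELLO.
SAMPLE_SEGMENT = (OFP_HEADER.pack(0x01, 0, 8, 1) + OFP_HEADER.pack(0x01, 2, 8, 2)
                  + OFP_HEADER.pack(0x04, 0, 8, 3))
```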


Thanks for stopping by.


By Brent Salisbury

I have over 20 years of experience wearing various hats, from network engineer and architect to ops and software engineer. More at Brent's LinkedIn

18 comments


  1. My coder is trying to convince me to move to .net from PHP. I have always disliked the idea because
    of the expenses. But he’s trying none the less. I’ve been
    using Movable-type on several websites for about a
    year and am anxious about switching to another platform.

    I have heard very good things about blogengine.net. Is there a way I can transfer all my wordpress posts into it?
    Any help would be greatly appreciated!


  2. In my view, if all people in IT and bloggers made
    good content as you did, the community would be much more useful than ever
    before. The Wireshark installation worked. Do you have one for a Mac?


  3. Thanks Viaj, appreciate the feedback. I have the steps for a Mac installation which was quite a pain in the a**. I will get them posted in the next couple of weeks.

    Cheers,
    -Brent


  4. Ha, I’m embarrassed to say how long it took me to get the right combination of dependencies, Wireshark build and dissector to get it on a Mac. GTK+ and Wireshark are balls at the moment.

    Good news is I think we are close to getting the dissector pushed into Wireshark hopefully if all goes well.

    Later pal,
    -Brent


  5. Just in case anybody experiences the same problem (packet-openflow.c: fatal error: cannot find config.h, cannot find epan/emem.h etc), I had to git clone git://gitosis.stanford.edu/openflow.git and then export WIRESHARK=openflow/utilities/wireshark_dissectors/wireshark-1.0.0-includes before using method 1 as described here.

    I’m using Ubuntu 12.04, with wireshark installed from the repositories.


  6. Dear Brent ,

    For Wireshark’s OF Plugin, I did exactly what defined above : but it throws following error :

    Couldn’t load module /usr/lib/wireshark/libwireshark2/plugins/packet-openflow.so: /usr/lib/wireshark/libwireshark2/plugins/packet-openflow.so: undefined symbol: dissector_add

    Couldn’t load module /usr/lib/wireshark/libwireshark2/plugins/openflow.so: /usr/lib/wireshark/libwireshark2/plugins/openflow.so: undefined symbol: try_val_to_str

    Lua: Error during loading:
    [string “/usr/share/wireshark/init.lua”]:45: dofile has been disabled

    /Sumit


    1. Hi Sumit,

      I am having the same issue, have you found a solution?

      Thank you in advance
      Regards,
      Marco


        1. Thank you Sumit,
          Yes, it worked for me and I should have tried Option 2 in Brent’s article because it describes the same process.

          Thank you Brent for the great site


          1. Thanks Marco, very kind to say. Sumit thanks buddy! I still haven’t gotten back to debug the dissector on my MAC+latest Wireshark ver. I’ve just been using Mininet primarily for dev w/ the included shark install anyways. Argh, we need to code OF pushed upstream into Wireshark soon.


  7. Followed instructions based on your update portion first. However, there is no packet-openflow.so or openflow.so in the plugins folder (even though ‘openflow’ appears in the filter list). Then tried option#1 (scons install). Gave error about no config.h file. Saw README which says I need to have wireshark source code and do at least a ./configure to get headers. But where do I place the dissector code in relation to the wireshark source code? Then tried option#2 and even followed instructions in link by sumit. While it fixed the dissector_add error, it gave a new error about check_col not defined. Read somewhere that it was to be deprecated. So currently, I have not been able to get openflow dissector working through any of the install methods.

    What finally worked for me — downloaded the mininet ova VM. It has a built in wireshark with working dissector. Cloned the VM and can use that with floodlight or any other controller (I wanted mininet and controller in separate VMs).

    Thanks for the great site. Learning quite a bit (albeit very very slowly).


  8. Hi Brent:

    I was wondering if you have come across “malform packets” when using the ofdissect plugin with certain OF1.3 flow modification messages. I’m also curious if you have (since the time of this post) come across any OF1.3 tcpdump plugins. Thanks!


    1. For sure, it is likely either something incomplete in the dissector or unsupported like a vendor extension and so on. It could also be a bug with a malformed OF message.
      Cheers
      Brent


  9. I followed your tutorial and the plugin is running.
    Anyway, excluding simple hello messages, no message is decoded.
    On most packets I get a DISSECTOR_ASSERT_NOT_REACHED in the file proto.c. Those are tcp, icmp and 90% of the packets I scan.

    My wireshark version is an 1.8.2 which comes from the default repositories of ubuntu 12.04.


  10. When running ‘scons install’, the following appears:
    gcc -o packet-openflow.os -c -fPIC -I. -I/usr/include/wireshark -I/usr/include/glib-2.0 -I/usr/lib/i386-linux-gnu/glib-2.0/include packet-openflow.c
    packet-openflow.c:17:20: fatal error: config.h: No such file or directory
    compilation terminated.
    scons: *** [packet-openflow.os] Error 1
    scons: building terminated because of errors.

    What should I do?
