Re: Packet sample repository/library?

[Peter Wu <peter () lekensteyn nl>]

Hi Jirka,

On Mon, Dec 19, 2016 at 10:57:08AM +0100, Jirka Novak wrote:
> Hello,
>
>   I'm looking for repository/library with packet samples suitable for
> developers. I found a lot of repositories over the Internet, but they
> just contain samples and you are able to find protocols used in sample
> (e.g. RTP).
>   As developer when I change part of code, I should retest it with as
> much samples as possible to verify whether change works fine with my
> sample (why I'm doing a change) and if I didn't break old functionality.

For a basic testing framework, have a look at
https://github.com/wireshark/happy-shark

To-do: populate the test/ directory with lots of specific samples :-)

> Therefore I should be able to select samples which are relevant to my
> change and be able to verify whether it is evaluated as expected.
>
>   To be able to do so, samples should be commented/documented in two ways:
> 1) What sample contains
> 2) How it should be decoded/shown in Wireshark
>
> There are a few ideas (I'm working in voice area):
>
> - Sample contains full regular SIP session, with SDP, with related RTP.
> RTP is dynamic payload described in SDP.
>   - SIP session should be shown
>   - SDP should be decoded
>   - RTP should be decoded as described in SDP
> - Sample contains rejected SIP session because of XXX
>   - SIP session should be shown
>   - SIP calls view should show call as failed
> - Sample contains RTP call with extended header XXX
>   - RTP header should be decoded as ...
>   - Call Flow should show bit XXX in RTP stream
> - Sample contains RTSP session from XXX with RTP media in UDP
>   - sample should be decoded
>   - RTP should be decoded as described in Transport header
> - Sample contains RTP stream with missing packets
>   - sample should be decoded
>   - RTP Stream Analysis should show sequence error
>
>   In other words, there should be attached specification for Wireshark
> developer, how the sample should be processed. Therefore it can be
> verified later by man or engine (maybe in future :-)).

This is a scenario that is probably worth adding to test/ (in the
Wireshark source tree) if it is not too large.

The SampleCaptures wiki contains some (synthetic/real-world) SIP and RTP
captures, but it is not really in a machine-readable format:
https://wiki.wireshark.org/SampleCaptures#SIP_and_RTP

Feel free to upload your captures there though :-)

>   It is obvious that same sample can be used for multiple purposes -
> e.g. RTSP with RTP sample can be used for testing RTPS and for RTP too.
> Specification can be changed during time. Therefore it should be easy
> editable.
>
>   Does anyone know about something I'm looking for?

I think that happy-shark (which uses PDML output with a XSL
post-processor) does what you want.

In case a dissector checks for the pinfo->visited flag, you have to run
pcaps through both:

 - tshark -r some.pcap -Tpdml
 - tshark -r some.pcap -Tpdml -2
-- 
Kind regards,
Peter Wu
https://lekensteyn.nl
___________________________________________________________________________
Sent via:    Wireshark-dev mailing list <wireshark-dev () wireshark org>
Archives:    https://www.wireshark.org/lists/wireshark-dev
Unsubscribe: https://www.wireshark.org/mailman/options/wireshark-dev
             mailto:wireshark-dev-request () wireshark org?subject=unsubscribe