From: James Wilson
Date: Thu, 2 Mar 2017 08:37:09 -0500
Subject: Re: Encapsulation
To: Daniel Kahn Gillmor
Cc: wireguard@lists.zx2c4.com
List-Id: Development discussion of WireGuard
In-Reply-To: <871sugpifa.fsf@alice.fifthhorseman.net>

Thanks Daniel, that's what I was trying to figure out.

If what you're saying is true, if the encrypted blob contains an IP packet it would mean that it would look like this

Ethernet
IP
UDP
Ethernet
IP
WG payload

James

On Wed, Mar 1, 2017 at 8:38 PM, Daniel Kahn Gillmor wrote:
> On Wed 2017-03-01 16:38:05 -0800, James Wilson wrote:
> > Hi,
> >
> > Just out of curiosity, how does a "wireguard packet" look like on the wire ??
> >
> > I'm guessing:
> >
> >  Ethernet
> >  IP
> >  UDP
> > |------------------|
> > | IP               |
> > | WG payload       |
> > |------------------|
> >
> >
> > What's in the box is encrypted
> >
> > Is that right ?? If not, what does it look like?
>
> I believe the cleartext (after decryption) is an actual IP packet, so
> everything from layer3 up the stack.
>
> If anyone wants to document this sort of thing explicitly in a useful
> way, you might consider writing a wireshark dissector:
>
>   https://www.wireshark.org/docs/wsdg_html_chunked/ChDissectAdd.html
>
> and you can clone wireshark's source with:
>
>    git clone https://code.wireshark.org/review/wireshark
>
> The simplest thing would be to start with a dissector for the ciphertext
> itself, for the few pieces of metadata that are outside the encrypted
> packet (see e.g. §5.4.2 of
> https://www.wireguard.io/papers/wireguard.pdf)
>
> If you want to get more clever, you could add a mechanism to the
> wireguard module to extract session keys, and then make a decryptor
> plugin to wireshark. But start with just the ciphertext ;)
>
>       --dkg
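The "dissector for the ciphertext itself" that dkg suggests as a starting point, as an added stand-alone example (not code from the thread or from the WireGuard project): it parses only the cleartext metadata of each WireGuard message type as laid out in the whitepaper, decrypts nothing, and reports how large the encapsulated IP packet is. The sample message bytes are constructed for illustration.

```python
import struct

# WireGuard message types and the fixed on-wire sizes of the three handshake messages
MSG_TYPES = {1: "handshake_initiation", 2: "handshake_response",
             3: "cookie_reply", 4: "transport_data"}
FIXED_SIZES = {1: 148, 2: 92, 3: 64}
AEAD_TAG_LEN = 16  # Poly1305 tag appended to every encrypted field


def dissect(udp_payload: bytes) -> dict:
    """Parse the unencrypted fields of one WireGuard UDP payload.

    Only metadata outside the encrypted packet is read; all fields are
    little-endian. Malformed input raises ValueError, like a dissector
    flagging a malformed packet.
    """
    if len(udp_payload) < 4:
        raise ValueError("too short for a WireGuard message")
    msg_type, reserved = udp_payload[0], udp_payload[1:4]
    if msg_type not in MSG_TYPES:
        raise ValueError(f"unknown message type {msg_type}")
    if reserved != b"\x00\x00\x00":
        raise ValueError("reserved bytes must be zero")
    info = {"type": MSG_TYPES[msg_type]}
    if msg_type == 4:
        # type(1) reserved(3) receiver(4) counter(8) encrypted packet(var)
        if len(udp_payload) < 16 + AEAD_TAG_LEN:
            raise ValueError("transport message too short")
        info["receiver"], info["counter"] = struct.unpack_from("<IQ", udp_payload, 4)
        ciphertext = udp_payload[16:]
        info["ciphertext_len"] = len(ciphertext)
        # Once decrypted, the payload is an IP packet (layer 3 up), or empty for a keepalive
        info["inner_ip_len"] = len(ciphertext) - AEAD_TAG_LEN
        info["keepalive"] = info["inner_ip_len"] == 0
        return info
    if len(udp_payload) != FIXED_SIZES[msg_type]:
        raise ValueError(f"type {msg_type} must be {FIXED_SIZES[msg_type]} bytes")
    if msg_type == 1:
        info["sender"] = struct.unpack_from("<I", udp_payload, 4)[0]
    elif msg_type == 2:
        info["sender"], info["receiver"] = struct.unpack_from("<II", udp_payload, 4)
    else:
        info["receiver"] = struct.unpack_from("<I", udp_payload, 4)[0]
    return info


# Constructed sample: transport message whose plaintext is a 20-byte IP packet
SAMPLE_TRANSPORT = (bytes([4, 0, 0, 0]) + struct.pack("<IQ", 0x11223344, 7)
                    + b"\xaa" * (20 + AEAD_TAG_LEN))
# Constructed sample: keepalive (empty plaintext, so only the 16-byte tag remains)
SAMPLE_KEEPALIVE = bytes([4, 0, 0, 0]) + struct.pack("<IQ", 1, 0) + bytes(AEAD_TAG_LEN)
```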