* Encapsulation
@ 2017-03-02 0:38 James Wilson
2017-03-02 1:09 ` Encapsulation Jason A. Donenfeld
2017-03-02 1:38 ` Encapsulation Daniel Kahn Gillmor
0 siblings, 2 replies; 6+ messages in thread
From: James Wilson @ 2017-03-02 0:38 UTC (permalink / raw)
To: wireguard
Hi,
Just out of curiosity, what does a "wireguard packet" look like on the wire?
I'm guessing:
Ethernet
IP
UDP
|------------------|
|        IP        |
|    WG payload    |
|------------------|
What's in the box is encrypted.
Is that right? If not, what does it look like?
Thanks,
James
* Re: Encapsulation
From: Jason A. Donenfeld @ 2017-03-02 1:09 UTC (permalink / raw)
To: James Wilson; +Cc: WireGuard mailing list
https://www.wireguard.io/protocol/
https://www.wireguard.io/papers/wireguard.pdf section 5.4
* Re: Encapsulation
From: Daniel Kahn Gillmor @ 2017-03-02 1:38 UTC (permalink / raw)
To: James Wilson, wireguard
On Wed 2017-03-01 16:38:05 -0800, James Wilson wrote:
> Hi,
>
> Just out of curiosity, what does a "wireguard packet" look like on the wire?
>
> I'm guessing:
>
> Ethernet
> IP
> UDP
> |------------------|
> |        IP        |
> |    WG payload    |
> |------------------|
>
>
> What's in the box is encrypted.
>
> Is that right? If not, what does it look like?
I believe the cleartext (after decryption) is an actual IP packet, so
everything from layer3 up the stack.
If anyone wants to document this sort of thing explicitly in a useful
way, you might consider writing a wireshark dissector:
https://www.wireshark.org/docs/wsdg_html_chunked/ChDissectAdd.html
and you can clone wireshark's source with:
git clone https://code.wireshark.org/review/wireshark
The simplest thing would be to start with a dissector for the ciphertext
itself, for the few pieces of metadata that are outside the encrypted
packet (see e.g. §5.4.2 of
https://www.wireguard.io/papers/wireguard.pdf)
If you want to get more clever, you could add a mechanism to the
wireguard module to extract session keys, and then make a decryptor
plugin to wireshark. But start with just the ciphertext ;)
--dkg
* Re: Encapsulation
From: James Wilson @ 2017-03-02 13:37 UTC (permalink / raw)
To: Daniel Kahn Gillmor; +Cc: wireguard
Thanks Daniel, that's what I was trying to figure out.
If what you're saying is true, if the encrypted blob contains an IP packet,
it would mean that it would look like this:
Ethernet
IP
UDP
Ethernet
IP
WG payload
James
* Re: Encapsulation
From: Peter Wu @ 2017-03-02 16:58 UTC (permalink / raw)
To: Daniel Kahn Gillmor; +Cc: James Wilson, wireguard
On Wed, Mar 01, 2017 at 05:38:01PM -0800, Daniel Kahn Gillmor wrote:
> On Wed 2017-03-01 16:38:05 -0800, James Wilson wrote:
> > Hi,
> >
> > Just out of curiosity, what does a "wireguard packet" look like on the wire?
> >
> > I'm guessing:
> >
> > Ethernet
> > IP
> > UDP
> > |------------------|
> > |        IP        |
> > |    WG payload    |
> > |------------------|
> >
> >
> > What's in the box is encrypted.
> >
> > Is that right? If not, what does it look like?
>
> I believe the cleartext (after decryption) is an actual IP packet, so
> everything from layer3 up the stack.
It is more like:
    Ethernet
      IP (to WireGuard peer)
        UDP (UDP payload is as follows:)
          WireGuard header (type, counter)
          Packet (encrypted, decrypted contents are as follows:)
            IP (original)
              (IP payload like ICMP, TCP, etc.)
If it helps, see this picture of the packet dissection for an ICMP
packet tunneled over WireGuard: https://i.imgur.com/MzubvX3.png
> If anyone wants to document this sort of thing explicitly in a useful
> way, you might consider writing a wireshark dissector:
As you can see above I have already been working on one and will publish
it soon after adding some documentation. :-)
--
Kind regards,
Peter Wu
https://lekensteyn.nl
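
Added example, not part of the thread and not code from any poster's dissector: a Python parser for the fields of the UDP payload that stay in cleartext, following the layout described in the message above. The 16-byte transport header (type, reserved, receiver index, counter) and the fixed handshake message sizes are taken from the WireGuard whitepaper, section 5.4; the function name and the sample bytes are constructed for this example.

```python
import struct

# Message types and fixed sizes from the WireGuard whitepaper, section 5.4.
HANDSHAKE_INITIATION, HANDSHAKE_RESPONSE, COOKIE_REPLY, TRANSPORT_DATA = 1, 2, 3, 4
FIXED_SIZES = {HANDSHAKE_INITIATION: 148, HANDSHAKE_RESPONSE: 92, COOKIE_REPLY: 64}
TRANSPORT_HEADER = struct.Struct("<B3sIQ")  # type, reserved, receiver index, counter
TAG_LEN = 16  # Poly1305 tag appended to the encrypted inner packet


def parse_wg_payload(udp_payload: bytes) -> dict:
    """Return the cleartext fields of one WireGuard message (a UDP payload)."""
    if len(udp_payload) < 4:
        raise ValueError("too short for a WireGuard message")
    msg_type, reserved = udp_payload[0], udp_payload[1:4]
    if reserved != b"\x00\x00\x00":
        raise ValueError("reserved bytes are not zero")
    if msg_type in FIXED_SIZES:
        # Handshake and cookie messages have one valid length each.
        if len(udp_payload) != FIXED_SIZES[msg_type]:
            raise ValueError("wrong length for message type %d" % msg_type)
        return {"type": msg_type}
    if msg_type != TRANSPORT_DATA:
        raise ValueError("unknown message type %d" % msg_type)
    if len(udp_payload) < TRANSPORT_HEADER.size + TAG_LEN:
        raise ValueError("transport message shorter than header plus tag")
    _, _, receiver, counter = TRANSPORT_HEADER.unpack_from(udp_payload)
    ciphertext = udp_payload[TRANSPORT_HEADER.size:]
    return {
        "type": msg_type,
        "receiver": receiver,  # receiver's session index, little-endian
        "counter": counter,    # 64-bit nonce counter, little-endian
        # The inner IP packet is opaque here; only its padded length is visible.
        "inner_len": len(ciphertext) - TAG_LEN,
        "keepalive": len(ciphertext) == TAG_LEN,
    }


# Constructed sample: transport message, receiver 0x11223344, counter 5,
# 32 placeholder ciphertext bytes (16-byte padded inner packet plus tag).
SAMPLE = TRANSPORT_HEADER.pack(TRANSPORT_DATA, b"\x00" * 3, 0x11223344, 5) + b"\xaa" * 32
# Constructed sample: keepalive, whose ciphertext is only the 16-byte tag.
KEEPALIVE = TRANSPORT_HEADER.pack(TRANSPORT_DATA, b"\x00" * 3, 0x11223344, 6) + b"\xbb" * 16

if __name__ == "__main__":
    print(parse_wg_payload(SAMPLE))
    print(parse_wg_payload(KEEPALIVE))
```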