diff options
Diffstat (limited to 'readme.txt')
-rw-r--r-- | readme.txt | 52 |
1 files changed, 52 insertions, 0 deletions
diff --git a/readme.txt b/readme.txt new file mode 100644 index 0000000..3924e62 --- /dev/null +++ b/readme.txt @@ -0,0 +1,52 @@ +RDP Wireshark Dissector + +In order to use this wireshark dissector for the RDP protocol, you will need to compile wireshark from the development sources. + +There are two ways to add a dissector to wireshark: plug-in or built-in. Even though you could probably make the current dissector +a plug-in, I do not encourage to do it this way, as there is a major drawback: wireshark plug-ins aren't loaded in wireshark when +it is ran as root, for obvious security reasons. As you need to be root in order to capture packets, you won't be able to capture +and dissect the RDP protocol at the same time if you compile the dissector as a plug-in. Therefore, here are the instructions on how +to add this RDP dissector as built-in to wireshark, so you can use it while running wireshark as root. + +Go to http://www.wireshark.org/develop.html and follow the instructions to get the latest wireshark development sources: +svn co http://anonsvn.wireshark.org/wireshark/trunk/ wireshark + +Once you have the sources, instead a couple of development packages that you'll probably need, such as gtk-dev. Make sure that you have +SSL development libraries (GnuTLS, OpenSSL) installed, as wireshark will built without the SSL dissector if they aren't present when +running the configure script. As we are dependent on the SSL dissector for the RDP dissector, the SSL development libraries are mandatory. + +Copy packet-rdp.c and packet-rdp.h to wireshark/epan/dissectors/ and add new entries in wireshark/epan/dissectors/Makefile.common: + +Add this line right over the "packet-rdt.c" line (they're in alphabetical order): + packet-rdp.c \ + +Similarly add this line right over the "packet-rdt.h" line: + packet-rdp.h \ + +Now in the root of the wireshark folder, run autogen.sh if you haven't already, and run (or re-run) the configure script. +The configure script must be ran after Makefile.common has been modified, otherwise the new dissector won't get built. + +When this is done and you've solved all dependencies the configure script may complain about, simply "make". +It takes a while the first time, but after that you're done :) + +To test it out once it is built, use one of the sample packet captures that I've prepared: +http://www.awakecoding.com/downloads/rdp_sample_packet_capture.zip +http://www.awakecoding.com/downloads/rdp_sample_packet_capture_tls_without_nla.zip + +Both archives contain a packet capture with a readme and the private key required to decrypt the TLS packets. +The dissector does not work with the RDP "legacy" encryption, only with RDP over TLS. + +If you want to use the dissector to analyze your own packets, you will need to configure your server to use a self-signed certificate +with an exportable private key. The amount of effort required to do so varies a lot between versions of Windows Server. Some easy versions +are Windows Server 2003 SP1: http://thelazyadmin.com/blogs/thelazyadmin/archive/2007/01/26/Configure-RDP-over-SSL-with-SelfSSL.aspx +Otherwise you should give Windows Server 2008 _R2_ a try, and I really insist on the "R2" here. Windows Server 2008 (not R2) can create +a self-signed certificate for you, but it will mark the key as non-exportable by default, and there's no way around it. You can try +generating your own self-signed certificate to try to import it, but good luck on finding the almost non-existing information on the subject. +Windows Server 2008 R2 changed the default behavior to give you the option of NOT marking the private key as non-exportable. Once you get +a self-signed certificate with an exportable private key configured with your RDP server, it should be quite easy to figure out how to extract +the private key and convert it from pfx to pem format (OpenSSL can do it, just google it there are tons of websites that explain how). + +Obviously the dissector is still in an early development stage and I put efforts on the packets that I need to take a closer look at. It is +still very useful and will probably save you a lot of time. + + |