Making the Wireshark module
Submitted by mtesauro on Sun, 04/26/2009 - 00:36
Get the source for Wireshark
Go to the Wireshark site and find your way to the download page. Grab the latest source distribution, which is a bzip2 (tar.bz2) file. At the time of this writing that is wireshark-1.0.5.tar.bz2. There is also a signed digest file a bit further down the page; it can be found here. The file is named SIGNATURES-1.0.5.txt.
Say no to bad downloads: check both the digests and the digital signature, as demonstrated below and explained in Checking sources [PAGE NOT MADE]. We grep from the SIGNATURES-1.0.5.txt file rather than editing it so that we don't alter its contents and invalidate the signature.
$ cd temp/
$ cat SIGNATURES-1.0.5.txt | grep "SHA1(wireshark-1.0.5.tar.bz2)" > wireshark-sha1
$ sha1sum wireshark-1.0.5.tar.bz2 >> wireshark-sha1
$ vi wireshark-sha1
$ gpg --verify SIGNATURES-1.0.5.txt
gpg: Signature made Wed 10 Dec 2008 11:28:42 AM CST using DSA key ID 21F2949A
gpg: Can't check signature: public key not found
[have to grab their key]
$ gpg --keyserver wwwkeys.pgp.net --recv-keys 21F2949A
gpg: requesting key 21F2949A from hkp server wwwkeys.pgp.net
gpg: key 21F2949A: public key "Gerald Combs <gerald@wireshark.org>" imported
gpg: Total number processed: 1
gpg: imported: 1
$ gpg --verify SIGNATURES-1.0.5.txt
gpg: Signature made Wed 10 Dec 2008 11:28:42 AM CST using DSA key ID 21F2949A
gpg: Good signature from "Gerald Combs <gerald@wireshark.org>"
gpg: WARNING: This key is not certified with a trusted signature!
gpg: There is no indication that the signature belongs to the owner.
Primary key fingerprint: EEE7 3F8C 231A 3C99 2D9A AE0B A70F 085D 21F2 949A
The above indicates a valid download; the warning just tells me that I've not marked the Wireshark key as trusted in my keyring. Whether or not I trust that key has nothing to do with the validity of the download. So now that we know the source hasn't been diddled with...
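As an added example (not code from the original page), here is a small POSIX shell script that automates what the vi step above does by eye: it compares the SHA1 recorded in the SIGNATURES file against sha1sum's output, and it checks the signer's full fingerprint from gpg's machine-readable status output against the fingerprint printed above, rather than relying on the human-readable "Good signature" line (which any imported key produces). It assumes the SIGNATURES file uses openssl-style lines of the form SHA1(file)= hex; the function names are mine.

```shell
#!/bin/sh
# Added example, not from the original page: do the digest comparison the
# page does by eye in vi, and pin the signing key's full fingerprint rather
# than trusting the "Good signature" line (any imported key prints that).
# Assumption: SIGNATURES lines look like openssl output, "SHA1(file)= <hex>".
set -u

# Print the SHA1 recorded for file $2 in SIGNATURES file $1 (empty if absent).
recorded_sha1() {
    grep "^SHA1($2)=" "$1" | head -n 1 | sed 's/^[^=]*= *//' | tr 'A-F' 'a-f'
}

# Succeed only when sha1sum of $2 equals the digest recorded in $1.
verify_digest() {
    want=$(recorded_sha1 "$1" "$2")
    [ -n "$want" ] || { echo "no SHA1 entry for $2 in $1" >&2; return 1; }
    got=$(sha1sum "$2" | cut -d ' ' -f 1)
    [ "$got" = "$want" ]
}

# $1 = gpg --status-fd output, $2 = expected fingerprint (spaces allowed).
# VALIDSIG carries the full 40-hex fingerprint; GOODSIG only carries the
# short key ID, which is why the check keys on VALIDSIG.
fingerprint_matches() {
    expected=$(printf '%s' "$2" | tr -d ' ' | tr 'a-f' 'A-F')
    printf '%s\n' "$1" | awk -v fpr="$expected" '
        $1 == "[GNUPG:]" && $2 == "VALIDSIG" && toupper($3) == fpr { ok = 1 }
        END { exit ok ? 0 : 1 }'
}

# Whole check for a release: signature from the pinned key, then digest match.
verify_release() {   # $1 = SIGNATURES file, $2 = tarball, $3 = pinned fingerprint
    status=$(gpg --status-fd 1 --verify "$1" 2>/dev/null) || return 1
    fingerprint_matches "$status" "$3" || { echo "signed by an unexpected key" >&2; return 1; }
    verify_digest "$1" "$2"
}
```

Call it as `verify_release SIGNATURES-1.0.5.txt wireshark-1.0.5.tar.bz2 'EEE7 3F8C 231A 3C99 2D9A AE0B A70F 085D 21F2 949A'` from the directory holding both files; a non-zero exit means stop and do not build.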
Compile the source and complete the package
Since we're doing this from source, it's best to download the source into a running version of the Live CD. We can then do the compilation there to make sure the Live CD has all the necessary dependencies.
First get the source into the Live CD. Since you've already verified the signature, scp the tarball over from your primary box into a build directory and extract it there:
# mkdir build
# cd build
# scp matt@matt-box.example.com:/home/matt/download/wireshark-1.0.5.tar.bz2 ./
# tar -xjvf wireshark-1.0.5.tar.bz2
# cd wireshark-1.0.5
So far so good. Now to get this thing installed, all we really need to do is the 3-step Linux install dance, with a special variation I've come to prefer: two finds and a diff. We'll also pass some configure options to get the architecture-dependent files into /opt/owasp/wireshark.
# ./configure --exec-prefix=/opt/owasp/wireshark --prefix=/opt/owasp/wireshark --mandir=/usr/share/man
[bunch of output - hopefully ending on a happy note]
FAIL. It says we need yacc (or bison). Since I should only need this for compiling Wireshark, I'm borrowing a Slackware package from here, checking its MD5sum, converting it to SLAX and installing it. Activating (i.e. installing) the module on the OWASP Live CD will allow the compilation to occur, but the module won't become part of the actual ISO image.
# cd /root
# scp matt@matt-box.example.com:/home/matt/download/bison-2.3-i486-1.tgz ./
# tgz2lzm bison-2.3-i486-1.tgz bison-2.3-i486-1.lzm
# activate bison-2.3-i486-1.lzm
OK. Retry that ./configure above. Now I need to add flex. I'll repeat the above conversion from Slackware to SLAX. Get flex here.
OK. We got through ./configure without failure. Let's try make:
# make
# find / > ../pre-wireshark
# make install
# find / > ../post-wireshark
# cd ../
# diff pre-wireshark post-wireshark > wireshark-diff
# grep '^>' wireshark-diff | grep -v build > wireshark-install
# vi wireshark-install
[remove any cruft and modify to copy the installed files to /root/fakeroot]
# cat wireshark-install
mkdir -p /root/fakeroot/opt/owasp
cp -a /opt/owasp/wireshark /root/fakeroot/opt/owasp
mkdir -p /root/fakeroot/usr/man/man4
cp -a /usr/man/man4/wireshark-filter.4 /root/fakeroot/usr/man/man4
mkdir -p /root/fakeroot/usr/man/man1
cp -a /usr/man/man1/rawshark.1 /root/fakeroot/usr/man/man1
cp -a /usr/man/man1/idl2wrs.1 /root/fakeroot/usr/man/man1
cp -a /usr/man/man1/dumpcap.1 /root/fakeroot/usr/man/man1
cp -a /usr/man/man1/editcap.1 /root/fakeroot/usr/man/man1
cp -a /usr/man/man1/capinfos.1 /root/fakeroot/usr/man/man1
cp -a /usr/man/man1/mergecap.1 /root/fakeroot/usr/man/man1
cp -a /usr/man/man1/text2pcap.1 /root/fakeroot/usr/man/man1
cp -a /usr/man/man1/tshark.1 /root/fakeroot/usr/man/man1
cp -a /usr/man/man1/wireshark.1 /root/fakeroot/usr/man/man1
# chmod u+x wireshark-install
# ./wireshark-install
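An added example, not from the original page, that derives the fakeroot copy script from the two find listings instead of editing the diff by hand in vi. It assumes the pre/post listing file names, the pattern of paths to skip and the fakeroot path are passed in as arguments; the function names are mine. Run with the listings from the page it reproduces the mkdir/cp lines shown above, including the single cp -a of the whole /opt/owasp/wireshark tree.

```shell
#!/bin/sh
# Added example, not from the original page: derive the fakeroot copy script
# from the two "find /" listings instead of editing the diff by hand in vi.
# Assumed names: pre/post listing files, a skip pattern, the fakeroot path.
set -u

# Paths present in the post listing but not the pre listing, minus volatile
# trees and the build directory (the page's "grep -v build").
new_paths() {   # $1 = pre listing, $2 = post listing, $3 = ERE of paths to skip
    LC_ALL=C sort "$1" > "$1.sorted"
    LC_ALL=C sort "$2" > "$2.sorted"
    LC_ALL=C comm -13 "$1.sorted" "$2.sorted" | grep -Ev "$3" || true
    rm -f "$1.sorted" "$2.sorted"
}

# Print the mkdir/cp script. A directory that is entirely new (e.g. the whole
# /opt/owasp/wireshark tree) becomes a single "cp -a" of its top entry, which
# is what the page's hand-written wireshark-install does.
gen_install_script() {   # $1 = pre, $2 = post, $3 = skip ERE, $4 = fakeroot dir
    new_paths "$1" "$2" "$3" | awk -v root="$4" '
        {
            for (i = 1; i <= n; i++)           # already covered by a parent cp -a?
                if (index($0, done[i] "/") == 1) next
            done[++n] = $0
            dir = $0; sub(/\/[^\/]*$/, "", dir); if (dir == "") dir = "/"
            if (!(dir in seen)) { seen[dir] = 1; printf "mkdir -p %s%s\n", root, dir }
            printf "cp -a %s %s%s\n", $0, root, dir
        }'
}

# /proc, /sys, /dev and /tmp change on every boot; /root holds the build tree
# and the fakeroot itself, so none of them belong in the module.
DEFAULT_SKIP='^/(proc|sys|dev|tmp|root)/|/build/'
```

Example call from the build directory: `gen_install_script pre-wireshark post-wireshark "$DEFAULT_SKIP" /root/fakeroot > wireshark-install`, then review the result before running it.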
Create support files in the fakeroot directory
Now we need to create a menu item for wireshark:
$ mkdir fakeroot/usr/share/applications
$ vi fakeroot/usr/share/applications/wireshark.desktop
[create the file]
$ cat fakeroot/usr/share/applications/wireshark.desktop
[Desktop Entry]
Encoding=UTF-8
Exec=wireshark
Icon=/usr/share/pixmaps/wireshark.png
Type=Application
Categories=Application;Network;
Name=Packet Sniffer
Name[cs]=Packet Sniffer
GenericName=Wireshark
GenericName[cs]=Wireshark
MimeType=text/html
X-KDE-StartupNotify=true
Wireshark has several binaries which were compiled. Instead of a herd of shell scripts, we're going to create a set of sym links instead:
# mkdir fakeroot/usr/bin
# cd fakeroot/usr/bin/
# ln -s ../../opt/owasp/wireshark/bin/wireshark wireshark
# ln -s ../../opt/owasp/wireshark/bin/tshark tshark
# ln -s ../../opt/owasp/wireshark/bin/text2pcap text2pcap
# ln -s ../../opt/owasp/wireshark/bin/mergecap mergecap
# ln -s ../../opt/owasp/wireshark/bin/capinfos capinfos
# ln -s ../../opt/owasp/wireshark/bin/editcap editcap
# ln -s ../../opt/owasp/wireshark/bin/randpkt randpkt
# ln -s ../../opt/owasp/wireshark/bin/dftest dftest
# ln -s ../../opt/owasp/wireshark/bin/dumpcap dumpcap
# ln -s ../../opt/owasp/wireshark/bin/rawshark rawshark
# ln -s ../../opt/owasp/wireshark/bin/idl2wrs idl2wrs
For the icon, I grabbed the icon which came with the source code and moved it into fakeroot under the name the .desktop entry above refers to:
$ mkdir fakeroot/usr/share/pixmaps
$ cp build/wireshark-1.0.5/image/wsicon48.png fakeroot/usr/share/pixmaps/wireshark.png
We should now have everything we need in fakeroot. Give it a final sanity check, then create a new module based on what's in fakeroot:
# find fakeroot/ | less
# dir2lzm fakeroot/ wireshark-1.0.5.lzm
Test the new modules
SLAX will allow you to add modules to a running system. Before going on, you should install the module and make sure it works as expected. Check out the page Add modules to a running system [PAGE NOT MADE] to see how to do this. Since I had to do a make install before I created the module, I used a freshly booted Live CD to test the module. Verify that wireshark works as expected.
If everything goes as expected, you'll need to add this module to the ISO image. Since we've created the module in the Live CD, you'll need to move it off to a "real" computer. You can use a USB drive, scp or whatever to get the files off the Live CD.
Add the modules to the ISO build directory
Also cake
$ cp -i wireshark-1.0.5.lzm ../contents/slax/base/
$ chmod 775 ../contents/slax/base/wireshark-1.0.5.lzm
This assumes your wireshark module was moved into your working directory. See Creating the base Live CD from SLAX (Create a Working Directory section)
Clean up and archive
Once you've got a working module, lets clean up a bit.
$ mkdir -p ./completed_modules/wireshark
$ mv wireshark-1.0.5.lzm ./completed_modules/wireshark/
$ mv temp/wireshark-1.0.5.tar.bz2 completed_modules/wireshark/
$ mv temp/SIGNATURES-1.0.5.txt completed_modules/wireshark/
$ mv temp/wireshark-install completed_modules/wireshark/
$ rm -rf ./temp/*
