Analyzing the JBoss Remoting Protocol

In this article, I’d like to introduce the remoting-wireshark (see remoting-wireshark) project. This project is a Wireshark (Wireshark · Go Deep.) dissector plugin that can decode the JBoss Remoting (see JBoss Remoting) protocol.

Here is the screenshot that shows the running Wireshark that is decoding the JBoss Remoting protocol:

/assets/remoting/wireshark.png

From the above screenshot, we can see the Remoting protocol is decoded by the Wireshark.

Now let’s see how to enable the plugin. Firstly, you need to clone the remoting-wireshark from Github into your local machine. Here is the URL of the project:

https://github.com/jboss-remoting/remoting-wireshark

After cloning the above repository, we can see the code of the project:

$ tree
.
├── Makefile
├── src
│   └── main.c
└── target

From the above output, we can see the project just contain a main.c and a Makefile. The Makefile does not work on all the platforms at the time of writing. I have tested the Makefile on my 64-bit Linux box, and the Linux distribution I am using is Fedora 25:

$ cat /etc/*release
Fedora release 25 (Twenty Five)

At time of writing, there is a bug in the project which causes the plugin broken in Wireshark 2.x. I have submitted a PR to fix it (PR3) and you can apply the patch if you are running Wireshark 2.x.

Here are the Wireshark packages provided by Fedora Linux:

$ dnf search wireshark*
Last metadata expiration check: 23 days, 20:55:45 ago on Sat Apr 29 13:43:24 2017.
wireshark-qt.x86_64 : Wireshark's Qt-based GUI
wireshark-gtk.x86_64 : Wireshark's GTK+-based GUI
wireshark.x86_64 : Network traffic analyzer
wireshark-cli.x86_64 : Network traffic analyzer
wireshark-devel.x86_64 : Development headers and libraries for wireshark
openambit-wireshark.x86_64 : Wireshark dissector for openambit
libvirt-wireshark.x86_64 : Wireshark dissector plugin for libvirt RPC transactions

The above packages will provide Wireshark runtime and necessary header files and libraries for us to build the remoting project. To compile the project, we can run the make command in the project directory, and here is the output:

/assets/remoting/make.png

The above screenshot displays the compile process of the package, and the final output is remoting.so. Here is the relative output:

$ cc -shared -lwiretap -o remoting.so target/main.o

After the compilation is done, we need to put remoting.so into the plugin directory of the Wireshark. Here is the command to do so:

$ sudo cp remoting.so /usr/lib64/wireshark/plugins/

The above command will put the remoting.so into the wireshark plugin diretory defined by Fedora Linux. After the plugin is installed, we can start the Wireshark, and if everything goes fine, the plugin will be loaded. We can check the Analyze tab in the menu and select the Enabled Protocols... item. Here is the screenshot:

/assets/remoting/option.png

After clicking the above item, we can see the Enabled Protocols window. Here is the screenshot:

/assets/remoting/remoting.png

The above screenshot shows the enabled protocols. Wireshark will enable many protocols by default, so I have to put the string remoting into the Search field, and it will only show the Remoting protocol. This process verifies the installation of our remoting.so plugin.

To test the plugin, we can use the jboss-remoting project itself generate some network traffic and let Wireshark capture it. Here is the URL of the project:

https://github.com/jboss-remoting/jboss-remoting

You can clone the project and use the mvn install command to compile and install it into your local machine. I won’t dive into many details of these steps because they are quite straightforward. After the compilation is done, we can run the ConnectionTestCase provided by the project to generate the network traffic. Here is the screenshot of the class:

/assets/remoting/port.png

The above screenshot shows the tcp port used by ConnectionTestCase class is 30123, so we can set Wireshark to listen to lo loop interface and filter the data packet to show the data transferred via tcp port 30123.

To select the interface to capture, we can select the Capture -> Options... item as shown in following screenshot:

/assets/remoting/capture.png

After clicking the above item, we can enter the following window:

/assets/remoting/lo.png

In above window, we can select the lo interface for data capturing. After selecting the interface, we can click the start button in above window to start the data capture. Then we will enter the main window of the Wireshark and see data are captured for lo interface. Now we need to write a filter to show the data on port 30123 only. Here is the filter setting:

/assets/remoting/filter.png

Now the Wireshark is prepared to capture the network data. We can run the ConnectionTestCase in jboss-remoting project, and it will transfer the network data with Remoting protocol. In Wireshark you can see a lot of data packets captured, but they are just decoded as plain TCP packets. Now we can right click one of packet to display the popup window, and select the Decode As... item. Here is the screenshot:

/assets/remoting/decode.png

After the clicking the above item, you can see a drop menu that can be used to choose the protocol for decoding. Here is the screenshot:

/assets/remoting/select.png

And then you can click the TCP port and a very long droplist will appear. You can select JBoss Remoting as the protocol, and then the packet will be decoded correctly.

After the above steps are done, you will see the JBoss Remoting packets displayed in Wireshark window as shown at the beginning of this article.