1 unstable release

Uses old Rust 2015

0.0.1 Sep 17, 2015

#4 in #malicious


Used in rust_lldp

Apache-2.0

1.5MB
350 lines


rshark, the Rusty Shark library, is a library for deep inspection of malicious packets.

Wireshark is a very useful tool for network debugging, but it has had its fair share of security vulnerabilities. rshark uses the type safety of Rust to dissect malicious packets without worry of buffer overflows or other common memory errors: a buggy dissector can misinterpret the packet in front of it, but it cannot corrupt the process that runs it. That is, Rusty Shark is compartmentalized to minimize the damage that can be done by a successful adversary. The submarine metaphors write themselves.

Further details are available in the Rustdoc.


lib.rs:

rshark, the Rusty Shark library, is a library for deep inspection of malicious packets.

Background

Wireshark is a very useful tool for network debugging, but it has had its fair share of security vulnerabilities. It's generally accepted that, to succeed at Capture the Flag, one should fuzz Wireshark for a while before the competition to find a few new vulnerabilities (don't worry, they're there, you'll find some) and use those offensively to blind one's opponents. This speaks to both the indispensability of packet capture/dissection tools and the fundamental difficulty of "just making Wireshark secure". Wireshark has a lot of dissectors, which are written using a complex C API (although some are now written in Lua).

rshark uses the type safety of Rust to enable the dissection of malicious packets without worry of buffer overflows or other common memory errors. Rusty Shark dissectors can make mistakes, but those logical errors should only affect the interpretation of the current data, rather than all data. That is to say, Rusty Shark is compartmentalized to minimize the damage that can be done by a successful adversary. The submarine metaphors write themselves.

Usage

note: for help on the rshark command-line client, run man rshark or rshark --help.

The rshark library provides packet dissection functions such as rshark::ethernet::dissect(). Every such dissection function, which should conform to the rshark::Dissector function type, takes as input a slice of bytes and returns an rshark::Result (which defaults to Result<rshark::Val, rshark::Error>). Usage is pretty simple:

// The bytes to dissect. An empty buffer is used here for brevity; a real
// caller passes the raw bytes of a captured Ethernet frame.
let data: Vec<u8> = vec![];

// Every dissector takes a byte slice and returns rshark::Result, so a
// malformed or truncated packet surfaces as Err rather than as a crash.
match rshark::ethernet::dissect(&data) {
    Err(e) => println!["Error: {}", e],
    // On success, print the Val tree with zero leading indentation.
    Ok(val) => print!["{}", val.pretty_print(0)],
}

A Val can represent an arbitrary tree of structured data (useful in graphical displays) and can be pretty-printed with indentation for sub-objects.
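The following is an added, self-contained example (not code from the rshark crate) that shows the dissector shape described above: a function that takes a byte slice and returns a `Result<Val, Error>`, a `Val` tree that pretty-prints with indentation, and an Ethernet dissector that hands IPv4 payloads to a nested dissector. The `Val`, `Error` and `Dissector` definitions are stand-ins that mirror the shape the text describes, not rshark's own types, and the sample frames are constructed by hand rather than captured. The point it demonstrates is the compartmentalization claim: every read goes through a bounds-checked accessor, so a runt frame, a truncated IP header or a nonsensical length field produces an `Err` for that one frame while the rest of the capture is still dissected.

```rust
use std::fmt;

/// Stand-in for rshark::Error (assumed shape, not the crate's own type).
#[derive(Debug, PartialEq)]
pub enum Error {
    Truncated { needed: usize, got: usize },
    Malformed(&'static str),
}

impl fmt::Display for Error {
    fn fmt(&self, f: &mut fmt::Formatter<'_>) -> fmt::Result {
        match self {
            Error::Truncated { needed, got } => write!(f, "need {} bytes, got {}", needed, got),
            Error::Malformed(why) => write!(f, "malformed: {}", why),
        }
    }
}

/// Stand-in for rshark::Val: an arbitrary tree of named fields (assumed shape).
#[derive(Debug, PartialEq)]
pub enum Val {
    Unsigned(u64),
    Bytes(Vec<u8>),
    Object(Vec<(&'static str, Val)>),
}

impl Val {
    /// Render the tree, indenting nested objects by two spaces per level.
    pub fn pretty_print(&self, indent: usize) -> String {
        let pad = "  ".repeat(indent);
        match self {
            Val::Unsigned(n) => format!("{}0x{:x}\n", pad, n),
            Val::Bytes(b) => {
                let hex: Vec<String> = b.iter().map(|x| format!("{:02x}", x)).collect();
                format!("{}{}\n", pad, hex.join(":"))
            }
            Val::Object(fields) => fields
                .iter()
                .map(|(name, v)| format!("{}{}:\n{}", pad, name, v.pretty_print(indent + 1)))
                .collect(),
        }
    }
}

pub type Result<T = Val> = std::result::Result<T, Error>;
/// Every dissector has this shape: bytes in, a Val tree or an Error out.
pub type Dissector = fn(&[u8]) -> Result;

/// Bounds-checked accessor: a short input becomes an Err for this packet
/// instead of an out-of-bounds read.
fn take(data: &[u8], off: usize, len: usize) -> Result<&[u8]> {
    let end = off.checked_add(len).ok_or(Error::Malformed("offset overflow"))?;
    data.get(off..end).ok_or(Error::Truncated { needed: end, got: data.len() })
}

pub fn ipv4_dissect(data: &[u8]) -> Result {
    let first = take(data, 0, 1)?[0];
    if first >> 4 != 4 { return Err(Error::Malformed("not IPv4")); }
    let ihl = ((first & 0x0f) as usize) * 4;
    if ihl < 20 { return Err(Error::Malformed("IHL below 20 bytes")); }
    let hdr = take(data, 0, ihl)?; // header may carry options beyond 20 bytes
    let total_len = u16::from_be_bytes([hdr[2], hdr[3]]) as usize;
    if total_len < ihl { return Err(Error::Malformed("total length shorter than header")); }
    let payload = take(data, ihl, total_len - ihl)?; // fails if the capture is cut short
    Ok(Val::Object(vec![
        ("ttl", Val::Unsigned(hdr[8] as u64)),
        ("protocol", Val::Unsigned(hdr[9] as u64)),
        ("src", Val::Bytes(hdr[12..16].to_vec())),
        ("dst", Val::Bytes(hdr[16..20].to_vec())),
        ("payload", Val::Bytes(payload.to_vec())),
    ]))
}

pub fn ethernet_dissect(data: &[u8]) -> Result {
    let hdr = take(data, 0, 14)?;
    let ethertype = u16::from_be_bytes([hdr[12], hdr[13]]);
    let rest = take(data, 14, data.len() - 14)?;
    let inner = match ethertype {
        0x0800 => ipv4_dissect(rest)?, // an inner error fails only this frame
        _ => Val::Bytes(rest.to_vec()),
    };
    Ok(Val::Object(vec![
        ("dst", Val::Bytes(hdr[0..6].to_vec())),
        ("src", Val::Bytes(hdr[6..12].to_vec())),
        ("ethertype", Val::Unsigned(ethertype as u64)),
        ("payload", inner),
    ]))
}

/// Run one dissector over a capture; each frame gets its own Ok or Err slot,
/// so one hostile frame does not take the others down with it.
pub fn dissect_all(dissect: Dissector, frames: &[&[u8]]) -> Vec<Result> {
    frames.iter().map(|f| dissect(f)).collect()
}

/// Constructed sample frames (hand-built, not captured traffic).
pub fn sample_frames() -> Vec<Vec<u8>> {
    let eth_hdr: Vec<u8> = vec![0xff, 0xff, 0xff, 0xff, 0xff, 0xff, // dst
                                0x02, 0x00, 0x00, 0x00, 0x00, 0x01, // src
                                0x08, 0x00];                        // ethertype IPv4
    let mut ip: Vec<u8> = vec![0x45, 0x00, 0x00, 0x18, // ver/IHL, TOS, total length 24
                               0x00, 0x00, 0x00, 0x00, // id, flags/fragment offset
                               0x40, 0x11, 0x00, 0x00, // TTL 64, UDP, checksum (unset)
                               10, 0, 0, 1, 10, 0, 0, 2]; // 10.0.0.1 -> 10.0.0.2
    ip.extend_from_slice(&[0xde, 0xad, 0xbe, 0xef]); // 4-byte payload
    let good = [eth_hdr.clone(), ip.clone()].concat();
    let truncated_ip = [eth_hdr.clone(), ip[..10].to_vec()].concat();
    let runt = eth_hdr[..5].to_vec();
    let mut bad_len = ip.clone();
    bad_len[3] = 0x10; // total length 16, shorter than the 20-byte header
    let malformed = [eth_hdr, bad_len].concat();
    vec![good, truncated_ip, runt, malformed]
}

fn main() {
    for (i, frame) in sample_frames().iter().enumerate() {
        match ethernet_dissect(frame) {
            Err(e) => println!("frame {}: error: {}", i, e),
            Ok(val) => print!("frame {}:\n{}", i, val.pretty_print(1)),
        }
    }
}
```

The `take` accessor is the whole trick: because Rust slices are bounds-checked, the worst a wrong length field can do is make `take` return `Err`, and the `?` operator propagates that error out of the current frame only. Nested dissectors compose the same way, so a bad IPv4 header inside an otherwise fine Ethernet frame yields an error for that frame and nothing else.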

Dependencies

~4.5MB
~90K SLoC