1 unstable release
Uses old Rust 2015
0.0.1 | Sep 17, 2015 |
---|
#5 in #malicious
Used in rust_lldp
1.5MB
350 lines
rshark
, the Rusty Shark library, is a library for deep inspection
of malicious packets.
Wireshark is a very useful tool for network
debugging, but it's had its
fair share of security vulnerabilities.
rshark
uses the type safety of Rust to enable the dissection of
malicious packets without worry of buffer overflows or other common memory errors.
That is, Rusty Shark is compartmentalized to minimize the damage that
can be done by a successful adversary. The submarine metaphors write themselves.
Further details are available in the Rustdoc.
lib.rs
:
rshark
, the Rusty Shark library, is a library for deep inspection
of malicious packets.
Background
Wireshark is a very useful tool for network debugging, but it's had its fair share of security vulnerabilities. It's generally accepted that, to succeed at Capture the Flag, one should fuzz Wireshark for awhile before the competition to find a few new vulnerabilities (don't worry, they're there, you'll find some) and use those offensively to blind one's opponents. This speaks to both the indispensability of packet capture/dissection tools and the fundamental difficulty of ``just making Wireshark secure''. Wireshark has a lot of dissectors, which are written using a complex C API (although some are now written in Lua).
rshark
uses the type safety of Rust to enable the dissection of
malicious packets without worry of buffer overflows or other common memory errors.
Rusty Shark dissectors can make mistakes, but those logical errors should only
affect the interpretation of the current data, rather than all data.
That is to say, Rusty Shark is compartmentalized to minimize the damage that
can be done by a successful adversary. The submarine metaphors write themselves.
Usage
note: for help on the rshark
command-line client,
run man rshark
or rshark --help
.
The rshark
library provides packet dissection functions such as
rshark::ethernet::dissect()
. Every such dissection function, which should
conform to the rshark::Dissector
function type, takes as input a slice of bytes
and returns an rshark::Result
(which defaults to
Result<rshark::Val, rshark::Error>
).
Usage is pretty simple:
let data = vec![];
match rshark::ethernet::dissect(&data) {
Err(e) => println!["Error: {}", e],
Ok(val) => print!["{}", val.pretty_print(0)],
}
A Val
can represent an arbitrary tree of structured data
(useful in graphical displays) and can be pretty-printed with indentation for
sub-objects.
Dependencies
~4.5MB
~90K SLoC