Releasing Wireshark dissectors for Ethereum ÐΞVp2p protocols

Raúl Kripalani, published in ConsenSys Media, Aug 14, 2018 (6 min read)

At PegaSys, we specialize in the low-level, deep aspects of the Ethereum ecosystem. [In case you didn’t know, PegaSys is the Protocol Engineering Groups and Systems team here at ConsenSys.]

We’re addressing an array of challenges in the Ethereum ecosystem: privacy, sharding, consensus, scalability, etc. as well as working on Pantheon, a Java-based Ethereum client that will be released on October 30th in Devcon4 (Prague). Pantheon will serve as the public chain foundation for our Enterprise edition, to be released some months after Devcon4.

Building Pantheon means implementing the network stack of Ethereum (ÐΞVp2p) from scratch, and ensuring its correct behavior and interoperability at all times with other clients like Geth and Parity is not easy.

To enable us to debug and observe the network behavior of Ethereum clients, a few months ago we decided to develop a set of Wireshark dissectors for Ethereum ÐΞVp2p. See it in action:

An animation showing the dissection of a live capture of devp2p RLPx discovery protocol traffic from Geth. Shown: packet tree, detail view, statistics, service response times.

And today we are announcing their release as Open Source Software. We hope it will contribute to facilitating the work of researchers (such as the team that reported Eclipse Attacks exploiting vulnerabilities in discovery), engineers, devops, and anybody who is curious about Ethereum’s network traffic.

But before we delve into the dissectors themselves, let me give you a bird’s eye view of the ÐΞVp2p stack in Ethereum clients.

About ÐΞVp2p

There are many ways to explain what public chain Ethereum is.

One of the definitions is: “a decentralized peer-to-peer network of untrusted nodes that execute transactions, and share and agree on the same view of data — the world state.”

In Ethereum 1.0, nodes speak with each other through a framework of network protocols called ÐΞVp2p (devp2p), in order to discover peers, gossip about transactions, broadcast blocks, and share their status.

ÐΞVp2p is a layered stack, composed of:

  1. The RLPx framework: responsible for the plumbing of communications. Split in two protocols: discovery and wire protocol.
  2. Pluggable user-land subprotocols, such as ETHv63, SHHv1, LESv1, etc.

A schematic view of the devp2p network stack in Ethereum clients

Here’s some more detail on that:

  1. RLPx discovery. Handles peer discovery via a Kademlia DHT-based UDP protocol. It bootstraps from a set of seed nodes and performs iterative lookups on the network, filling up a k-bucket peer routing table where nodes take up positions based on the XOR distance metric.
  2. RLPx wire protocol. Establishes TCP-based encrypted and authenticated sessions with peers, manages their lifecycle, performs keepalives (PING-PONG), agrees on mutually supported capabilities (subprotocols), performs compression and decompression, and multiplexes subprotocol messages through a single socket.
  3. Subprotocols. Self-contained protocols that define a set of messages transported over the RLPx connections set up above. For example, Ethereum data such as blocks, headers, transactions, etc. are propagated through the ETH protocol, used by the sync loop of Ethereum clients to synchronise the chain. Other subprotocols include Whisper (SHH), Swarm (BZZ), the Light Client protocol (LES), and even client-specific ones like Parity’s Warp Sync (PAR). Nodes advertise supported subprotocols when they handshake (as tuples of [ID, version]), and agree on which ones will be used during the RLPx session.

What is a Wireshark dissector?

Wireshark is a popular tool amongst network and protocol experts, but not everybody is familiar with it, so let’s cover that ground quickly.

Wireshark is an application to inspect what’s happening at the network level in our machines. It works by intercepting network traffic via the kernel in a non-intrusive manner, and provides a live view of the frames and packets that are flowing through a link. It allows us to identify protocols, decode data, follow streams and conversations, calculate statistics, and much more, all through a neat workbench with the features you’d expect: filter, search, mark, comment, etc.

A dissector is a protocol parser that registers itself onto the Wireshark environment through its SDK. It gets called by Wireshark to analyse portions of packets and publishes the result as a structured tree to present to the user, which can be seen under the “Packet Details” pane.

The result of an HTTP dissection; it is also observable that the HTTP dissection enabled a recursive lower-level dissection of the payload, interpretable as a CompuServe GIF resource.

Dissectors are instrumental to Wireshark and they are not limited to layer 7. Even the lower level constructs (frames, Ethernet, IP, TCP, UDP, etc.) are decoded via the built-in dissectors. In fact, Wireshark calls dissectors recursively for inner (enveloped) protocols, as top-level dissectors attach new information about the packet to the dissection.

Open sourcing the RLPx discovery ÐΞVp2p dissector

We’re very happy to push this development to the community. As mentioned above, we hope it will contribute to facilitating the work of researchers, engineers, devops, and the technical Ethereum community in general.

So far, we have completed the dissector for the RLPx discovery protocol, supporting the following features:

  • Decoding of PING, PONG, FIND_NODE and NODES packets, breaking each message into its elements, with the appropriate datatypes.
  • Heuristics to dynamically detect Ethereum discovery traffic, no matter the port it’s running on.
  • Linking of PING => PONG frames, as well as FIND_NODE => NODES interactions in protocol trees.
  • Lots of supported filters!
  • Service response time calculation for RPC interactions. Find out how long your peers are taking to respond.
  • A bunch of useful protocol statistics: message counts per type, nodes reported per response, etc.

If you want to try it out, for now you will need to compile from source by following the instructions on our README.

We are committed to Open Source Software, and we are exploring ways to bundle this dissector with the standard Wireshark distribution, just like the Bitcoin dissector already is.

Dissecting the Wire, ETH, SHH, BZZ and LES protocols

We’re working on a new version of the dissector that will support dissecting the remainder of the ÐΞVp2p protocol suite.

This is somewhat complicated, as TCP connections are encrypted with an AES symmetric key derived per-session via ECIES (Elliptic Curve Integrated Encryption Scheme), which means that even if the dissector had access to the private key of the local node, it would not be enough to decrypt communications, as the encryption key factors in our private key, the public key of the peer, and a randomly-generated ephemeral key.

We’re currently exploring approaches that require instrumenting existing clients to dump the AES secret of RLPx sessions, which is less than ideal, but likely necessary.

If you’d like to get involved, or want to discuss other approaches, please reach out to us on Twitter and stay up to date with PegaSys via our newsletter.

In the meantime, merry dissecting!

Disclaimer: The views expressed by the author above do not necessarily represent the views of Consensys AG. ConsenSys is a decentralized community with ConsenSys Media being a platform for members to freely express their diverse ideas and perspectives. To learn more about ConsenSys and Ethereum, please visit our website.

🎈 Engineer @ Protocol Labs, working on libp2p. Previously: ConsenSys, Red Hat, FuseSource, Atos, freelance. From Tenerife, Canary Islands, Spain.