Changes to "Wireshark + libemu for shellcode detection"


 
 
 ** Main feature: shellcode detection on the tree view of the packet headers [#of659eb4]
 
 Wireshark + libemu lets you detect shellcode in the packet selected on the packet-header tree view by clicking "Detect a shellcode" on the context menu. When shellcode is detected, a dialog box displays the message "Detected a shellcode at the offset" followed by the offset, counted from the start of the bytes selected in the byte view. After detection, the byte view highlights the bytes of the shellcode.
 
 - Stable release: &ref(wireshark-1.10.0+libemu.tar.bz2);
 -- Difference file: &ref(wireshark-1.10.0+libemu.diff);
 - Old Stable release: &ref(wireshark-1.8.3+libemu.tgz);
 -- Difference file: &ref(wireshark-1.8.3+libemu.diff);
 - Old Development release: &ref(wireshark-1.9.0+libemu.tar.bz2);
 -- Difference file: &ref(wireshark-1.9.0+libemu.diff); (this file can be applied after 1.9.0)
 
 ** Requirements [#c149fc90]
 libemu 0.2.0
 
 http://libemu.carnivore.it/
 
 ** "Compile and build" status [#o0ee6b54]
 - Debian GNU/Linux Lenny: OK
 - Debian GNU/Linux Squeeze 2009/12/04: OK
 - Debian GNU/Linux Wheezy 2013/02/13: OK
 
 ** Compile and build [#o74020f8]
 + sudo aptitude install yacc bison libgtk2.0-dev libpcap0.8-dev
 + tar xvzf wireshark-1.8.3+libemu.tgz
 + cd wireshark-1.8.3+libemu
 + ./autogen.sh
 + ./configure --enable-emu --with-emu-include=/opt/libemu/include --with-emu-lib=/opt/libemu/lib
 + make
 
 ** Usage [#z658b613]
 + Launch Wireshark
  $ ./wireshark
 + Capture network traffic
 + Select a packet on the packet list view
 + Select a packet header on the header tree view
 #ref(Wireshark + libemu でシェルコード検知/select.png,nolink)
 + Right-click the packet header and click "Detect a shellcode" on the context menu.
 #ref(Wireshark + libemu でシェルコード検知/menu.png,nolink)
 -- Shellcode detected
 #ref(Wireshark + libemu でシェルコード検知/detected.png,nolink)
 -- No shellcode found
 #ref(Wireshark + libemu でシェルコード検知/notdetected.png,nolink)
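The offset the dialog reports is an offset into the bytes of the selected header. As an added illustration (not code from the Wireshark + libemu patch or from libemu), the scanner below locates the x86 GetPC idioms that libemu uses as candidate start points and reports the same two offsets a user would want: the offset within the selection and the absolute offset in the frame. The sample payloads and the frame offset of 54 are constructed assumptions.

```python
import re

# Added example: a simplified GetPC-candidate scanner that mimics what the
# "Detect a shellcode" dialog reports (an offset into the selected bytes).
# It does NOT emulate the candidate as libemu does; it only locates the
# x86 self-locating (GetPC) idioms libemu uses as candidate start points.
GETPC_PATTERNS = [
    # call $+5 (E8 00000000) immediately followed by pop r32 (58..5F)
    ("call/pop getpc", re.compile(rb"\xe8\x00\x00\x00\x00[\x58-\x5f]")),
    # an FPU instruction (D9 C0..FF) then fnstenv [esp-0xc] (D9 74 24 F4)
    ("fnstenv getpc", re.compile(rb"\xd9[\xc0-\xff]\xd9\x74\x24\xf4")),
]


def detect_shellcode(selected: bytes):
    """Return (offset, rule) of the earliest GetPC candidate, or None."""
    best = None
    for rule, pattern in GETPC_PATTERNS:
        match = pattern.search(selected)
        if match and (best is None or match.start() < best[0]):
            best = (match.start(), rule)
    return best


def report(selected: bytes, selection_start: int):
    """Build the dialog-style message plus the absolute frame offset.
    selection_start is where the selected header bytes begin in the frame."""
    hit = detect_shellcode(selected)
    if hit is None:
        return "No shellcode found", None
    offset, rule = hit
    return (f"Detected a shellcode at the offset {offset} ({rule})",
            selection_start + offset)


# Constructed sample payloads (not captures from the page):
# a 16-byte request line, 8 NOPs, then a call/pop GetPC stub.
SAMPLE_PAYLOAD = (b"GET / HTTP/1.1\r\n" + b"\x90" * 8
                  + b"\xe8\x00\x00\x00\x00\x5b\x31\xc0\x90\x90")
BENIGN_PAYLOAD = b"GET /index.html HTTP/1.1\r\nHost: example.test\r\n\r\n"

if __name__ == "__main__":
    # Assumption: the selected TCP payload starts at frame offset 54
    # (14-byte Ethernet + 20-byte IPv4 + 20-byte TCP headers).
    print(report(SAMPLE_PAYLOAD, 54))  # ('Detected a shellcode at the offset 24 (call/pop getpc)', 78)
    print(report(BENIGN_PAYLOAD, 54))  # ('No shellcode found', None)
```

Because this scanner only pattern-matches and never emulates, ordinary binary data containing these byte sequences will trigger it; libemu reduces such false positives by actually emulating each candidate before reporting it.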
