[libvirt-users] unable to dissect libvirt rpc packets using wireshark plugin

Michal Privoznik mprivozn at redhat.com
Thu Jan 7 10:21:40 UTC 2016


On 07.01.2016 08:05, gowrishankar wrote:
> Hi Michal,
> Thank you for your suggestion. My apologies that I took some time to get
> back on further confirmation. Regrettably, my tshark is still unable to
> find the libvirt payload inside the packet capture, though it lists
> libvirt as a possible filter.
> 
>      # rpm -ql libvirt-wireshark-1.2.9.3-2.fc21.x86_64
>      /usr/lib64/wireshark/plugins/1.12.5/libvirt.so
> 
>      As I used wireshark version 1.12.6, I created a 1.12.6 directory
>      under plugins and copied the above .so.
>      /usr/lib64/wireshark/plugins/1.12.6/libvirt.so
> 
>      # tshark -G protocols | grep -i libvirt
>      Libvirt    libvirt    libvirt
> 
>      # tshark -r libvirt.pcap libvirt
>      #
> 

Interesting. It may indeed be that your pcap file does not contain any
libvirt packets, especially if you tested it locally: if you haven't
specified to use the TCP stack, a UNIX socket is used by default.

> Is there any dependency between libvirt and the wireshark dissector
> mechanism for them to co-exist and work together (i.e. whether the above
> libvirt-wireshark is missing some changes that the dissector is
> expecting)? If you have a sample pcap to recheck my wireshark/tshark,
> could you please share it with me?

Sure:

https://mprivozn.fedorapeople.org/libvirt.pcap

$ tshark -r libvirt.pcap libvirt | tail -n1
 89 29.520014062          ::1 -> ::1          Libvirt 114 Prog=REMOTE Proc=CONNECT_CLOSE Type=REPLY Serial=32 Status=OK

So I can get 89 libvirt packets from the dump.

Michal
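
An added example, not part of the original message and not code from the libvirt project: a small Python check that decodes the libvirt RPC header fields shown in the tshark summary above, so a TCP payload can be tested for libvirt framing independently of the dissector plugin. The function names, the `SANITY_MAX` bound and the sample bytes are assumptions made for this illustration.

```python
import struct

# Values from libvirt's RPC definitions (virnetprotocol.x, remote_protocol.x).
PROGRAMS = {0x20008086: "REMOTE"}
TYPES = {0: "CALL", 1: "REPLY", 2: "MESSAGE", 3: "STREAM",
         4: "CALL_WITH_FDS", 5: "REPLY_WITH_FDS", 6: "STREAM_HOLE"}
STATUSES = {0: "OK", 1: "ERROR", 2: "CONTINUE"}
# Only two procedure numbers are listed here; the rest are in remote_protocol.x.
REMOTE_PROCS = {1: "CONNECT_OPEN", 2: "CONNECT_CLOSE"}

# 4-byte length (which counts itself), then prog, vers, proc, type, serial, status.
HEADER = struct.Struct(">7I")
SANITY_MAX = 64 * 1024 * 1024  # assumption: plausibility bound chosen for this example


def parse_messages(stream):
    """Return (headers, leftover) for a reassembled one-direction TCP payload."""
    headers, off = [], 0
    while len(stream) - off >= HEADER.size:
        length, prog, vers, proc, mtype, serial, status = HEADER.unpack_from(stream, off)
        if (not HEADER.size <= length <= SANITY_MAX
                or mtype not in TYPES or status not in STATUSES):
            raise ValueError("offset %d: not libvirt RPC framing" % off)
        if len(stream) - off < length:
            break  # message body continues in a later TCP segment
        headers.append((prog, vers, proc, mtype, serial, status))
        off += length
    return headers, stream[off:]


def summary(header):
    """Format one header like the tshark info column in the message above."""
    prog, _vers, proc, mtype, serial, status = header
    prog_name = PROGRAMS.get(prog, hex(prog))
    proc_name = REMOTE_PROCS.get(proc, str(proc)) if prog_name == "REMOTE" else str(proc)
    return "Prog=%s Proc=%s Type=%s Serial=%d Status=%s" % (
        prog_name, proc_name, TYPES[mtype], serial, STATUSES[status])


# Constructed sample: a header-only reply carrying the fields tshark reported above.
SAMPLE = HEADER.pack(28, 0x20008086, 1, 2, 1, 32, 0)

if __name__ == "__main__":
    msgs, rest = parse_messages(SAMPLE + SAMPLE[:10])
    for m in msgs:
        print(summary(m))
    print("incomplete bytes left:", len(rest))
```

A payload that raises `ValueError` at offset 0 is not libvirt RPC over plain TCP, which is also what a capture taken while the client used the default UNIX socket would lack entirely.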



