Michael Davidsaver created some lua plugins for wireshark that can be used to help diagnose gateway-related protocol issues.

https://github.com/mdavidsaver/cashark/

Nominally you just clone the above repo to get the scripts and point wireshark or tshark at them.

tshark example
tshark -X lua_script:/cds/home/b/bhill/git-wa-neh/misc/cashark-git/ca.lua -PO ca -r ~/tmp/bh-ca1.pcap

First problem: the default wireshark on rhel7 is 1.10.14 and doesn't support the local variables used in ca.lua.

I had a version of wireshark/2.0.3 already built in the pkg_mgr and was able to use that one.

However, I was looking to capture and analyze a full caget exchange between a client and a gateway on one of the PCDS gateway hosts. I ran the client caget on a development host that no one was logged onto but me and suspended the IOCs so there wouldn't be any network traffic from them. The following command captured 26 packets on pscag03.

sudo tcpdump -i enp24s0f0.655  host 172.21.148.45 -w /tmp/bh-ca1.pcap

However, when running tshark on the pcap file it would only show the first UDP search request.

Turns out the standard EPICS ports, EPICS_CA_SERVER_PORT=5064 and EPICS_CA_REPEATER_PORT=5065, are hard-coded into ca.lua.

This is fine as long as no other EPICS processes are running on your gateway host, but if you're doing diagnostics on a working gateway host, those ports are already in use, so EPICS assigns random port numbers for the UDP reply and the TCP connections, and the dissector never sees that traffic.

ca.lua fragment
local utbl = DissectorTable.get("udp.port")
utbl:add(5064, ca)
utbl:add(5065, ca)
local ttbl = DissectorTable.get("tcp.port")
ttbl:add(5064, ca)

I'm not sure what the long term solution is, but I ran the tshark output through "grep -i port" and added those ports to ca.lua.

Modified ca.lua
 local utbl = DissectorTable.get("udp.port")
 utbl:add(5064, ca)
 utbl:add(5065, ca)
+utbl:add(40528, ca)
 local ttbl = DissectorTable.get("tcp.port")
 ttbl:add(5064, ca)
+ttbl:add(43468, ca)
+ttbl:add(49170, ca)
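Review bot: the three ports added here (40528 for UDP, 43468 and 49170 for TCP) are the ones the kernel handed out for this single capture session, so this registration only decodes this one pcap; as the text above notes, EPICS picks different port numbers for the UDP reply and the TCP connections whenever 5064/5065 are already taken, and the next capture on a working gateway host will need the grep-and-edit step again. Rather than literal utbl:add/ttbl:add lines, register a user-editable port range (a Wireshark preference, which tshark can also set with its -o option) or a heuristic UDP/TCP dissector as pva.lua does, so the decoder follows whatever ports the gateway ends up on.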

Now the plugin works much better and shows the full sequence. Here's a filtered output just showing the Command sequence:

tshark CA output
% tshark -X lua_script:/cds/home/b/bhill/git-wa-neh/misc/cashark-git/ca.lua -PO ca -r ~/tmp/bh-ca1.pcap | egrep Command
Loading CA...
Loaded CA
    Command: Version (0x0000)
    Command: Search (0x0006)
    Command: Version (0x0000)
    Command: User (0x0014)
    Command: Host (0x0015)
    Command: Create Channel (0x0012)
    Command: Version (0x0000)
    Command: Rights (0x0016)
    Command: Create Channel (0x0012)
    Command: Read Notify (0x000f)
    Command: Read Notify (0x000f)
    Command: Clear Channel (0x000c)
    Command: Clear Channel (0x000c)


By contrast, the pva.lua plugin has a solution for that hard-coded port problem, but it requires a modern version of wireshark that supports heuristic UDP and TCP dissectors.
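The two ways out of the hard-coded 5064/5065 problem described above (a port range the user can edit instead of literal utbl:add/ttbl:add lines, and the heuristic dissector approach that pva.lua takes) are shown together in the following Lua sketch. It is an added example, not code from cashark or ca.lua; the ca_ex Proto and the dissect_ca and heur_ca functions are hypothetical stand-ins for the plugin's own dissector, and it assumes a wireshark new enough to have Proto:register_heuristic (1.11.3 or later) and the standard 16-byte CA header layout (four uint16 fields, then two uint32 parameters, payload padded to a multiple of 8 bytes).

```lua
-- Added example, not cashark's code: port-configurable registration plus a heuristic
-- fallback for a CA-style dissector. Proto/function names here are hypothetical.
local ca_ex = Proto("ca_ex", "Channel Access (port-configurable example)")
-- Editable port ranges instead of literal 5064/5065; override from the command line:
--   tshark -o ca_ex.udp_ports:5064,5065,40528 -o ca_ex.tcp_ports:5064,43468,49170 ...
ca_ex.prefs.udp_ports = Pref.range("UDP ports", "5064,5065", "UDP ports carrying CA", 65535)
ca_ex.prefs.tcp_ports = Pref.range("TCP ports", "5064",      "TCP ports carrying CA", 65535)

-- Command codes seen in the capture on this page (CA header bytes 0-1, big-endian).
local known_cmd = { [0x00]=true, [0x06]=true, [0x0c]=true, [0x0f]=true,
                    [0x12]=true, [0x14]=true, [0x15]=true, [0x16]=true }

-- Stand-in for the real decoder: only labels the command field of the 16-byte header.
local function dissect_ca(tvb, pinfo, tree)
  pinfo.cols.protocol = "CA"
  local st = tree:add(ca_ex, tvb(0, 16), "CA header")
  st:add(tvb(0, 2), string.format("Command: 0x%04x", tvb(0, 2):uint()))
  return tvb:len()
end
ca_ex.dissector = dissect_ca

-- Heuristic: claim a packet when its first 16 bytes look like a CA header
-- (command, payload size, data type, count as uint16; two uint32 parameters;
-- payloads are padded to a multiple of 8 bytes; 0xFFFF means extended header).
local function heur_ca(tvb, pinfo, tree)
  if tvb:len() < 16 then return false end
  local cmd, psize = tvb(0, 2):uint(), tvb(2, 2):uint()
  if not known_cmd[cmd] then return false end
  if psize ~= 0xFFFF and (psize % 8 ~= 0 or psize > tvb:len() - 16) then return false end
  pinfo.conversation = ca_ex  -- route the rest of this conversation here directly
  dissect_ca(tvb, pinfo, tree)
  return true
end

-- (Re)register on the port tables whenever the preferences change.
local current = {}
local function register_ports()
  local utbl, ttbl = DissectorTable.get("udp.port"), DissectorTable.get("tcp.port")
  if current.udp then utbl:remove(current.udp, ca_ex) end
  if current.tcp then ttbl:remove(current.tcp, ca_ex) end
  current.udp, current.tcp = ca_ex.prefs.udp_ports, ca_ex.prefs.tcp_ports
  utbl:add(current.udp, ca_ex)  -- range strings such as "5064,5065,40528" are accepted
  ttbl:add(current.tcp, ca_ex)
end
ca_ex.prefs_changed = register_ports
register_ports()

-- Heuristic registration needs wireshark >= 1.11.3 (Proto:register_heuristic).
ca_ex:register_heuristic("udp", heur_ca)
ca_ex:register_heuristic("tcp", heur_ca)
```

With the heuristic in place the ephemeral ports no longer have to be known in advance; the preference path is the fallback for old builds or for TCP segments where the header check cannot be applied.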

The wireshark 2.0.3 version wasn't good enough. I downloaded a tarball for wireshark/4.0.3 and finally got it to build a non-gui version by adding about 8 more packages to pkg_mgr. I needed qt 5.12 or greater to build the gui. pkg_mgr had qt/5.7.0, but I still haven't gotten qt/5.15.8 to build.

However, the non-gui wireshark build doesn't include wireshark, the gui, but it does build tshark, the command-line equivalent. Using that version of tshark, I finally got a good pva.lua output:

pva.lua output
% which tshark
/cds/group/pcds/pkg_mgr/release/wireshark-0.0.1/x86_64-rhel7-gcc48-opt/bin/tshark
% tshark -X lua_script:/cds/home/b/bhill/git-wa-neh/misc/cashark-git/pva.lua -PO pva -r ~/tmp/bh-pva1.pcap  | egrep Command
Loading PVA...
Loaded PVA
    Command: SEARCH_RESPONSE (0x04)
    Control Command: SET_BYTE_ORDER (0x02)
    Command: CONNECTION_VALIDATION (0x01)
    Command: CONNECTION_VALIDATION (0x01)
    Command: CONNECTION_VALIDATED (0x09)
    Command: CREATE_CHANNEL (0x07)
    Command: CREATE_CHANNEL (0x07)
    Command: GET (0x0a)
    Command: GET (0x0a)
    Command: GET (0x0a)
    Command: GET (0x0a)