Hotwire allows you to study network traffic of a few popular protocols in a simple way

Last update: Dec 30, 2022

Overview

Hotwire

Hotwire is a gtk GUI application that leverages the wireshark and tshark infrastructure to capture traffic and explore the contents of tcpdump files, but displays the data in a more focused way than wireshark. Hotwire supports only a few protocols (currently PostgreSQL, HTTP and HTTP2), but for these protocols it offers a high-level, clear display of the network traffic, tailored for each specific protocol. Hotwire can open tcpdump files or record traffic through a fifo file, therefore without requiring elevated privileges.

The UI layout

The main view is divided in four panes; from left to right and top to bottom:

The servers; Hotwire is only interested in client-server protocols, so it can group packets by server. We also display metadata there, like the number of remote hosts, the number of TCP sessions, and details depending on the protocol (host name for HTTP, database name for PGSQL);
The messages. In the case of HTTP, we group request & response in one single row, in the case of PGSQL we group query and query result in one row as well. It's possible to sort by any column. The color on the left highlights the TCP stream, so it's easier to track which messages are related to one another;
The incoming connections. These hold for the currently selected server only. We can see remote hosts and tcp streams, and selecting items here will filter the messages grid;
The message details view. Showing details about the currently selected message.

Protocols

Currently Hotwire supports:

HTTP
HTTP2
PGSQL (PostgreSQL wire protocol)

Note that for PGSQL you can often see "Unknown statement". This can happen with prepared statements, where the statement is declared once and then reused. If the declaration is not caught in the recording, Hotwire has no way of recovering it and it must show "Unknown statement". It can still recover result rows and parameters (without types or column names though).

HTTPS and HTTP2: decryption

It is possible to view encrypted traffic in Hotwire, the same as with wireshark and tshark, if you have the encryption keys. You can recover the encryption keys from server software (for instance apache tomcat) or client software (firefox, chrome). To recover the keys from chrome or firefox, launch them with:

SSLKEYLOGFILE=browser_keylog.txt firefox

(or same with google-chrome) More information is available in the wireshark wiki.

Hotwire doesn't allow to open separately keylog files. Instead, you should use editcap to merge the secrets in the pcap file and open the combined file with Hotwire:

editcap --inject-secrets tls,/path/to/keylog.txt ~/testtls.pcap ~/outtls.pcapng

Live traffic recording

You can also record and observe live network traffic in Hotwire. For that, Hotwire will open a FIFO, and listen for pcap contents on that FIFO. Note that this will not work on Windows. Then tcpdump can be invoked to write pcap data to the fifo, and Hotwire will capture and display the data in real-time. That way Hotwire can display live traffic without elevated privileges.

When Hotwire is run as a linux native app, it can invoke pkexec to launch tcpdump with elevated privileges and everything works transparently to the user. When it runs as a flatpak or under OSX for instance, Hotwire gives to the user a tcpdump command-line to run with sudo.

Installation

The recommended way to install the application on linux is with flatpak. For other platforms you'll have to build from source -- using the rust toolchain. Hotwire requires tshark to be installed and in the PATH to operate correctly, and tcpdump to record traffic, and on non-flatpak linux pkexec for simple recording.

To build from source: install rust and cargo, then run cargo run --release. The binary in target/release/hotwire can be copied anywhere, as it embeds icons and other dependencies (but not shared libraries like gtk). On OSX, you'll need gtk+3 and adwaita-icon-theme from homebrew.

The netns-rs crate provides an ultra-simple interface for handling network namespaces in Rust.

netns-rs The netns-rs crate provides an ultra-simple interface for handling network namespaces in Rust. Changing namespaces requires elevated privileg

7 Dec 15, 2022

Small MQTT router. Allows creating multiple inputs/outputs and run action when input triggers.

MQRT Small MQTT router. Allows creating multiple inputs/outputs and run action when input triggers. Features multi-(input/output) multiple actions tie

0 Jan 4, 2022

Multiplex server for rust-analyzer, allows multiple LSP clients (editor windows) to share a single rust-analyzer instance per cargo workspace

ra-multiplex Multiplex server for rust-analyzer, allows multiple LSP clients (editor windows) to share a single rust-analyzer instance per cargo wor

95 Dec 29, 2022

QUIC proxy that allows to use QUIC to connect to an SSH server without needing to patch the client or the server.

quicssh-rs 😄 quicssh-rs is a QUIC proxy that allows to use QUIC to connect to an SSH server without needing to patch the client or the server. quicss

18 May 5, 2023

Network simulation in Rust

netsim - A Rust library for network simulation and testing (currently linux-only). netsim is a crate for simulating networks for the sake of testing n

115 Dec 15, 2022

A private network system that uses WireGuard under the hood.

innernet A private network system that uses WireGuard under the hood. See the announcement blog post for a longer-winded explanation. innernet is simi

4.1k Dec 29, 2022

A Curve-like AMM for Secret Network

A Curve-like AMM for Secret Network. Supports a varibale number of tokens with the same underlying value.

16 Dec 11, 2022

A multi-protocol network relay

43 Dec 13, 2022

A Rust library for parsing the SOME/IP network protocol (without payload interpretation).

someip_parse A Rust library for parsing the SOME/IP network protocol (without payload interpretation). Usage Add the following to your Cargo.toml: [de

18 Oct 31, 2022

Comments

not possible to run tcpdump manually for flatpak-version

sudo tcpdump -ni any -s0 --immediate-mode --packet-buffered -w /home/freddii/.var/app/com.github.emmanueltouzery.hotwire/data/hotwire/hotwire-record-2 -B 8192 [sudo] Passwort für freddii: tcpdump: data link type LINUX_SLL2 tcpdump: /home/freddii/.var/app/com.github.emmanueltouzery.hotwire/data/hotwire/hotwire-record-2: Permission denied

opened by freddii 7

better types for MessageParser

comment on top of the MessageParser interface:

/// A MessageParser allows hotwire to parse & display messages related to
/// a certain protocol, for instance HTTP. The message parser deals with
/// parsing packets as well as displaying them.
///
/// The first step is to take TSharkPackets and build a StreamData from it.
/// The StreamData contains among other things a list of messages, which
/// the parser builds from the packets. Conceptually the MessageParser
/// trait "should" have two associated types: one for a StreamGlobals type
/// specific for the parser, and one for a MessageData type specific
/// for the parser.
/// This was attempted in the 'better_types' branch, but it complicated
/// many things, because then it was not possible to iterate over parsers
/// or over messages from different parsers.
///
/// Instead we now have a "workaround" where MessageData and StreamGlobals
/// are enums and basically each parser puts and expects to find its own
/// type. Hopefully a better solution can be found in the future.

In the better_types branch, I have things like:

pub trait MessageParser {
    type MessageType;
    type StreamGlobalsType;

    fn initial_globals(&self) -> Self::StreamGlobalsType;

    fn add_to_stream(
        &self,
        stream: &mut StreamData<Self::MessageType, Self::StreamGlobalsType>,
        new_packet: TSharkPacket,
    ) -> Result<(), String>;

While in mainline:

    fn initial_globals(&self) -> StreamGlobals;

    fn add_to_stream(
        &self,
        stream: &mut StreamData,
        new_packet: TSharkPacket,
    ) -> Result<(), String>;

// ...

pub enum StreamGlobals {
    Postgres(PostgresStreamGlobals),
    Http2(Http2StreamGlobals),
    Http(HttpStreamGlobals),
    None,
}

pub enum MessageData {
    Http(HttpMessageData),
    Postgres(PostgresMessageData),
}

However that forced me to have in win.rs in that branch a message_parser_visitor macro to be able to work on multiple message parsers. And also things like:

    http_streams: HashMap<u32, StreamData<HttpMessageData, ()>>,
    http2_streams: HashMap<u32, StreamData<HttpMessageData, ()>>,
    postgres_streams: HashMap<u32, StreamData<PostgresMessageData, PostgresStreamGlobals>>,

    // ...

    http_details_component_emitters:
        Vec<Box<dyn Fn(mpsc::Sender<BgFunc>, PathBuf, HttpMessageData)>>,
    http2_details_component_emitters:
        Vec<Box<dyn Fn(mpsc::Sender<BgFunc>, PathBuf, HttpMessageData)>>,
    postgres_details_component_emitters:
        Vec<Box<dyn Fn(mpsc::Sender<BgFunc>, PathBuf, PostgresMessageData)>>,

While in mainline I have a single field in both cases. Note otherwise that the better_types branch is waaaay behind mainline in other aspects of the code.

I'd like to see that we could have both the advantages of the better types of the branch and the ergonomics of mainline... (besides the fact that in mainline the enums must be "casted" to the right type)

opened by emmanueltouzery 2

Releases(v0.2.3)

v0.2.3(Feb 20, 2022)
HTTP: display basic authentication credentials in a friendly manner

Display errors loading files even if we partially succeeded

Add support for HTTP 1.1 pipelining

Port to latest gtkrs/relm

HTTP: ability to filter based on request or response size

HTTP: fix very long URLs or headers causing an horizontal scrollbar in the display

HTTP: expanders for requests and responses

Source code(tar.gz)
Source code(zip)
v0.2.2(Feb 5, 2022)
Fix important regression in 0.2.1 for streams with more than 100 messages (messages would get duplicated many times over)

For HTTP1 streams, we can now display final messages in communications even if they are not categorized as HTTP by wireshark

Source code(tar.gz)
Source code(zip)
v0.2.1(Jan 30, 2022)
Fix #1 change the design, better type-safety

HTTP: properly escape body contents. previously depending on the contents, some gtk/pango "escape sequences" would get through and the markup would potentially be invalid. If it came to that, we did not display the contents or worse, left the previous content, which could be very confusing.

Also know how to indent and format ndjson now

Search GUI: properly escape the " and \ in search values

Search implementation: properly parse escaped \ characters

Refresh dependencies

Source code(tar.gz)
Source code(zip)
v0.2.0(Oct 31, 2021)
Upgrade dependencies, especially gtk and relm

Considerably improved search, mini language with and/or conditions and brackets that can filter on several subparts of messages

Communication info header: ability to select client IP and stream ID

New "keyboard shortcuts" dialog

HTTP: ability to copy communication to the clipboard

Animate the infobar when showing or hiding it

Source code(tar.gz)
Source code(zip)
0.1.0(Jul 5, 2021)

Initial release.
Source code(tar.gz)
Source code(zip)

Owner

GitHub

Docker containers on a synthetic network. Run applications in a context that lets you manipulate their network conditions.

Synthetic Network Docker containers on a synthetic network. Run applications in a context that lets you manipulate their network conditions. Dependenc

58 Dec 15, 2022

An online version of the popular game four in a row, written in Rust on the server side and Flutter + Dart on the client.

Four in a Row - Server An online version of the popular game four in a row, written in Rust on the server side and Flutter + Dart on the client. Downl

8 Sep 16, 2022

Many modbus devices support only one or very few clients

Modbus TCP proxy Many modbus devices support only one or very few clients. This proxy acts as a bridge between the client and the modbus device. It ca

6 Aug 10, 2022

Tunnel TCP traffic through SOCKS5 or HTTP using a TUN interface.

tun2proxy Tunnel TCP traffic through SOCKS5 or HTTP on Linux. Authentication not yet supported. Error handling incomplete and too restrictive. Build C

34 Nov 29, 2022

Hybrid Traffic Mesh Proxy

Hybrid Traffic Mesh Proxy L7 proxy on kubernetes dependencies: routeagent: refresh proxy routes fetched with k8s sdk register routes curl -v --unix-s

1 Feb 11, 2022

Userspace libpcap-based tool to mirror your dns traffic

DNS traffic mirroring tool (dns-mirror) Description Userspace libpcap-based tool. dns-mirror sniffs dns packets on the given interface and proxies it

1 Mar 15, 2022

Rust implementation of PRECIS Framework: Preparation, Enforcement, and Comparison of Internationalized Strings in Application Protocols

Rust PRECIS Framework libray PRECIS Framework: Preparation, Enforcement, and Comparison of Internationalized Strings in Application Protocols as descr

1 Oct 20, 2022

RDE1 (Rusty Data Exfiltrator) is client and server tool allowing auditor to extract files from DNS and HTTPS protocols written in Rust. 🦀

Information: RDE1 is an old personal project (end 2022) that I didn't continue development on. It's part of a list of projects that helped me to learn

32 Oct 6, 2023

Simple in-network file transfer with barely any overhead.

fftp fftp is the "Fast File Transport Protocol". It transfers files quickly between computers on a network with low overhead. Motivation FTP uses two

4 May 12, 2022

A simple configuration-based module for inter-network RPC in Holochain hApps.

DNA Auth Resolver A simple configuration-based module for inter-network RPC in Holochain hApps. About Usage In the origin zome In the destination DNA

0 Feb 4, 2022