mac os packetflix hander and xattr

[hellt]

I am not sure what caused the packetflix-handler.zip to be detected as a malicious download
First, chrome warns a user that this is a malicious download, and then suddenly xattr is required.

None of these steps were necessary for the handler app I initially shared, so I think it makes sense to dig a little bit deeper and see what caused that behavior. siemens/cshargextcap#14

And maybe there is a wireshark option that sets the window title that can also be set in the AppleScript to actually show the contianer/pid name and interface for the captured flow. Right now it is just saying "capturing from packetflix"

[thediveo]

What I observed and what killed a few hours of my lifetime: when I zipped everything on the same machine and then unzipped again in Downloads/ and copied to /Applications there was never an issue.

But downloading triggers the whole (cyber) security cargo culture we all so love. Luckily, I remembered that we just lost a few hours worth of company time on another download quarantine a few weeks ago and luckily someone then remembered that there is an xattr flag. Took some more time to finally nail down the correct flag.

[thediveo]

let's see:

1. macos Monterey 12.7.2
2. Script Editor 2.11 (227)
3. zip says 3.0 July 5th 2008
4. Firefox -- not Chrome -- 122.0.1 for downloading

[thediveo]

same with Chrome 121.0.6167.160.

[hellt]

Let me try downloading via curl indeed.
If it doesn't quarantine, then I believe this should be the official way to download the file.

I propose using the following oneliner:

curl -s https://api.github.com/repos/siemens/cshargextcap/releases/latest \
  | grep "browser_download_url.*packetflix-handler.zip" \
  | cut -d : -f 2,3 | tr -d \" \
  | xargs -n 1 curl -sLO

[hellt]

I just tried using curl and no security warnings occurred 🥳
maybe then it is worth adding && unzip packetflix-handler.zip && mv packetflix-handler.zip /Applications to the oneliner to make it a really one-click install

[thediveo]

what if an older downloaded version is still in the Downloads? does curl overwrite or else...?

[thediveo]

re: title; looking at https://www.wireshark.org/docs/wsug_html_chunked/ChCustCommandLine.html, there isn't anything available from the wireshark CLI args. The extcap definitively hasn't access to this. I would recommend hopping over to Wireshark's discord server and into the "developer den", asking there for this feature.

[thediveo]

wondering whether we get also something in powershell 5, and some bash magic in linux should be more straightforward.

[hellt]

you can add me as a co-author in the commit :D

use framework "Foundation"
use scripting additions

on open location thisURL
	set theURL to current application's NSURL's URLWithString:thisURL
	
	set theComponents to current application's NSURLComponents's componentsWithURL:theURL resolvingAgainstBaseURL:false
	set queryItems to theComponents's queryItems
	set containerValue to ""
	
	set theEnumerator to queryItems's objectEnumerator()
	set aQueryItem to theEnumerator's nextObject()
	
	repeat while aQueryItem is not missing value
		if ((aQueryItem's valueForKey:"name") as string is "container") then
			set containerValue to ((aQueryItem's valueForKey:"value") as string)
			exit repeat
		end if
		set aQueryItem to theEnumerator's nextObject()
	end repeat
	-- uncomment to see the parsed json from the URL
	--	display dialog (containerValue as string)
	
	
	try
		-- Convert the containerValue to NSData
		set nsContainerValue to current application's NSString's stringWithString:containerValue
		set theData to nsContainerValue's dataUsingEncoding:(current application's NSUTF8StringEncoding)
		
		-- Parse the containerValue as JSON
		set theDict to current application's NSJSONSerialization's JSONObjectWithData:theData options:0 |error|:(missing value)
		
		-- Get the value of the namespace/container "name" key
		set nodeName to (theDict's valueForKey:"name") as string
		
		-- Get the value of the "network-interfaces" key
		set networkInterfacesList to (theDict's valueForKey:"network-interfaces") as list
		
		-- Concatenate the elements into a comma-separated string
		set netIFs to ""
		repeat with i from 1 to count networkInterfacesList
			set netIFs to netIFs & item i of networkInterfacesList
			if i is not (count networkInterfacesList) then
				set netIFs to netIFs & ", "
			end if
		end repeat
		
		-- Display the value in a dialog box
		--		display dialog (netIFs as string)
		--		display dialog (nodeName as string)
		-- open wireshark
		-- create a title for wireshark window
		set title to nodeName & ": " & netIFs
	on error errMsg number errNum
		display dialog ("Error " & errNum & ": " & errMsg)
	end try
	do shell script "/Applications/Wireshark.app/Contents/MacOS/Wireshark -k -i packetflix -o gui.window_title:\"" & title & "\" -o extcap.packetflix.url:\"" & thisURL & "\""
end open location

I hate it more than py because there is no way I can remember what happened here in a week from now, but maybe it is better then shelling out to py3

[thediveo]

Here we are, with Apple's (well, NeXT's) very own COBOL dialect.

[thediveo]

fun fact: both Ghostwire and Packetflix started their life as Python3 implementations. I then soon rewrote Packetflix in Go because of better performance, memory consumption, and especially maintenance (single binary, not the whole Python ecosystem in a container anymore). Ghostwire took much longer, and only after my personal experiment lxkns showed that it is possible to write a Linux kernel namespace discovery engine in Go.

[thediveo]

released in v0.10.7. Thank you very much, @hellt for your valuable contribution! Of course, you're mentioned as co-author, that's the least I can do.

Now I might have an idea how to get the same feature on Linux and Windows ... maybe I can reuse the extcap binary as a shim loader for Wireshark...