WIP: A wireshark plugin to analyze communication between lightning network nodes

lightning-dissector

A wireshark plugin to analyze communication between Lightning Network nodes

Installation

First, make sure that luarocks for Lua 5.2 is installed.
If you build luarocks from source, pass the --lua-version=5.2 option to ./configure.
You also need the Lua library and headers. (On Ubuntu you can get them with apt install lua5.2 liblua5.2-dev)

Other requirements:

  • libpcre (apt install libpcre3-dev)

git clone https://github.com/nayutaco/lightning-dissector.git --recursive
cd lightning-dissector
luarocks --local make
mkdir -p ~/.config/wireshark/plugins
ln -s ~/.luarocks/share/lua/5.2/lightning-dissector/wireshark-plugin.lua ~/.config/wireshark/plugins/lightning-dissector.lua

When a large BOLT message arrives, lightning-dissector outputs a correspondingly large message to Wireshark. (#25)
You may therefore have to apply the following patch to the Wireshark source code.

diff --git epan/proto.h epan/proto.h
index afe8dae6e2..81e1e74a60 100644
--- epan/proto.h
+++ epan/proto.h
@@ -60,7 +60,7 @@ extern "C" {
 WS_DLL_PUBLIC int hf_text_only;
 
 /** the maximum length of a protocol field string representation */
-#define ITEM_LABEL_LENGTH	240
+#define ITEM_LABEL_LENGTH	10000
 
 #define ITEM_LABEL_UNKNOWN_STR	"Unknown"
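
Review bot: the new value in `#define ITEM_LABEL_LENGTH 10000` is an unexplained magic number, and according to the comment directly above it this macro is the maximum length of every protocol field string representation, so the change applies to all dissectors rather than only LIGHTNING. Please add a comment stating why 10000 was chosen (the large BOLT messages from #25), and consider whether the dissector could split or truncate long values itself so that the stock limit of 240 can stay.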

Setup

c-lightning (beta)

git clone https://github.com/arowser/lightning -b dissector
cd lightning
./configure  --enable-dissector
make -j
make install  # optional

Eclair

Set the log level to DEBUG.
lightning-dissector searches the debug log for decryption keys.

sed -i 's/<root level="INFO">/<root level="DEBUG">/' eclair-node/src/main/resources/logback.xml

You can set the location of the debug log under Edit Menu -> Preferences -> Protocols -> LIGHTNING. (~/.eclair/eclair.log by default)

Ptarmigan

You need to build ptarmigan with developer mode enabled.

sed -i 's/ENABLE_DEVELOPER_MODE=0/ENABLE_DEVELOPER_MODE=1/g' options.mak
make full

Set $LIGHTNINGKEYLOGFILE before starting ptarmigan.
ptarmigan dumps decryption keys to that file.

mkdir -p ~/.cache/ptarmigan
export LIGHTNINGKEYLOGFILE=~/.cache/ptarmigan/keys.log

Set $LIGHTNINGKEYLOGFILE and the Protocols -> LIGHTNING -> Key log file preference to the same path. (~/.cache/ptarmigan/keys.log by default)
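
The key log file holds decryption keys, so the following added example (not part of lightning-dissector or ptarmigan) creates it with owner-only permissions and verifies them before a capture session. The function names are hypothetical; the default path is the one given above.

```shell
#!/usr/bin/env bash
# Added example: hypothetical helpers, not shipped with lightning-dissector.
# Default path is the README's key log location.
KEYLOG_DEFAULT="$HOME/.cache/ptarmigan/keys.log"

# Print the 10-character type/mode string of a path, e.g. "-rw-------".
mode_string() { ls -ld -- "$1" | cut -c1-10; }

# Create the key log directory and file so that only the current user can
# read them. An existing file is kept (not truncated) and set to mode 600.
prepare_keylog() {
    local file="${1:-$KEYLOG_DEFAULT}" dir
    dir="$(dirname -- "$file")"
    ( umask 077 && mkdir -p -- "$dir" && : >> "$file" ) || return 1
    chmod 600 -- "$file"
}

# Return 0 only if the key log is a regular file (not a symlink), owned by
# the current user, with no group/other permission bits, and its directory
# is not writable by group or others (which would allow replacing the file).
check_keylog() {
    local file="${1:-$KEYLOG_DEFAULT}" dir fmode dmode
    dir="$(dirname -- "$file")"
    if [ ! -f "$file" ] || [ -L "$file" ]; then
        echo "not a regular file: $file" >&2; return 1
    fi
    if [ ! -O "$file" ]; then
        echo "not owned by current user: $file" >&2; return 1
    fi
    fmode="$(mode_string "$file")"
    dmode="$(mode_string "$dir")"
    case "$fmode" in
        -???------) ;;
        *) echo "key log too permissive: $fmode $file" >&2; return 1 ;;
    esac
    case "$dmode" in
        d????-??-?) ;;
        *) echo "directory writable by others: $dmode $dir" >&2; return 1 ;;
    esac
    return 0
}
```

The same check_keylog call can be pointed at the Eclair debug log (~/.eclair/eclair.log), which lightning-dissector also searches for keys.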

Status

Supported implementations

Currently, lightning-dissector can decrypt messages sent from:

  • c-lightning
  • eclair
  • ptarmigan

If you are a developer of a BOLT implementation, I need your help!
You can make your BOLT implementation support lightning-dissector by dumping a key log file, or by writing a new SecretManager.