Wireshark can sniff TPM2 protocol

[ This is 2 year old news, but I’m just learning about it… 😦 ]

Wireshark is a tool used to capture network packets, dissect the protocols they carry and help debug them. Since version 3.0.0 or so, you can use Wireshark to sniff TPM 2.0 traffic. Not the traffic to a hardware TPM chip, but to a TPM2 simulator, which exposes its command interface over a network socket, so Wireshark can capture the exchange, and there is a Wireshark dissector (parser) for the TPM2 protocol.

https://www.wireshark.org/lists/wireshark-commits/201804/msg00451.html

Documentation:
https://www.wireshark.org/docs/dfref/t/tpm.html

Sample PCAP:
https://wiki.wireshark.org/SampleCaptures?action=AttachFile&do=get&target=policy-authorizeNV.pcap

Created by the TPM2 community:
https://github.com/tpm2-software
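What the dissector is decoding is the plain TPM 2.0 command/response structure from the TCG library spec: a 2-byte tag, a 4-byte size and a 4-byte command or response code, followed by the parameters. The following is an added example, not code from the Wireshark project or the tpm2-software community: it parses that header from constructed sample bytes (a TPM2_GetRandom request and its reply) and performs the size check a dissector does first. It assumes the simulator's own socket framing has already been stripped, as the Wireshark dissector does before handing the bytes to the TPM2 parser.

```python
import struct

# TPM2 header tags and a few command codes (TCG TPM 2.0 Library, Part 2).
TPM_ST_NO_SESSIONS = 0x8001
TPM_ST_SESSIONS = 0x8002
TPM_RC_SUCCESS = 0x0000
COMMAND_CODES = {
    0x0144: "TPM2_Startup",
    0x017B: "TPM2_GetRandom",
    0x0192: "TPM2_PolicyAuthorizeNV",
}
HEADER = struct.Struct(">HII")  # tag, size, commandCode / responseCode


def parse_tpm2_message(data: bytes, is_command: bool) -> dict:
    """Decode the 10-byte TPM2 header, as the Wireshark 'tpm' dissector does,
    and check the size field against the number of bytes actually captured."""
    if len(data) < HEADER.size:
        raise ValueError("truncated TPM2 header")
    tag, size, code = HEADER.unpack_from(data)
    if tag not in (TPM_ST_NO_SESSIONS, TPM_ST_SESSIONS):
        raise ValueError(f"unknown tag 0x{tag:04x}")
    if size != len(data):
        # A size field that disagrees with the wire length is the first thing
        # to flag: either the message is fragmented or it is malformed.
        raise ValueError(f"size field {size} != captured {len(data)} bytes")
    msg = {"tag": tag, "sessions": tag == TPM_ST_SESSIONS, "size": size,
           "body": data[HEADER.size:]}
    if is_command:
        msg["commandCode"] = code
        msg["name"] = COMMAND_CODES.get(code, f"TPM2_CC_0x{code:08x}")
    else:
        msg["responseCode"] = code
        msg["ok"] = code == TPM_RC_SUCCESS
    return msg


# Constructed sample exchange (not taken from the page's pcap): TPM2_GetRandom
# asking for 8 bytes, and a successful response carrying an 8-byte TPM2B_DIGEST.
GETRANDOM_CMD = bytes.fromhex("8001 0000000c 0000017b 0008")
GETRANDOM_RSP = bytes.fromhex("8001 00000014 00000000 0008 0102030405060708")


def random_bytes_from_response(rsp: bytes) -> bytes:
    """Pull the TPM2B_DIGEST payload out of a GetRandom response."""
    msg = parse_tpm2_message(rsp, is_command=False)
    if not msg["ok"]:
        raise ValueError(f"TPM returned rc=0x{msg['responseCode']:08x}")
    (n,) = struct.unpack_from(">H", msg["body"])
    return msg["body"][2:2 + n]
```

Running `parse_tpm2_message(GETRANDOM_CMD, is_command=True)` labels the request as TPM2_GetRandom with no sessions, and `random_bytes_from_response(GETRANDOM_RSP)` returns the 8 constructed bytes; chopping a byte off the response makes the size check reject it.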

There is a brief mention of this Wireshark TPM2 dissector in this FOSDEM presentation:

PS: Mostly only related by the “Shark” suffix string, but if you are debugging Linux, KernelShark is a nice tool. I haven’t tried it with a TPM, but you might be able to see Linux kernel TPM trace log traffic through KernelShark…
https://kernelshark.org/
