error in column 'Protocol': Could not find dissector for: 'amp'Valid dissectors are:'http' TCP 443'smtp' TCP 465'ldap' TCP 636'imap' TCP 993'pop' TCP 995'q931.tpkt' TCP 1300'skinny' TCP 2443'sip.tcp' TCP 5061'amp' TCP 52230
Kurt Knochner helpfully pointed me here versus my original ask.wireshark.org question.I'm writing a new dissector for a protocol that can include SSL traffic. It is somewhat similar to LDAP in that it can start a session unencrypted and switch to SSL on the same port when a certain message is received, so I've based my code on packet-ldap. I've also referred to packet-pop, packet-http, and packet-xmpp, which all have various forms of this code.
At the appropriate points, my code is successfully getting to:
call_dissector(ssl_handle, tvb, pinfo, tree);
But in the output of tshark, I don't see any decrypted data:
tshark -o "ssl.desegment_ssl_records: TRUE" -o "ssl.desegment_ssl_application_data: TRUE" -o "ssl.keys_list: 172.16.244.160,52230,amp,cacert.key" -r ../tests/AMP-connect-SSL-trimmed.pcap -x
All this prints is the encrypted data.
If I switch the protocol to ldap, http or xmpp, then I get SSL decryption:
tshark -o "ssl.desegment_ssl_records: TRUE" -o "ssl.desegment_ssl_application_data: TRUE" -o "ssl.keys_list: 172.16.244.160,52230,ldap,cacert.key" -r ../tests/AMP-connect-SSL-trimmed.pcap -x Frame (140 bytes): 0000 00 0c 29 22 80 34 00 50 56 c0 00 08 08 00 45 00 ..)".4.PV.....E. 0010 00 7e 31 1a 40 00 40 06 c8 9c ac 10 f4 01 ac 10 .~1.@.@......... 0020 f4 a0 f0 e6 cc 06 5d df 0c 2f b2 cc ff fa 80 18 ......]../...... 0030 20 00 39 1d 00 00 01 01 08 0a 34 15 f0 11 09 a1 .9.......4..... 0040 28 8f 17 03 00 00 20 ad d1 99 13 3a 22 ec 45 b9 (..... ....:".E. 0050 b1 ec 0e 1f 52 e7 84 d8 b9 27 9a 72 60 66 17 f2 ....R....'.r`f.. 0060 95 2a 82 8e 5a 3b 39 17 03 00 00 20 3c fc 1e d2 .*..Z;9.... <... 0070 b2 de 70 01 9b a7 00 b1 e9 3f 06 87 1d 5a 51 67 ..p......?...ZQg 0080 51 9d 2e 59 0b b1 35 a0 a2 de 37 a6 Q..Y..5...7. Decrypted SSL data (9 bytes): 0000 00 00 00 01 01 00 00 00 02 .........
My code is almost identical to the ldap code. I've tried basing my code on the http, pop, xmpp code (which are all a little different), to no effect. I also tried going back to the
dissector_t
interface rather thannew_dissector_t
, but that didn't change anything.if (amp_info && amp_info->start_tls_frame && ( pinfo->fd->num >= amp_info->start_tls_frame)) { guint32 old_start_tls_frame; dissector_delete_uint("tcp.port", AMP_PORT, amp_handle); ssl_dissector_add(AMP_PORT, "amp", TRUE); old_start_tls_frame = amp_info->start_tls_frame; amp_info->start_tls_frame = 0; /* make sure we don't call SSL again */ pinfo->can_desegment++; /* ignore this layer so SSL can use the TCP resegment */ int dissected_length = call_dissector(ssl_handle, tvb, pinfo, tree); amp_info->start_tls_frame = old_start_tls_frame; ssl_dissector_delete(AMP_PORT, "amp", TRUE); /* restore AMP as the dissector for this port */ dissector_add_uint("tcp.port", AMP_PORT, amp_handle); /* we are done */ return dissected_length; }
I'm not certain where next to troubleshoot. Is there something else dissectors need to do in order to use SSL? I'm not getting warnings or errors.
-Rob
- Follow-Ups:
- Re: [Wireshark-dev] Decrypting SSL in dissector
- From: Dirk Jagdmann
- Re: [Wireshark-dev] Decrypting SSL in dissector
- References:
- [Wireshark-dev] Decrypting SSL in dissector
- From: Rob Napier
- [Wireshark-dev] Decrypting SSL in dissector
- Prev by Date: Re: [Wireshark-dev] Expert item for TCP RST flag
- Next by Date: Re: [Wireshark-dev] Expert item for TCP RST flag
- Previous by thread: [Wireshark-dev] Decrypting SSL in dissector
- Next by thread: Re: [Wireshark-dev] Decrypting SSL in dissector
- Index(es):