Wireshark · Wireshark-dev: Re: [Wireshark-dev] Decrypting SSL in dissector

Wireshark-dev: Re: [Wireshark-dev] Decrypting SSL in dissector

From: Jeff Morriss <jeff.morriss.ws@xxxxxxxxx>

Date: Sat, 11 Jan 2014 21:32:32 -0500

OK, sorry, I really shouldn't start talking about things I haven't aclue about. I was thinking the UAT was going to send you down a pathsimilar to decode-as which I guess it is.


Anyway, I think the answer is on the SSL wiki:

http://wiki.wireshark.org/SSL#start_tls

(Of course you'd also have to look into the LDAP dissector to figure outhow it deals with starting TLS.) It does appear there was somediscussion about it somewhat recently:


https://www.wireshark.org/lists/wireshark-dev/201306/msg00246.html

On 01/10/2014 04:05 PM, Rob Napier wrote:

So make a separate RSA key table within the amp protocol preferences?
And then pass that along to SSL when the protocol goes encrypted?

I assume the same issue impacts LDAP/TLS and XMPP?

-Rob


On Fri, Jan 10, 2014 at 11:51 AM, Jeff Morriss
<jeff.morriss.ws@xxxxxxxxx <mailto:jeff.morriss.ws@xxxxxxxxx>> wrote:

    I think for that you can't enter the encryption keys in the UAT but
    rather your amp dissector would need to register for the SSL after
    the negotiation.


    On 01/09/14 11:55, Rob Napier wrote:

        That was exactly it. Thank you!

        I'm now seeing a much less critical issue:

        The amp protocol starts off unencrypted, and then switches to
        SSL after
        some negotiation. When I first start wireshark (without providing a
        decryption key), I see the two AMP negotiation packets, and then
        SSLv3
        packets. When I add the decryption key, the initial two handshake
        packets get re-decoded as "SSL Continuation Data" and I lose the
        unencrypted handshake information. The encrypted traffic then
        dissects
        correctly.

        Is this expected? Is it possible to view both the encrypted and
        unencrypted portions of the protocol on the same port?

        -Rob


        On Thu, Jan 9, 2014 at 11:38 AM, Dirk Jagdmann <doj@xxxxxxxxx
        <mailto:doj@xxxxxxxxx>
        <mailto:doj@xxxxxxxxx <mailto:doj@xxxxxxxxx>>> wrote:

             do you have a new_register_dissector("amp", ...) in the
             proto_register_amp()
             function? Otherwise the SSL dissector can not match the
        "amp" string
             to a
             dissector handle/function.



___________________________________________________________________________
Sent via:    Wireshark-dev mailing list <wireshark-dev@xxxxxxxxxxxxx>
Archives:    http://www.wireshark.org/lists/wireshark-dev
Unsubscribe: https://wireshark.org/mailman/options/wireshark-dev
              mailto:wireshark-dev-request@xxxxxxxxxxxxx?subject=unsubscribe

References:
- [Wireshark-dev] Decrypting SSL in dissector
  - From: Rob Napier
- Re: [Wireshark-dev] Decrypting SSL in dissector
  - From: Rob Napier
- Re: [Wireshark-dev] Decrypting SSL in dissector
  - From: Dirk Jagdmann
- Re: [Wireshark-dev] Decrypting SSL in dissector
  - From: Rob Napier
- Re: [Wireshark-dev] Decrypting SSL in dissector
  - From: Jeff Morriss
- Re: [Wireshark-dev] Decrypting SSL in dissector
  - From: Rob Napier

Prev by Date: Re: [Wireshark-dev] Wireshark-dev] Linking error tfshark
Next by Date: [Wireshark-dev] setcap for CMake install under Linux
Previous by thread: Re: [Wireshark-dev] Decrypting SSL in dissector
Next by thread: Re: [Wireshark-dev] Is it possible to update the version of gcrypt?
Index(es):
- Date
- Thread