Hi,

I am attempting to write a Lua dissector for an SSL VPN protocol tunneling PPP within an SSL connection with some vendor-specific framing. The dissector works just fine when I call the 'data' subdissector on those PPP frames. However, as soon as I call the PPP subdissector, some frames are not decoded, framing boundaries become incorrect and decoding fails.

Would you say that I am running into bug 2345 (https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=2345)? Am I doing something wrong in my dissector? I have also tried to remove PPP from the equation by calling the IP dissector directly, but the same behaviour can be observed.

Thanks for your help.

Regards,
Jeremy

Example of failing packet (failures before that packet are legitimate failures - the SSL tunnel starts with HTTP before switching to PPP):

==========================
SSLTunnel preference "Dissect SSLTunnel frames as PPP" turned ON:
==========================

Frame 780: 5981 bytes on wire (47848 bits), 5981 bytes captured (47848 bits)
Ethernet II, Src: Vmware_86:1b:a3 (00:50:56:86:1b:a3), Dst: BrocadeC_9d:97:00 (00:0c:db:9d:97:00)
802.1Q Virtual LAN, PRI: 0, CFI: 0, ID: 4093
Internet Protocol Version 4, Src: 172.24.102.61, Dst: 192.168.164.133
Transmission Control Protocol, Src Port: 443, Dst Port: 60614, Seq: 119668, Ack: 41980, Len: 5810
Secure Sockets Layer
    TLSv1.2 Record Layer: Application Data Protocol: http-over-tls
    TLSv1.2 Record Layer: Application Data Protocol: Application Data
    TLSv1.2 Record Layer: Application Data Protocol: Application Data
SSLTunnel Frame
Point-to-Point Protocol
Internet Protocol Version 4, Src: 10.0.20.60, Dst: 10.5.5.3
Transmission Control Protocol, Src Port: 80, Dst Port: 47730, Seq: 98979, Ack: 1486, Len: 1332
[SSLTunnel Frame] Invalid frame delimiter
Data (1389 bytes)
[SSLTunnel Frame] Invalid frame delimiter
Data (1389 bytes)

==========================
SSLTunnel preference "Dissect SSLTunnel frames as PPP" turned OFF:
==========================

Frame 780: 5981 bytes on wire (47848 bits), 5981 bytes captured (47848 bits)
Ethernet II, Src: Vmware_86:1b:a3 (00:50:56:86:1b:a3), Dst: BrocadeC_9d:97:00 (00:0c:db:9d:97:00)
802.1Q Virtual LAN, PRI: 0, CFI: 0, ID: 4093
Internet Protocol Version 4, Src: 172.24.102.61, Dst: 192.168.164.133
Transmission Control Protocol, Src Port: 443, Dst Port: 60614, Seq: 119668, Ack: 41980, Len: 5810
    [2 Reassembled TCP Segments (2807 bytes): #775(1402), #780(1405)]
Secure Sockets Layer
    TLSv1.2 Record Layer: Application Data Protocol: http-over-tls
SSLTunnel Frame
    Frame delimiter: 0xf500
    Size: 1385
Data (1385 bytes)
SSLTunnel Frame
    Frame delimiter: 0xf500
    Size: 1385
Data (1385 bytes)
Secure Sockets Layer
    TLSv1.2 Record Layer: Application Data Protocol: http-over-tls
    TLSv1.2 Record Layer: Application Data Protocol: http-over-tls
    TLSv1.2 Record Layer: Application Data Protocol: http-over-tls
SSLTunnel Frame
    Frame delimiter: 0xf500
    Size: 1385
Data (1385 bytes)
SSLTunnel Frame
    Frame delimiter: 0xf500
    Size: 1385
Data (1385 bytes)
SSLTunnel Frame
    Frame delimiter: 0xf500
    Size: 1385
Data (1385 bytes)

==========================

Capture file: https://file.town/download/rvkoz3z9o7zb1854ktwpqb5dx

PMS for SSL decoding:
RSA Session-ID:a3a6ccc9863a507daa0e02700f2219a5ecbe4186d0c2fd52120f7e981ff2a9f4 Master-Key:6abea65f2d1f8b15f96fea2dd6fe14cd45118061ee15077afb7328b2b9cc2ee5b6fd167fd823f949d0d931b2e92e9fc3

Lua dissector: https://pastebin.com/eMEWLUG9

==========================
Wireshark build:
==========================

Wireshark 2.2.4 (v2.2.4-0-gcc3dc1b)

Copyright 1998-2017 Gerald Combs <gerald@xxxxxxxxxxxxx> and contributors.
License GPLv2+: GNU GPL version 2 or later <http://www.gnu.org/licenses/old-licenses/gpl-2.0.html>
This is free software; see the source for copying conditions. There is NO
warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.

Compiled (64-bit) with Qt 5.3.2, with libpcap, without POSIX capabilities, with
GLib 2.36.0, with zlib 1.2.5, with SMI 0.4.8, with c-ares 1.12.0, with Lua 5.2.4,
with GnuTLS 2.12.19, with Gcrypt 1.5.0, with MIT Kerberos, with GeoIP, with
QtMultimedia, without AirPcap.

Running on Mac OS X 10.11.6, build 15G1421 (Darwin 15.6.0), with locale
en_GB.UTF-8, with libpcap version 1.5.3 - Apple version 54, with GnuTLS 2.12.19,
with Gcrypt 1.5.0, with zlib 1.2.5.
Intel(R) Core(TM) i7-4960HQ CPU @ 2.60GHz (with SSE4.2)

Built using llvm-gcc 4.2.1 (Based on Apple Inc. build 5658) (LLVM build 2336.9.00).

==========================
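The following is an added example, not the dissector from the pastebin link above and not any vendor's code. It is a skeleton Lua dissector for the framing that is visible in the decoded tree in the post (a frame delimiter 0xf500, a Size field, then Size bytes of payload), written to show the two things a framing dissector that hands its payload to ppp or ip has to get right: asking the outer TLS/TCP layer for more bytes when a frame straddles a record or segment boundary (pinfo.desegment_offset / pinfo.desegment_len instead of silently truncating), and not letting the nested IP/TCP dissector running inside the tunnel leave its own desegmentation request on pinfo, which the outer layer would otherwise act on. The 2-byte big-endian Size field, the 4-byte header (1389 minus 1385 bytes in the failed frames), the ssl.port registration on 443, and every name prefixed ssltunnel_example are assumptions; the real protocol may differ.

```lua
-- Added example: skeleton dissector for a "delimiter + size + payload" framing
-- carried inside TLS. Header layout (2-byte delimiter 0xf500, 2-byte big-endian
-- size) is an ASSUMPTION inferred from the tree in the post, not a spec.
local ssltunnel = Proto("ssltunnel_example", "SSLTunnel Frame (example)")

local f_delim = ProtoField.uint16("ssltunnel_example.delim", "Frame delimiter", base.HEX)
local f_size  = ProtoField.uint16("ssltunnel_example.size",  "Size",            base.DEC)
ssltunnel.fields = { f_delim, f_size }

-- Same switch as in the post: hand payloads to PPP, or just to "data".
ssltunnel.prefs.dissect_as_ppp = Pref.bool("Dissect SSLTunnel frames as PPP", false,
    "Hand frame payloads to the PPP dissector instead of 'data'")

local DELIM   = 0xf500
local HDR_LEN = 4

local data_dis = Dissector.get("data")
local ppp_dis  = Dissector.get("ppp")   -- name registered by packet-ppp.c

function ssltunnel.dissector(tvb, pinfo, tree)
    pinfo.cols.protocol = ssltunnel.name
    local len    = tvb:len()
    local offset = 0

    while offset < len do
        local remaining = len - offset

        -- Header split across a TLS record / TCP segment: ask for more
        -- instead of reading garbage. The outer layer re-calls us later
        -- with the reassembled bytes starting at desegment_offset.
        if remaining < HDR_LEN then
            pinfo.desegment_offset = offset
            pinfo.desegment_len    = DESEGMENT_ONE_MORE_SEGMENT
            return len
        end

        local delim = tvb(offset, 2):uint()
        if delim ~= DELIM then
            -- Covers the HTTP that precedes the PPP phase in the post, and any
            -- real framing error: flag it and show the rest as plain data.
            local bad = tree:add(ssltunnel, tvb(offset))
            bad:add_expert_info(PI_MALFORMED, PI_ERROR, "Invalid frame delimiter")
            data_dis:call(tvb(offset):tvb(), pinfo, tree)
            return len
        end

        local size = tvb(offset + 2, 2):uint()
        if remaining < HDR_LEN + size then
            -- Body split across segments: we know exactly how much is missing.
            pinfo.desegment_offset = offset
            pinfo.desegment_len    = HDR_LEN + size - remaining
            return len
        end

        local subtree = tree:add(ssltunnel, tvb(offset, HDR_LEN + size))
        subtree:add(f_delim, tvb(offset, 2))
        subtree:add(f_size,  tvb(offset + 2, 2))

        -- Give the subdissector a tvb bounded to this frame's payload only,
        -- so it cannot run past the frame into the next delimiter.
        local payload = tvb(offset + HDR_LEN, size):tvb()
        if ssltunnel.prefs.dissect_as_ppp then
            ppp_dis:call(payload, pinfo, tree)
        else
            data_dis:call(payload, pinfo, tree)
        end

        -- Defensive: the tunnelled PPP/IP/TCP may have asked for desegmentation
        -- of ITS stream on the shared pinfo. That request is not ours; clear it
        -- so the outer TLS/TCP layer only ever sees this dissector's requests.
        pinfo.desegment_len = 0

        offset = offset + HDR_LEN + size
    end
    return len
end

-- ASSUMPTION: the tunnel rides on TLS port 443. Registering here replaces the
-- default http-over-tls dissection for decrypted 443 traffic in this profile.
DissectorTable.get("ssl.port"):add(443, ssltunnel)
```

Load it from the plugin directory or with `-X lua_script:` alongside the RSA key or premaster secret log used in the post. Registering on ssl.port 443 means every decrypted 443 stream goes through this dissector, which is why the invalid-delimiter branch has to degrade gracefully to "data" rather than abort; with a real deployment you would key it on the vendor's port or on a heuristic match of the first frame instead.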