
Wireshark-dev: Re: [Wireshark-dev] help needed in tracking down a bug in SSL dissector

From: "Kukosa, Tomas" <tomas.kukosa@xxxxxxxxxxx>
Date: Wed, 6 Jun 2007 07:51:24 +0200
Hi,

The problem is that DESEGMENT_UNTIL_FIN is not implemented (well) in the SSL dissector.

I will think about it, but I cannot guarantee that I will find a solution soon.

regards,
  Tomas


Mailcode: NdD2sKHg
-----Original Message-----
From: Brian Vandenberg [mailto:Brian.Vandenberg@xxxxxxxxxxxxxxxxxx] 
Sent: Tuesday, June 05, 2007 10:32 PM
To: Kukosa, Tomas
Subject: Re: [Wireshark-dev] help needed in tracking down a bug in SSL dissector

Tomas,

  Not a problem.  Oh, and I meant TLSv1 (was thinking SSL3).

  The IP is 192.168.20.68, the port is 9091, and I've attached two key 
files.  I'm unsure which is the right one, I was just using both to 
avoid figuring it out.

  Ignoring the first two http packets in this sample, every response 
packet from the server seems to exhibit this behavior.  The same 
reconstructed data is added as a data source two times instead of one, 
and the http dissector is then called twice, once on each of the two 
data sources that are themselves identical to each other.

-Brian

Kukosa, Tomas wrote:

>Hi Brian,
>
>Please could you send me your sample capture? (with key and key config) 
>
>Regards,
>  Tomas
>
>
>Mailcode: NdD2sKHg
>-----Original Message-----
>From: Brian Vandenberg [mailto:phantal@xxxxxxxxx] 
>Sent: Monday, June 04, 2007 5:22 PM
>To: Kukosa, Tomas
>Cc: Brian Vandenberg
>Subject: Re: [Wireshark-dev] help needed in tracking down a bug in SSL dissector
>
>Tomas,
>
>  Did you see my response to your email last week?  I've had to shelve 
>fixing this temporarily because it's taking me so long to track it down, 
>but I'm probably going to be working on it sometime this week.  If you'd 
>like me to send you a sample capture to try reproducing this issue I can 
>do that.
>
>  In response to your question, I'm using code from about 1.5wks ago 
>from the wireshark trunk.  The ssl protocol is TLSv3.  I'm unfamiliar 
>with H.225 and SIP, so I'm not sure what other information you'd need.
>
>-Brian
>
>Kukosa, Tomas wrote:
>
>>Hi,
>>
>>Which version do you use? I have rewritten SSL reassembling about one month ago.
>>I have tested it with segmented H.225 and SIP and it works well.
>>
>>Tomas
>>
>>
>>Mailcode: NdD2sKHg
>>-----Original Message-----
>>From: wireshark-dev-bounces@xxxxxxxxxxxxx [mailto:wireshark-dev-bounces@xxxxxxxxxxxxx] On Behalf Of Brian Vandenberg
>>Sent: Thursday, May 31, 2007 12:40 AM
>>To: Developer support list for Wireshark
>>Subject: [Wireshark-dev] help needed in tracking down a bug in SSL dissector
>>
>>  I found a bug about 9-10 months ago in the SSL dissector that was 
>>never fixed, so I'm trying to find/fix the problem myself, but I'm 
>>having a hard time tracking it down.
>>
>>  Essentially this is what happens:
>>
>>* POST to server occurs, the SSL chunk isn't fragmented.
>>* When SSL dissector decrypts it a single new data source is added and 
>>displayed entitled "Decrypted SSL Data"
>>* The new data source is then passed to the http dissector.
>>* ...
>>* A response from the server is sent, the SSL chunk *IS* fragmented.
>>* The SSL dissector decrypts each chunk then reconstructs it; four new 
>>data sources are added:
>>** Decrypted SSL data (X bytes)
>>** Reassembled SSL (Y bytes)
>>** Decrypted SSL data (Z bytes)
>>** Reassembled SSL (Y bytes)
>>** note that both 'Reassembled' data sources have the same size, and the 
>>exact same data.
>>* The reassembled chunks are *both* passed to the http dissector.
>>
>>  The problem is that the SSL dissector is adding the same reassembled 
>>chunk as a new data source twice (possibly more, if it is broken up into 
>>more than 2 chunks, but so far I've only seen it broken in two chunks).  
>>I've spent a couple of days on this, and though I think I'm close, I 
>>just don't know enough about the Wireshark API, so I'm making very slow 
>>progress.
>>
>>  I expected that it would be as simple as going to line 920 of 
>>packet-ssl.c, set a breakpoint, observe that the line is executed twice 
>>for each packet where this occurs, then figure out why it executes more 
>>than once ... but it only executes that line once for each packet where 
>>this occurs, and I don't see another line of code that tries to add a 
>>new data source with the text "Reassembled SSL".  I haven't managed to 
>>find where the 2nd call to add_new_data_source takes place.
>>
>>  I'm going to continue working on this, however, if anyone has a 
>>suggestion, or sees something I'm missing, I'd appreciate the help.
>>
>>-Brian
>>
>>Anders Broman wrote:
>>
>>>Hi,
>>>ETR 091 (ETSI ETR 091 ed.1 (1993-07)) downloadable from ETSI.
>>>http://www.etsi.org/services_products/freestandard/home.htm
>>>Regards
>>>Anders
>>>
>>>________________________________________
>>>From: wireshark-dev-bounces@xxxxxxxxxxxxx [mailto:wireshark-dev-bounces@xxxxxxxxxxxxx] On Behalf Of Kukosa, Tomas
>>>Sent: 30 May 2007 23:19
>>>To: wireshark-dev@xxxxxxxxxxxxx
>>>Subject: Re: [Wireshark-dev] [Wireshark-commits] rev 22008:/trunk/asn1/gsmmap/ /trunk/asn1/gsmmap/:MAP-ApplicationContexts.asn MAP-BS-Code.asnMAP-CH-DataTypes.asn MAP-CommonDataTypes.asnMAP-ER-DataTypes.asn MAP-GR-DataTypes.asn ...
>>>
>>>Hi,
>>> 
>>>Which document does the MobileDomainDefinitions.asn come from?
>>> 
>>>I have tried to find any reference in the 3GPP TS 29.002 but without any success.
>>> 
>>>Regards,
>>>  Tomas
>>>
>>>________________________________________
>>>From: wireshark-commits-bounces@xxxxxxxxxxxxx on behalf of etxrab@xxxxxxxxxxxxx
>>>Sent: Wed 30.5.2007 21:03
>>>To: wireshark-commits@xxxxxxxxxxxxx
>>>Subject: [Wireshark-commits] rev 22008: /trunk/asn1/gsmmap/ /trunk/asn1/gsmmap/: MAP-ApplicationContexts.asn MAP-BS-Code.asn MAP-CH-DataTypes.asn MAP-CommonDataTypes.asn MAP-ER-DataTypes.asn MAP-GR-DataTypes.asn ...
>>>http://anonsvn.wireshark.org/viewvc/viewvc.cgi?view=rev&revision=22008
>>>
>>>User: etxrab
>>>Date: 2007/05/30 07:03 PM
>>>
>>>Log:
>>> Add separate asn1 files that may be used later.
>>>
>>>Directory: /trunk/asn1/gsmmap/
>>>  Changes    Path                           Action
>>>  +196 -0    MAP-ApplicationContexts.asn    Added
>>>  +130 -0    MAP-BS-Code.asn                Added
>>>  +463 -0    MAP-CH-DataTypes.asn           Added
>>>  +627 -0    MAP-CommonDataTypes.asn        Added
>>>  +406 -0    MAP-ER-DataTypes.asn           Added
>>>  +197 -0    MAP-GR-DataTypes.asn           Added
>>>  +2596 -0   MAP-MS-DataTypes.asn           Added
>>>  +214 -0    MAP-OM-DataTypes.asn           Added
>>>  +246 -0    MAP-SM-DataTypes.asn           Added
>>>  +186 -0    MAP-SS-Code.asn                Added
>>>  +341 -0    MAP-SS-DataTypes.asn           Added
>>>
>>>
>>>(3 files not shown)
>>>_______________________________________________
>>>Wireshark-commits mailing list
>>>Wireshark-commits@xxxxxxxxxxxxx
>>>http://www.wireshark.org/mailman/listinfo/wireshark-commits
>>>
>>>_______________________________________________
>>>Wireshark-dev mailing list
>>>Wireshark-dev@xxxxxxxxxxxxx
>>>http://www.wireshark.org/mailman/listinfo/wireshark-dev
>>>
>
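The data-source sequence Brian lists (Decrypted X, Reassembled Y, Decrypted Z, Reassembled Y, HTTP called twice) is what you get when a dissector queries a persistent reassembly table once per record in a frame and registers the completed PDU every time the query succeeds. The following is an added illustration of that mechanism, written for this page; it is a hypothetical model, not code from Wireshark's packet-ssl.c, and the thread does not establish that this is the actual root cause there. The record sizes (24 + 16 = 40 bytes), the `frame_t`, `reasm_t` and `record_t` types and the `guard` switch are all constructed for the example; `add_new_data_source` and the HTTP call counter only stand in for the Wireshark calls named in the thread.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical model, not Wireshark's packet-ssl.c: a frame carries decrypted
 * TLS records, records of a larger application PDU go through a reassembly
 * table, and every buffer handed to the upper-layer dissector is registered
 * as a "data source" of the frame (cf. add_new_data_source in the thread). */

#define MAX_SOURCES 8
#define MAX_PDU 256

typedef struct { const char *name; size_t len; } data_source_t;
typedef struct { const unsigned char *data; size_t len; } record_t;

typedef struct {
    data_source_t src[MAX_SOURCES];
    int n;
    int http_calls;      /* stands in for call_dissector(http_handle, ...) */
} frame_t;

/* Reassembly state that persists across dissection passes of the same frame. */
typedef struct {
    unsigned char buf[MAX_PDU];
    size_t have, need;   /* bytes collected / total PDU length (constructed) */
    int complete;
} reasm_t;

static void add_new_data_source(frame_t *f, const char *name, size_t len) {
    if (f->n < MAX_SOURCES) {
        f->src[f->n].name = name;
        f->src[f->n].len = len;
        f->n++;
    }
}

/* While the PDU is incomplete, append the fragment; once it is complete,
 * every later query for one of its fragments returns the whole PDU again. */
static const unsigned char *reasm_add(reasm_t *r, const record_t *rec, size_t *pdu_len) {
    if (!r->complete) {
        if (r->have + rec->len > MAX_PDU) return NULL;
        memcpy(r->buf + r->have, rec->data, rec->len);
        r->have += rec->len;
        if (r->have < r->need) return NULL;
        r->complete = 1;
    }
    *pdu_len = r->have;
    return r->buf;
}

/* guard == 0 reproduces the reported behaviour; guard == 1 registers the
 * reassembled PDU and calls the upper dissector at most once per frame. */
static void dissect_frame(frame_t *f, reasm_t *r, const record_t *recs, int nrec, int guard) {
    int emitted = 0;
    memset(f, 0, sizeof *f);
    for (int i = 0; i < nrec; i++) {
        size_t pdu_len = 0;
        const unsigned char *pdu;
        add_new_data_source(f, "Decrypted SSL data", recs[i].len);
        pdu = reasm_add(r, &recs[i], &pdu_len);
        if (pdu == NULL || (guard && emitted)) continue;
        add_new_data_source(f, "Reassembled SSL", pdu_len);
        f->http_calls++;
        emitted = 1;
    }
}

static int count_sources(const frame_t *f, const char *name) {
    int c = 0;
    for (int i = 0; i < f->n; i++) if (strcmp(f->src[i].name, name) == 0) c++;
    return c;
}

/* Constructed sample: a 40-byte PDU split over two TLS records (24 + 16). */
static const unsigned char rec_a[24] = { 0 };
static const unsigned char rec_b[16] = { 0 };
static const record_t sample[2] = { { rec_a, sizeof rec_a }, { rec_b, sizeof rec_b } };

/* Dissect the frame twice, as a Wireshark-style tool does (first pass on load,
 * second pass when the frame is displayed), and report what the second pass
 * registered: the number of "Reassembled SSL" sources and HTTP invocations. */
static int second_pass_reassembled(int guard, int *http_calls) {
    reasm_t r = { { 0 }, 0, 40, 0 };
    frame_t f;
    dissect_frame(&f, &r, sample, 2, guard);
    dissect_frame(&f, &r, sample, 2, guard);
    if (http_calls) *http_calls = f.http_calls;
    return count_sources(&f, "Reassembled SSL");
}

int main(void) {
    for (int guard = 0; guard < 2; guard++) {
        int http = 0;
        int n = second_pass_reassembled(guard, &http);
        printf("%s: %d \"Reassembled SSL\" source(s), HTTP dissector called %d time(s)\n",
               guard ? "guarded  " : "unguarded", n, http);
    }
    return 0;
}
```

On the first pass the unguarded loop behaves correctly (the PDU completes on the second record and is emitted once); the duplication only appears on the redisplay pass, when the table already holds the completed PDU and answers for both records. That is why a breakpoint on the single `add_new_data_source("Reassembled SSL")` line fires once per pass yet the frame ends up with two identical sources, which matches the symptom Brian describes. The per-frame `emitted` guard is the simplest cure in this model; a real dissector would instead key the check on the frame in which reassembly completed.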