Wireshark-dev: Re: [Wireshark-dev] Listener (Tap) in Lua to write SSL cert bytes
From: Evan Huus <[email protected]>
Date: Fri, 24 May 2013 12:47:13 -0400
On Fri, May 24, 2013 at 12:08 PM, Rion Carter <[email protected]> wrote:
When I look at the capture in the UI I see this:

Secure Sockets Layer
-TLSv1 Record Layer: Handshake Protocol: Certificate
--Content Type: Handshake (22)
--Version: TLS 1.0 (0x0301)
--Length: 1295
--Handshake Protocol: Certificate
----Handshake Type: Certificate (11)
----Length: 1291
----Certificates Length: 1288
----Certificates (1288 bytes) 
------Certificate Length: 1285
------Certificate (...)

It is the 'Certificate' field that contains what I need. When I try Field.New("certificate") in my Lua script I get a message of "A field with this name must exist".

If you select the field then look in the status-bar at the bottom that will give you the field name (looks like ssl.handshake.certificate was right the first time).

It sounds like you don't want the value of the field, but the raw packet bytes that the field was extracted from. I'm not sure how to do that in Lua, hopefully somebody else will.