Wireshark-dev: Re: [Wireshark-dev] Decrypting SSL in dissector

From: Rob Napier <robnapier@xxxxxxxxx>
Date: Thu, 9 Jan 2014 08:18:02 -0500
A little more followup on this one because I'm seeing some even odder behaviors in wireshark than in tshark.

I load my plugin for my new protocol "amp" that relies on SSL (as described below). I then go to the SSL preferences to add a decrypt key:

IP address: <server>
Port: 52230
Protocol: amp
Key File: <file>
Password: <none>

This returns the following error:

error in column 'Protocol': Could not find dissector for: 'amp'
Valid dissectors are:
'http' TCP 443
'smtp' TCP 465
'ldap' TCP 636
'imap' TCP 993
'pop' TCP 995
'q931.tpkt' TCP 1300
'skinny' TCP 2443
'sip.tcp' TCP 5061
'amp' TCP 52230

Note that 'amp' is in the list of known protocols, but it still says it can't find the dissector. If I enter "http" as the protocol, it goes forward fine. I notice that XMPP is not among the listed protocols, but if I enter that as the protocol, it also goes forward fine.

Is there a registration call I'm missing?

-Rob


On Tue, Jan 7, 2014 at 3:23 PM, Rob Napier <robnapier@xxxxxxxxx> wrote:
Kurt Knochner helpfully pointed me here versus my original ask.wireshark.org question.

I'm writing a new dissector for a protocol that can include SSL traffic. It is somewhat similar to LDAP in that it can start a session unencrypted and switch to SSL on the same port when a certain message is received, so I've based my code on packet-ldap. I've also referred to packet-pop, packet-http, and packet-xmpp, which all have various forms of this code.

At the appropriate points, my code is successfully getting to:

call_dissector(ssl_handle, tvb, pinfo, tree);

But in the output of tshark, I don't see any decrypted data:

tshark -o "ssl.desegment_ssl_records: TRUE" -o "ssl.desegment_ssl_application_data: TRUE" -o "ssl.keys_list: 172.16.244.160,52230,amp,cacert.key" -r ../tests/AMP-connect-SSL-trimmed.pcap -x

All this prints is the encrypted data.

If I switch the protocol to ldap, http or xmpp, then I get SSL decryption:

tshark -o "ssl.desegment_ssl_records: TRUE" -o "ssl.desegment_ssl_application_data: TRUE" -o "ssl.keys_list: 172.16.244.160,52230,ldap,cacert.key" -r ../tests/AMP-connect-SSL-trimmed.pcap -x

Frame (140 bytes):
0000  00 0c 29 22 80 34 00 50 56 c0 00 08 08 00 45 00   ..)".4.PV.....E.
0010  00 7e 31 1a 40 00 40 06 c8 9c ac 10 f4 01 ac 10   .~1.@.@.........
0020  f4 a0 f0 e6 cc 06 5d df 0c 2f b2 cc ff fa 80 18   ......]../......
0030  20 00 39 1d 00 00 01 01 08 0a 34 15 f0 11 09 a1    .9.......4.....
0040  28 8f 17 03 00 00 20 ad d1 99 13 3a 22 ec 45 b9   (..... ....:".E.
0050  b1 ec 0e 1f 52 e7 84 d8 b9 27 9a 72 60 66 17 f2   ....R....'.r`f..
0060  95 2a 82 8e 5a 3b 39 17 03 00 00 20 3c fc 1e d2   .*..Z;9.... <...
0070  b2 de 70 01 9b a7 00 b1 e9 3f 06 87 1d 5a 51 67   ..p......?...ZQg
0080  51 9d 2e 59 0b b1 35 a0 a2 de 37 a6               Q..Y..5...7.
Decrypted SSL data (9 bytes):
0000  00 00 00 01 01 00 00 00 02                        .........

My code is almost identical to the ldap code. I've tried basing my code on the http, pop, xmpp code (which are all a little different), to no effect. I also tried going back to the dissector_t interface rather than new_dissector_t, but that didn't change anything.

    if (amp_info &&
            amp_info->start_tls_frame &&
            ( pinfo->fd->num >= amp_info->start_tls_frame))
    {
        guint32 old_start_tls_frame;

        dissector_delete_uint("tcp.port", AMP_PORT, amp_handle);
        ssl_dissector_add(AMP_PORT, "amp", TRUE);

        old_start_tls_frame = amp_info->start_tls_frame;
        amp_info->start_tls_frame = 0; /* make sure we don't call SSL again */
        pinfo->can_desegment++; /* ignore this layer so SSL can use the TCP resegment */

        int dissected_length = call_dissector(ssl_handle, tvb, pinfo, tree);

        amp_info->start_tls_frame = old_start_tls_frame;
        ssl_dissector_delete(AMP_PORT, "amp", TRUE);

        /* restore AMP as the dissector for this port */
        dissector_add_uint("tcp.port", AMP_PORT, amp_handle);

        /* we are done */
        return dissected_length;
    }

I'm not certain where next to troubleshoot. Is there something else dissectors need to do in order to use SSL? I'm not getting warnings or errors.

-Rob