Wireshark · Wireshark-dev: Re: [Wireshark-dev] Decrypting SSL in dissector

Wireshark-dev: Re: [Wireshark-dev] Decrypting SSL in dissector

From: Rob Napier <robnapier@xxxxxxxxx>

Date: Thu, 9 Jan 2014 11:55:32 -0500

That was exactly it. Thank you!

I'm now seeing a much less critical issue:

The amp protocol starts off unencrypted, and then switches to SSL after some negotiation. When I first start wireshark (without providing a decryption key), I see the two AMP negotiation packets, and then SSLv3 packets. When I add the decryption key, the initial two handshake packets get re-decoded as "SSL Continuation Data" and I lose the unencrypted handshake information. The encrypted traffic then dissects correctly.

Is this expected? Is it possible to view both the encrypted and unencrypted portions of the protocol on the same port?

-Rob

On Thu, Jan 9, 2014 at 11:38 AM, Dirk Jagdmann <doj@xxxxxxxxx> wrote:

do you have a new_register_dissector("amp", ...) in the proto_register_amp()
function? Otherwise the SSL dissector can not match the "amp" string to a
dissector handle/function.

Follow-Ups:
- Re: [Wireshark-dev] Decrypting SSL in dissector
  - From: Jeff Morriss

References:
- [Wireshark-dev] Decrypting SSL in dissector
  - From: Rob Napier
- Re: [Wireshark-dev] Decrypting SSL in dissector
  - From: Rob Napier
- Re: [Wireshark-dev] Decrypting SSL in dissector
  - From: Dirk Jagdmann

Prev by Date: Re: [Wireshark-dev] Decrypting SSL in dissector
Next by Date: Re: [Wireshark-dev] Expert item for TCP RST flag
Previous by thread: Re: [Wireshark-dev] Decrypting SSL in dissector
Next by thread: Re: [Wireshark-dev] Decrypting SSL in dissector
Index(es):
- Date
- Thread