Wireshark · Wireshark-dev: Re: [Wireshark-dev] Decrypting SSL in dissector

[Rob Napier <robnapier@xxxxxxxxx>]

So make a separate RSA key table within the amp protocol preferences? And then pass that along to SSL when the protocol goes encrypted?

I assume the same issue impacts LDAP/TLS and XMPP?

-Rob

On Fri, Jan 10, 2014 at 11:51 AM, Jeff Morriss <jeff.morriss.ws@xxxxxxxxx> wrote:

I think for that you can't enter the encryption keys in the UAT but rather your amp dissector would need to register for the SSL after the negotiation.

On 01/09/14 11:55, Rob Napier wrote:

That was exactly it. Thank you!

I'm now seeing a much less critical issue:

The amp protocol starts off unencrypted, and then switches to SSL after
some negotiation. When I first start wireshark (without providing a
decryption key), I see the two AMP negotiation packets, and then SSLv3
packets. When I add the decryption key, the initial two handshake
packets get re-decoded as "SSL Continuation Data" and I lose the
unencrypted handshake information. The encrypted traffic then dissects
correctly.

Is this expected? Is it possible to view both the encrypted and
unencrypted portions of the protocol on the same port?

-Rob


On Thu, Jan 9, 2014 at 11:38 AM, Dirk Jagdmann <doj@xxxxxxxxx

<mailto:doj@xxxxxxxxx>> wrote:

    do you have a new_register_dissector("amp", ...) in the
    proto_register_amp()
    function? Otherwise the SSL dissector can not match the "amp" string
    to a
    dissector handle/function.