
Wireshark-dev: [Wireshark-dev] Lua dissector calling sub dissectors seems to break ssl data re

From: Jeremy Mary <J.Mary@xxxxxx>
Date: Wed, 5 Apr 2017 09:46:05 +0000

Hi,


I am attempting to write a Lua dissector for an SSLVPN protocol tunneling PPP within an SSL connection with some vendor-specific framing.

The dissector works just fine when I call the 'data' subdissector on those PPP frames.

However, as soon as I call the PPP subdissectors, some frames are not decoded, framing boundaries become incorrect and decoding fails.

Would you say that I am running into bug 2345 (https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=2345)?

Am I doing something wrong on my dissector?


I have also tried to remove PPP from the equation by calling the IP dissector directly, but the same behavior can be observed.


Thanks for your help.


Regards,

Jeremy


Example of a failing packet (failures before that packet are legitimate failures - the SSL tunnel starts with HTTP before switching to PPP):

==========================


SSLTunnel preference "Dissect SSLTunnel frames as PPP" turned ON:


Frame 780: 5981 bytes on wire (47848 bits), 5981 bytes captured (47848 bits)

Ethernet II, Src: Vmware_86:1b:a3 (00:50:56:86:1b:a3), Dst: BrocadeC_9d:97:00 (00:0c:db:9d:97:00)

802.1Q Virtual LAN, PRI: 0, CFI: 0, ID: 4093

Internet Protocol Version 4, Src: 172.24.102.61, Dst: 192.168.164.133

Transmission Control Protocol, Src Port: 443, Dst Port: 60614, Seq: 119668, Ack: 41980, Len: 5810

Secure Sockets Layer

    TLSv1.2 Record Layer: Application Data Protocol: http-over-tls

    TLSv1.2 Record Layer: Application Data Protocol: Application Data

    TLSv1.2 Record Layer: Application Data Protocol: Application Data

SSLTunnel Frame

Point-to-Point Protocol

Internet Protocol Version 4, Src: 10.0.20.60, Dst: 10.5.5.3

Transmission Control Protocol, Src Port: 80, Dst Port: 47730, Seq: 98979, Ack: 1486, Len: 1332

[SSLTunnel Frame]

    Invalid frame delimiter

Data (1389 bytes)

[SSLTunnel Frame]

    Invalid frame delimiter

Data (1389 bytes)


SSLTunnel preference "Dissect SSLTunnel frames as PPP" turned OFF:


Frame 780: 5981 bytes on wire (47848 bits), 5981 bytes captured (47848 bits)

Ethernet II, Src: Vmware_86:1b:a3 (00:50:56:86:1b:a3), Dst: BrocadeC_9d:97:00 (00:0c:db:9d:97:00)

802.1Q Virtual LAN, PRI: 0, CFI: 0, ID: 4093

Internet Protocol Version 4, Src: 172.24.102.61, Dst: 192.168.164.133

Transmission Control Protocol, Src Port: 443, Dst Port: 60614, Seq: 119668, Ack: 41980, Len: 5810

[2 Reassembled TCP Segments (2807 bytes): #775(1402), #780(1405)]

Secure Sockets Layer

    TLSv1.2 Record Layer: Application Data Protocol: http-over-tls

SSLTunnel Frame

    Frame delimiter: 0xf500

    Size: 1385

Data (1385 bytes)

SSLTunnel Frame

    Frame delimiter: 0xf500

    Size: 1385

Data (1385 bytes)

Secure Sockets Layer

    TLSv1.2 Record Layer: Application Data Protocol: http-over-tls

    TLSv1.2 Record Layer: Application Data Protocol: http-over-tls

    TLSv1.2 Record Layer: Application Data Protocol: http-over-tls

SSLTunnel Frame

    Frame delimiter: 0xf500

    Size: 1385

Data (1385 bytes)

SSLTunnel Frame

    Frame delimiter: 0xf500

    Size: 1385

Data (1385 bytes)

SSLTunnel Frame

    Frame delimiter: 0xf500

    Size: 1385

Data (1385 bytes)


==========================

Capture file:

https://file.town/download/rvkoz3z9o7zb1854ktwpqb5dx


PMS for SSL decoding:

RSA Session-ID:a3a6ccc9863a507daa0e02700f2219a5ecbe4186d0c2fd52120f7e981ff2a9f4 Master-Key:6abea65f2d1f8b15f96fea2dd6fe14cd45118061ee15077afb7328b2b9cc2ee5b6fd167fd823f949d0d931b2e92e9fc3


Lua dissector:

https://pastebin.com/eMEWLUG9

==========================


Wireshark build:

==========================

Wireshark 2.2.4 (v2.2.4-0-gcc3dc1b)


Copyright 1998-2017 Gerald Combs <gerald@xxxxxxxxxxxxx> and contributors.

License GPLv2+: GNU GPL version 2 or later <http://www.gnu.org/licenses/old-licenses/gpl-2.0.html>

This is free software; see the source for copying conditions. There is NO

warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.


Compiled (64-bit) with Qt 5.3.2, with libpcap, without POSIX capabilities, with

GLib 2.36.0, with zlib 1.2.5, with SMI 0.4.8, with c-ares 1.12.0, with Lua

5.2.4, with GnuTLS 2.12.19, with Gcrypt 1.5.0, with MIT Kerberos, with GeoIP,

with QtMultimedia, without AirPcap.


Running on Mac OS X 10.11.6, build 15G1421 (Darwin 15.6.0), with locale

en_GB.UTF-8, with libpcap version 1.5.3 - Apple version 54, with GnuTLS 2.12.19,

with Gcrypt 1.5.0, with zlib 1.2.5.

Intel(R) Core(TM) i7-4960HQ CPU @ 2.60GHz (with SSE4.2)


Built using llvm-gcc 4.2.1 (Based on Apple Inc. build 5658) (LLVM build

2336.9.00).

==========================
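Added example, not the dissector from the pastebin link above and not Wireshark project code: a minimal Lua dissector in the shape the post describes, for a tunnel whose frames are delimited by 0xf500 followed by a size, carried as TLS application data on port 443. The delimiter value and the "Size" field come from the posted output; the exact 4-byte header layout (2-byte delimiter, 2-byte size), the absence of any trailer, and the port are assumptions. Frames can straddle TLS records, so the dissector asks the SSL layer for reassembly through pinfo.desegment_offset/desegment_len. Around the PPP sub-dissector call it saves and restores those two pinfo fields, which is one check worth trying when a sub-dissector changes framing, since inner dissectors (PPP, IP, the tunnelled TCP) write to the same pinfo; whether that is what the posted capture actually hits is not established by the post.

```lua
-- Example SSLTunnel dissector (added here; not the posted pastebin code).
-- Assumed header: 2-byte delimiter 0xf500, 2-byte payload size, then payload.
local ssltunnel = Proto("ssltunnel_example", "SSLTunnel (example)")

local f_delim = ProtoField.uint16("ssltunnel_example.delim", "Frame delimiter", base.HEX)
local f_size  = ProtoField.uint16("ssltunnel_example.size",  "Size", base.DEC)
ssltunnel.fields = { f_delim, f_size }

-- Same preference the post mentions: PPP or plain 'data' for the payload.
ssltunnel.prefs.as_ppp = Pref.bool("Dissect SSLTunnel frames as PPP", true,
    "Hand each frame payload to the PPP dissector instead of 'data'")

local FRAME_DELIM = 0xf500   -- value seen in the posted output
local HDR_LEN     = 4        -- assumption: delimiter (2) + size (2)

local ppp_dissector  = Dissector.get("ppp")
local data_dissector = Dissector.get("data")

function ssltunnel.dissector(tvb, pinfo, tree)
    pinfo.cols.protocol = ssltunnel.name
    local len    = tvb:len()
    local offset = 0

    while offset < len do
        -- Not even a full header in this TLS record: ask for more bytes,
        -- starting again at this frame's first byte.
        if len - offset < HDR_LEN then
            pinfo.desegment_offset = offset
            pinfo.desegment_len    = DESEGMENT_ONE_MORE_SEGMENT
            return
        end

        local delim   = tvb(offset, 2):uint()
        local size    = tvb(offset + 2, 2):uint()
        local subtree = tree:add(ssltunnel, tvb(offset, HDR_LEN), "SSLTunnel Frame")

        if delim ~= FRAME_DELIM then
            -- Mirrors the "Invalid frame delimiter" branch in the posted output:
            -- flag it and hand the rest of the record to 'data'.
            subtree:add_expert_info(PI_MALFORMED, PI_ERROR, "Invalid frame delimiter")
            data_dissector:call(tvb(offset):tvb(), pinfo, tree)
            return
        end
        subtree:add(f_delim, tvb(offset, 2))
        subtree:add(f_size,  tvb(offset + 2, 2))

        -- Payload continues in a later TLS record: request exactly the
        -- missing byte count so the SSL layer reassembles one whole frame.
        local missing = (offset + HDR_LEN + size) - len
        if missing > 0 then
            pinfo.desegment_offset = offset
            pinfo.desegment_len    = missing
            return
        end

        local payload = tvb(offset + HDR_LEN, size):tvb()
        if ssltunnel.prefs.as_ppp then
            -- Assumption under test: PPP/IP/TCP below us may set their own
            -- desegmentation request in pinfo; keep it from being read as ours.
            local saved_len, saved_off = pinfo.desegment_len, pinfo.desegment_offset
            ppp_dissector:call(payload, pinfo, tree)
            pinfo.desegment_len, pinfo.desegment_offset = saved_len, saved_off
        else
            data_dissector:call(payload, pinfo, tree)
        end

        offset = offset + HDR_LEN + size
    end
end

-- Register as the application-data dissector for TLS on port 443
-- (the table is named "ssl.port" in Wireshark 2.2).
DissectorTable.get("ssl.port"):add(443, ssltunnel)
```

To try it against the posted capture, load the script from the plugins directory (or with -X lua_script:), keep the RSA Session-ID/Master-Key line above in the SSL key file, and compare frame 780 with the preference on and off; if the save/restore makes no difference, the next thing to compare is what pinfo.src/dst and the TCP analysis of the tunnelled stream look like after the PPP call, since those are also shared state.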