Huge thanks to our Platinum Members Endace and LiveAction,
and our Silver Member Veeam, for supporting the Wireshark Foundation and project.

Wireshark-dev: Re: [Wireshark-dev] Dissector for decryted content

From: Jeff Morriss <jeff.morriss.ws@xxxxxxxxx>
Date: Fri, 23 Feb 2018 11:58:00 -0500


On Wed, Feb 21, 2018 at 11:07 AM, Jose Selvi <jselvi@xxxxxxxxxxxx> wrote:
Hi there,

It's my first time developing a dissector, so apologize in advance if my
question is too obvious for you guys.

I'm trying to code a dissector (I'm using LUA) for a quick test. It
should match a piece of traffic inside a ESP tunnel. I have seen that
other dissectors are working inside the decrypted content, but not mine.

Browsing forums, I found this:

https://osqa-ask.wireshark.org/questions/58217/how-do-i-dissect-decrypted-ssl-data-when-im-using-a-master-secret-log

However, I can't find similar options for ESP, so I guess it only works
for SSL.

Actually I think the same principle applies for IPSEC/ESP traffic: I think you'd need to register your dissector in the `ip.proto` dissector table.