Wireshark · Wireshark-dev: Re: [Wireshark-dev] packet-hislip & tls

[Jaap Keuter <jaap.keuter@xxxxxxxxx>]

Hi Guido,

I’m not sure we have another protocol which supports switching back to plain text after going TLS. Therefore I’m not sure if there is intrinsic support for it. 

My first instinct would be to setup a new conversation, starting the frame after ‘close notify’, with the HiSLIP dissector assigned to it. I’m not sure how that would interact with the existing HiSLIP over TLS conversation though, so YMMV.

Hopefully someone else has a better idea.

Thanks,

Jaap

On 29 Jan 2020, at 23:05, Guido Kiener <Guido.Kiener@xxxxxxxxxxxxxxxxx> wrote:

Hi all,

Our working group defines the HiSLIP 2.0 protocol over TLS. I could extend the new messages (e.g. like STARTTLS) and pass over the encrypted data with ssl_starttls_ack(tls_handle, pinfo, hislip_handle);

For performance/debug reason we also have a requirement to switch back the TLS connection (sockets) to plain text (e.g. when sensitive data is already exchanged). This is done with the ‘close notify’ alerts. I can see the plain text within the TLS dissector marked as ‘Continuation Data’, but I would like to see the packets again with the hislip dissector.

Question: Can you please give me a hint how I can fall back to the hislip dissector? Is there another dissector (code) where I can copy the logic?

-Guido