Wireshark dissector that works with tls/ssl
I have a protocol that uses SSL/TLS over a non-standard port and transmits non-standard data (not HTTP) through it. I'm trying to make a Wireshark dissector (in Lua) to dissect this protocol.

How do I do this? I can register a dissector that gets called for TCP fragments on that port:

local myprotocol = Proto("myprotocol", "My Protocol")  -- Proto object whose .dissector is defined below
local dissector_table_tcp = DissectorTable.get("tcp.port")
dissector_table_tcp:add(1234, myprotocol)

I can get the SSL dissector to then decode all the fragments as SSL:

function myprotocol.dissector(tvb, pinfo, root)

    -- hand the whole TCP payload to the SSL dissector (registered as "tls" in Wireshark 3.0 and later)
    local ssl_dissector = Dissector.get("ssl")
    local ssl_dissected_len = ssl_dissector:call(tvb, pinfo, root)
    pinfo.cols.protocol:set("My Protocol")

end

At this point, if I have a premaster key file set in Wireshark (Preferences->Protocols->SSL->Master key file), I can see the decrypted contents of the packets and all is good. Sort of.

But I want to create fields for my protocol and put them in the protocol tree. How do I get at the decrypted data that the ssl dissector produced?

Update:

I'm trying to muddle through this as best as I can; there's no tutorial on how exactly you're supposed to do this. It sort of looks like Wireshark has a programming model based on fields/variables that are populated by dissectors, and that in theory it should be possible to interrogate those variables to find the output of a dissector.

To that end, I've been running the SSL dissector and then looking at fields that it declares, but it doesn't actually seem to populate them. When I run a post-dissector after the SSL dissector, none of the seemingly-useful fields, like ssl.segments or ssl.segment.data, are set:

local protocol_foo = Proto("foo", "Foo protocol")
local port = 4172

-- field extractors for the SSL dissector's reassembly/decryption fields
-- (in Wireshark 3.0 and later these are named tls.segment, tls.segments, ...)
local g_field_segment = Field.new("ssl.segment")
local g_field_segment_data = Field.new("ssl.segment.data")
local g_field_segments = Field.new("ssl.segments")
local g_field_reassembled_data = Field.new("ssl.reassembled.data")

function protocol_foo.dissector(tvb, pinfo, root)

    print("====== protocol_foo")

    -- calling a Field extractor returns a FieldInfo if the field was added to the
    -- tree for this packet, otherwise nil
    for _, v in ipairs({ g_field_segment, g_field_segment_data, g_field_segments, g_field_reassembled_data }) do
        if v() ~= nil then
            print("Field " .. v.name .. " is NOT nil")
        else
            print("Field " .. v.name .. " is nil")
        end
    end

end

-- post-dissector registration: port 4172 is decoded as SSL, and protocol_foo runs
-- after all other dissectors have finished
local ssl_dissector = Dissector.get("ssl")
local dissector_table_tcp = DissectorTable.get("tcp.port")
dissector_table_tcp:add(port, ssl_dissector)
register_postdissector(protocol_foo)

When I run this code on my protocol, none of those ssl.segment* variables test positive; lots of variables (like the ssl.handshake.* ones) do test positive (at least with handshake PDUs), but not the ones with the decrypted contents.

Does anyone have any ideas?

Bib answered 14/12, 2016 at 0:36
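The following is an added example, not code from the post above. It shows the registration pattern that Wireshark itself uses for protocols carried inside TLS: instead of calling the SSL/TLS dissector from your own dissector and trying to read its fields back, you register the TCP port with the TLS dissector and register your protocol in the TLS dissector's own port table ("tls.port", or "ssl.port" before Wireshark 3.0). The TLS dissector then decrypts the records (a (Pre)-Master-Secret log file still has to be configured in the TLS preferences) and calls your dissector with a Tvb that contains the decrypted application data. Port 4172 is taken from the post; the record layout (a 2-byte big-endian length followed by that many payload bytes), the protocol name "myproto" and its field names are assumptions made up for the example.

```lua
-- Added example: a Lua dissector for a protocol carried inside TLS.
-- Hypothetical record format: 2-byte big-endian length, then `length` bytes of payload.
local myproto = Proto("myproto", "My Protocol (inside TLS)")

local f_len     = ProtoField.uint16("myproto.len",     "Record length", base.DEC)
local f_payload = ProtoField.bytes ("myproto.payload", "Payload")
myproto.fields = { f_len, f_payload }

local APP_PORT = 4172  -- port from the post

-- Wireshark 3.0 renamed the dissector and its tables from "ssl" to "tls";
-- probe both names so the script loads on either generation.
local function first_available(lookup, names)
    for _, name in ipairs(names) do
        local ok, obj = pcall(lookup, name)
        if ok and obj then
            return obj, name
        end
    end
    error("none of these names is registered: " .. table.concat(names, ", "))
end

local tls_dissector  = first_available(Dissector.get,      { "tls", "ssl" })
local tls_port_table = first_available(DissectorTable.get, { "tls.port", "ssl.port" })
local tcp_port_table = DissectorTable.get("tcp.port")

-- Called by the TLS dissector; `tvb` holds *decrypted* application data only.
function myproto.dissector(tvb, pinfo, tree)
    pinfo.cols.protocol = "MYPROTO"
    local root = tree:add(myproto, tvb(), "My Protocol")

    local offset = 0
    local total  = tvb:len()
    while offset < total do
        -- Need the 2-byte header before the record size is known.
        if total - offset < 2 then
            pinfo.desegment_offset = offset
            pinfo.desegment_len    = DESEGMENT_ONE_MORE_SEGMENT
            return
        end
        local rec_len = tvb(offset, 2):uint()
        -- Record continues in the next TLS record: ask the TLS dissector to
        -- reassemble (its "Reassemble TLS Application Data spanning multiple
        -- TLS records" preference must be enabled, which is the default).
        if total - offset < 2 + rec_len then
            pinfo.desegment_offset = offset
            pinfo.desegment_len    = (2 + rec_len) - (total - offset)
            return
        end
        local rec = root:add(myproto, tvb(offset, 2 + rec_len), "Record")
        rec:add(f_len,     tvb(offset, 2))
        rec:add(f_payload, tvb(offset + 2, rec_len))
        offset = offset + 2 + rec_len
    end
    return total
end

-- Two registrations: TCP port -> TLS dissector, and TLS port -> our dissector.
-- The first makes Wireshark decode the stream as TLS; the second tells the TLS
-- dissector which protocol to call with the decrypted payload on that port.
tcp_port_table:add(APP_PORT, tls_dissector)
tls_port_table:add(APP_PORT, myproto)
```

Because the TLS dissector owns reassembly and decryption, the Tvb handed to `myproto.dissector` is plain application data, so `myproto.len` and `myproto.payload` can be filtered on directly; the `ssl.segment*` / `tls.segment*` fields never need to be read back. Setting `pinfo.desegment_len` is what lets a record that straddles two TLS records be reassembled before your dissector sees it again.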
