This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

Decoding SSL layer in EAP-TTLS

Hi, sorry if this has been clarified before, but I've had a quick search through the mailing lists and nothing jumps out at me.

I am trying to decode EAP-TTLS. Wireshark works out of the box up as far as the TLS layer. That is, I can see the following:

  1. Radius over UDP, or EAPoL fragments
  2. EAP packets
  3. SSL Handshake over a sequence of EAP packets

After the handshake, however, the TLS cipher kicks in and I can't see what's happening. This is a "good thing" in the normal operation of the protocol. I'm trying to perform some diagnostics, however, so this is a bit of a problem.

I have the private key and all, so it should in theory be possible to decode this, but I guess it's just a case of making a few modifications.

I'd be interested in taking a look at adding this feature. It seems this is a solved problem for many other protocols (HTTPS, LDAP) so how hard could it be?

It seems as though I can see it attempt to decode the TLS layer for the first EAP frame, but then it gives up for the remainder of the session, so all that needs to be done is to correlate the remaining frames. Easy!

I'll have a look now at the code and see if it makes any sense. If anybody can provide any guidance I would be very grateful.

Thanks, Rob

asked 21 Oct '14, 11:04

robert_

Very well. Have a look at packet-eap.c and packet-ssl[-utils].c which handle this case. At least that's what the code suggests. Sounds as if it's not working right?

(22 Oct '14, 01:41) Jaap ♦