This is our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

Just looking to see if there are already some implemented dissectors for protocols that run on top of SSL protocol. I know HTTP is one but I'm looking for other examples. It doesn't really matter if these dissectors are standards dissectors or plugins in Wireshark.

Thanks! Flora

asked 18 Nov '14, 08:12

flora


Dissectors don't even know they're running on top of SSL; the SSL dissector uses the info in the ssl keys table to create an "association" that determines what dissector to call, looks up that dissector by name and then calls the dissector when traffic is found for that association.


answered 18 Nov '14, 08:46

grahamb ♦

Based on my understanding, in such a case, dissectors should include ssl_dissector_add(), which then adds the association if it does not exist. This is done in proto_reg_handoff_xxx() instead of, for example, creating the dissector handle and then adding it by using dissector_add_uint().

I also have a question that is related to the handoff routine. Why do some dissectors include these two handles: data_handle = find_dissector("data"); http_handle = find_dissector("http"); while others don't? How could this be used by a dissector that runs on top of SSL?

Thank you so much for your quick, helpful responses as usual. Flora

(18 Nov '14, 10:07) flora

I think that dissectors call ssl_dissector_add() for two main reasons:

  • The protocol normally runs over SSL when used on certain ports, e.g. https and port 443.
  • The protocol has a "start TLS" functionality where an unsecured connection can be converted to a secure one, e.g. ldap
(19 Nov '14, 02:23) grahamb ♦

As usual, Grahamb. If not an answer for my question, then a hint that helps to correct what I misunderstood about Wireshark. Thank you so much! flora

(02 Dec '14, 20:57) flora
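
Added example, not part of the original thread and not Wireshark source code: a self-contained C toy model of the lookup described in grahamb's answer (port association, dissector found by name, then called on the plaintext). Every identifier, the port 636 entry and the sample bytes are constructed for illustration, and decryption is skipped.

```c
#include <stdio.h>
#include <string.h>

/* Toy model only: none of these names are Wireshark APIs. */
typedef int (*dissect_fn)(const unsigned char *buf, size_t len);
struct dissector   { const char *name; dissect_fn fn; };
struct association { unsigned port; const char *proto; };

/* Application dissectors see plaintext only; they never touch the SSL layer. */
static int dissect_http(const unsigned char *b, size_t n) { return n >= 4 && memcmp(b, "GET ", 4) == 0; }
static int dissect_ldap(const unsigned char *b, size_t n) { return n >= 1 && b[0] == 0x30; } /* BER SEQUENCE */

static const struct dissector registry[] = { {"http", dissect_http}, {"ldap", dissect_ldap} };
static struct association assoc[8];
static size_t n_assoc;

/* Register "port -> protocol name". Model's choice: a repeated port keeps its first entry. */
int model_ssl_dissector_add(unsigned port, const char *proto) {
    for (size_t i = 0; i < n_assoc; i++)
        if (assoc[i].port == port) return 0;                   /* already associated */
    if (n_assoc == sizeof assoc / sizeof assoc[0]) return -1;  /* table full */
    assoc[n_assoc++] = (struct association){ port, proto };
    return 1;
}

static const struct dissector *find_by_name(const char *name) {
    for (size_t i = 0; i < sizeof registry / sizeof registry[0]; i++)
        if (strcmp(registry[i].name, name) == 0) return &registry[i];
    return NULL;
}

/* SSL layer after decryption: port -> association -> dissector by name -> call.
 * Returns the name of the dissector that was called, or NULL if none applies. */
const char *model_ssl_dispatch(unsigned port, const unsigned char *plain, size_t len) {
    for (size_t i = 0; i < n_assoc; i++) {
        if (assoc[i].port != port) continue;
        const struct dissector *d = find_by_name(assoc[i].proto);
        if (d == NULL) return NULL;            /* associated name is not registered */
        d->fn(plain, len);                     /* dissector runs unaware of SSL */
        return d->name;
    }
    return NULL;                               /* no association for this port */
}

int main(void) {
    const unsigned char req[] = "GET / HTTP/1.1\r\n";  /* constructed sample payload */
    model_ssl_dissector_add(443, "http");
    const char *who = model_ssl_dispatch(443, req, sizeof req - 1);
    printf("port 443 -> %s\n", who ? who : "(no association)");
    return 0;
}
```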