This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

Examples of Wireshark dissectors run on top of SSL


Just looking to see if there are already some implemented dissectors for protocols that run on top of the SSL protocol. I know HTTP is one, but I'm looking for other examples. It doesn't really matter whether these dissectors are standard dissectors or plugins in Wireshark.

Thanks! Flora

asked 18 Nov '14, 08:12

flora


One Answer:


Dissectors don't even know they're running on top of SSL. The SSL dissector uses the info in the SSL keys table to create an "association" that determines which dissector to call, looks up that dissector by name, and then calls it when traffic is found for that association.

answered 18 Nov '14, 08:46

grahamb ♦

Based on my understanding, in this case dissectors should include ssl_dissector_add(), which then adds the association if it does not exist. This is done in proto_reg_handoff_xxx() instead of, for example, creating the dissector handle and then adding it using dissector_add_uint().

I also have a question related to the handoff routine. Why do some dissectors include these two handles: data_handle = find_dissector("data"); http_handle = find_dissector("http"); while others don't? How could this be used by a dissector that runs on top of SSL?

Thank you so much for your quick, helpful responses as usual. Flora

(18 Nov '14, 10:07) flora

I think that dissectors call ssl_dissector_add() for two main reasons:

  • The protocol normally runs over SSL when used on certain ports, e.g. https and port 443.
  • The protocol has a "start TLS" functionality where an unsecured connection can be converted to a secure one, e.g. ldap
(19 Nov '14, 02:23) grahamb ♦

As usual, Grahamb: if not an answer to my question, then a hint that helps correct what I misunderstood about Wireshark. Thank you so much! flora

(02 Dec '14, 20:57) flora
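The registration pattern discussed in the answer and comments above (a sub-dissector registered against an SSL port so that the SSL dissector hands it the decrypted application data, with the "data" dissector used for leftovers), written out as an added example that is not part of the original thread and not Wireshark's own code. It is a Lua dissector rather than the C plugin the comments describe, because it can be dropped into the plugins directory and tested without a build tree; registering in the "ssl.port" dissector table is the Lua counterpart of calling ssl_dissector_add(port, "foo", TRUE) from proto_reg_handoff_foo() in C. The protocol "foo", its 2-byte length-prefixed framing, and port 8443 are assumptions for illustration. The table name "ssl.port" is the one used by Wireshark releases of the era of this thread; it is assumed here that newer releases expose the same table under the name "tls.port", so adjust the name for your version.

```lua
-- Example only (not from the page): a hypothetical length-prefixed
-- protocol "foo" carried inside TLS on TCP port 8443 (assumed port).
-- Frame layout assumed: 2-byte big-endian payload length, then payload.
local foo_proto = Proto("foo", "Foo over SSL (example)")

local f_len     = ProtoField.uint16("foo.len", "Payload length", base.DEC)
local f_payload = ProtoField.bytes("foo.payload", "Payload")
foo_proto.fields = { f_len, f_payload }

-- Same idea as data_handle = find_dissector("data") in a C handoff routine:
-- anything we cannot account for is handed to the generic "data" dissector
-- instead of being silently dropped or mis-parsed.
local data_dissector = Dissector.get("data")

-- tvb here is already the DECRYPTED application data: the SSL dissector
-- strips the record layer before calling us, so this code never sees
-- ciphertext and does not need to know it is running over SSL.
function foo_proto.dissector(tvb, pinfo, tree)
    local total = tvb:len()
    if total < 2 then
        -- Too short to hold even the length field: not ours, give it to "data".
        data_dissector:call(tvb, pinfo, tree)
        return total
    end

    pinfo.cols.protocol = "FOO"
    local subtree = tree:add(foo_proto, tvb(0, total), "Foo Protocol")

    local plen = tvb(0, 2):uint()
    subtree:add(f_len, tvb(0, 2))

    if plen > total - 2 then
        -- Declared length exceeds what is present (truncated record or
        -- reassembly not done): show what we have as raw bytes.
        subtree:add_expert_info(PI_MALFORMED, PI_WARN,
            "payload length exceeds available data")
        data_dissector:call(tvb(2):tvb(), pinfo, subtree)
        return total
    end

    subtree:add(f_payload, tvb(2, plen))

    -- Trailing bytes after the declared payload go to "data" as well.
    if total > 2 + plen then
        data_dissector:call(tvb(2 + plen):tvb(), pinfo, subtree)
    end
    return total
end

-- Lua counterpart of ssl_dissector_add(8443, "foo", TRUE) in the C
-- proto_reg_handoff_foo(): tells the SSL dissector that application data
-- on TCP port 8443 should be passed to "foo" once it has been decrypted.
-- "ssl.port" is the table name of the Wireshark releases of this thread's
-- era; assumed to be "tls.port" in newer releases (an assumption).
local ssl_port_table = DissectorTable.get("ssl.port")
ssl_port_table:add(8443, foo_proto)
```

Registering the port only tells the SSL dissector which sub-dissector to call; it does not by itself produce any application data. Unless the SSL dissector can decrypt the session (an RSA private key in the SSL keys table, or a key log file, and a cipher suite that permits decryption), the callback above is never reached, which is the practical consequence of the point made in the answer that the sub-dissector is unaware of SSL entirely.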