This is our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

I've written my own dissector (in Lua) to dissect USB URB packets, remove a header, and send the remaining packet data on to the ssl dissector like so:

    local ssl = Dissector.get('ssl')
    local newbuf = tvbuf:range(42, pktlen-42):tvb()
    ssl:call(newbuf, pktinfo, root)

Works all well and good ^.^ but when I add RSA keys, they seem to be associated with TCP port 0, so I cannot get them to be recognized by my packet stream, which logs them as "UDP port -1".

ssl-debug.log excerpts:

    ssl_association_remove removing TCP 0 - data handle 0x1f471b0
    Private key imported: KeyID 4c:2a:fb:42:99:02:85:8d:24:87:ff:f7:67:97:e6:6b:...
    ssl_load_key: swapping p and q parameters and recomputing u
    ssl_init IPv4 addr '0.0.0.0' (0.0.0.0) port '0' filename '/home/jonah/Workspace/mobdev/iRealD/root_private_key.pem' password(only for p12 file) ''
    ssl_init private key file /home/jonah/Workspace/mobdev/iRealD/root_private_key.pem successfully loaded.
    association_add TCP port 0 protocol data handle 0x1f471b0

    dissect_ssl enter frame #103 (first time)
      conversation = 0x7f0b999dda38, ssl_session = 0x7f0b999ddb30
      record: offset = 0, reported_length_remaining = 138
    dissect_ssl3_record: content_type 22 Handshake
    decrypt_ssl3_record: app_data len 133, ssl state 0x00
    association_find: UDP port -1 found (nil)
    packet_from_server: is from server - FALSE
    decrypt_ssl3_record: using client decoder
    decrypt_ssl3_record: no decoder available
    dissect_ssl3_handshake iteration 1 type 1 offset 5 length 129 bytes, remaining 138
    packet_from_server: is from server - FALSE
    ssl_find_private_key server 7.4:4
    ssl_find_private_key can't find private key for this server! Try it again with universal port 0
    ssl_find_private_key can't find private key for this server (universal port)! Try it again with universal address 0.0.0.0
    ssl_find_private_key can't find any private key!
    dissect_ssl3_hnd_hello_common found CLIENT RANDOM -> state 0x01

    dissect_ssl enter frame #105 (first time)
      conversation = 0x7f0b999ddf10, ssl_session = 0x7f0b999ddfb0
      record: offset = 0, reported_length_remaining = 79
    dissect_ssl3_record found version 0x0300 -> state 0x10
    dissect_ssl3_record: content_type 22 Handshake
    decrypt_ssl3_record: app_data len 74, ssl state 0x10
    association_find: UDP port 5 found (nil)
    packet_from_server: is from server - FALSE
    decrypt_ssl3_record: using client decoder
    decrypt_ssl3_record: no decoder available
    dissect_ssl3_handshake iteration 1 type 2 offset 5 length 70 bytes, remaining 79
    dissect_ssl3_hnd_hello_common found SERVER RANDOM -> state 0x12
    dissect_ssl3_hnd_srv_hello found CIPHER 0x0035 -> state 0x16
    dissect_ssl3_hnd_srv_hello trying to generate keys
    ssl_generate_keyring_material not enough data to generate key (0x16 required 0x37 or 0x57)
    dissect_ssl3_hnd_srv_hello can't generate keyring material

    dissect_ssl enter frame #106 (first time)
      conversation = 0x7f0b999ddf10, ssl_session = 0x7f0b999ddfb0
      record: offset = 0, reported_length_remaining = 608
    dissect_ssl3_record: content_type 22 Handshake
    decrypt_ssl3_record: app_data len 580, ssl state 0x16
    association_find: UDP port 5 found (nil)
    packet_from_server: is from server - FALSE
    decrypt_ssl3_record: using client decoder
    decrypt_ssl3_record: no decoder available
    dissect_ssl3_handshake iteration 1 type 11 offset 5 length 576 bytes, remaining 585
      record: offset = 585, reported_length_remaining = 23
    dissect_ssl3_record: content_type 22 Handshake
    decrypt_ssl3_record: app_data len 9, ssl state 0x16
    association_find: UDP port 5 found (nil)
    packet_from_server: is from server - FALSE
    decrypt_ssl3_record: using client decoder
    decrypt_ssl3_record: no decoder available
    dissect_ssl3_handshake iteration 1 type 13 offset 590 length 5 bytes, remaining 599
      record: offset = 599, reported_length_remaining = 9
    dissect_ssl3_record: content_type 22 Handshake
    decrypt_ssl3_record: app_data len 4, ssl state 0x16
    association_find: UDP port 5 found (nil)
    packet_from_server: is from server - FALSE
    decrypt_ssl3_record: using client decoder
    decrypt_ssl3_record: no decoder available
    dissect_ssl3_handshake iteration 1 type 14 offset 604 length 0 bytes, remaining 608

asked 22 Dec '14, 11:53

TinyTimZamboni


Non-satisfying answer to my own question:

RSA key-matching is done on port_type, port, and IP. port_type is hardcoded to PT_TCP whenever the SSL dissector is used and PT_UDP when the DTLS dissector is used. When I apply the DTLS dissector, it's not able to dissect my packets anymore.

From Lua, I can't seem to set port_type, so I can either rewrite my dissector in C or rebuild Wireshark with tcp = FALSE instead of hardcoded to true.


answered 22 Dec '14, 16:47

TinyTimZamboni
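
A small triage script for ssl-debug.log output like the excerpts in the question, as an added example that is not part of the original posts or of Wireshark: it collects the registered key associations and lists the per-frame lookups that missed because nothing was registered under that transport. The sample log is constructed from the line formats shown above, and the function names are illustrative.

```python
import re

# Constructed sample using the line formats from the ssl-debug.log excerpts.
SAMPLE_LOG = """\
association_add TCP port 0 protocol data handle 0x1f471b0
dissect_ssl enter frame #103 (first time)
association_find: UDP port -1 found (nil)
ssl_find_private_key server 7.4:4
ssl_find_private_key can't find any private key!
dissect_ssl enter frame #105 (first time)
association_find: UDP port 5 found (nil)
dissect_ssl enter frame #106 (first time)
association_find: UDP port 5 found (nil)
association_find: UDP port 5 found (nil)
"""

FRAME_RE = re.compile(r"^dissect_ssl enter frame #(\d+)")
ADD_RE = re.compile(r"^association_add (TCP|UDP) port (-?\d+)")
FIND_RE = re.compile(r"^association_find: (TCP|UDP) port (-?\d+) found (\S+)")
NO_KEY = "ssl_find_private_key can't find any private key"

def parse(log_text):
    """Return (registered associations, lookups, frames with no key found)."""
    registered, lookups, key_failures = set(), [], []
    frame = None  # frame number the current lines belong to
    for raw in log_text.splitlines():
        line = raw.strip()
        if m := FRAME_RE.match(line):
            frame = int(m.group(1))
        elif m := ADD_RE.match(line):
            registered.add((m.group(1), int(m.group(2))))
        elif m := FIND_RE.match(line):
            hit = m.group(3) != "(nil)"
            lookups.append((frame, m.group(1), int(m.group(2)), hit))
        elif line.startswith(NO_KEY):
            key_failures.append(frame)
    return registered, lookups, key_failures

def transport_mismatches(registered, lookups):
    """Missed lookups whose transport has no registered association at all."""
    transports = {t for t, _ in registered}
    out = []
    for frame, transport, port, hit in lookups:
        entry = (frame, transport, port)
        if not hit and transport not in transports and entry not in out:
            out.append(entry)  # one entry per frame/transport/port
    return out

if __name__ == "__main__":
    reg, looks, failures = parse(SAMPLE_LOG)
    print("registered:", sorted(reg))
    print("mismatched lookups:", transport_mismatches(reg, looks))
    print("frames with no private key:", failures)
```
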
