I used to decrypt HTTPS sessions by providing the "Client Random" and "Master Secret" to Wireshark.
Recently, I needed to decrypt an SSL session that was created over USB communication. The USB header is parsed by Wireshark,
but some bytes and the SSL header are not parsed by Wireshark; it just shows me the payload as "Leftover Capture Data".
So I decided to use a Lua script to parse the "Leftover Capture Data" as a 28-byte unknown protocol plus SSL.
My Lua script is
This script can parse the SSL header successfully.
I also extracted the Client Random and Master Secret, and I put them in Preferences -> Protocols -> SSL -> (Pre)-Master-Secret log file.
Even though I provide the key file for decryption, I cannot get the decrypted SSL payload.
Are there any tips for decrypting an SSL session using a Lua SSL dissector?
asked 03 Oct ‘16, 23:05
edited 04 Oct ‘16, 02:13
For SSL/TLS decryption, the client and server sides must be identified, since both sides contribute to the session secret via the nonces in their Hello messages (Client Random and Server Random). The client/server role is determined automatically for TCP/UDP, but for other protocols you (as the parent layer) must provide this information.
On the USB level, data packets go from the host to the device (for an OUT endpoint) or from the device to the host (for an IN endpoint). These endpoint numbers are not necessarily the same, and in that case Wireshark sees two separate conversations:
Thus the SSL dissector is unable to recognise that these two data streams are paired. According to the WSLUA documentation, fields like
Note that these properties form a "conversation" (see
To ensure that the old, USB-specific conversations are not accidentally matched, choose source/destination addresses that are definitely different, or pick any other port type.
The SSL dissector currently does not check the port type, so if you, for example, have HTTP, you could set up a conversation like this (swap roles accordingly):
(If you pick
If this still does not give the expected result, enable the SSL debug log. For example, if the log shows two different "ssl_session" pointer addresses, then you know that the conversation is messed up.
answered 07 Oct '16, 15:57
edited 08 Oct '16, 08:21
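The approach the answer describes, written out as an added example (this is not the poster's script and not code from the answer): a Lua dissector for the "Leftover Capture Data" layout from the question, an assumed opaque 28-byte header followed by SSL/TLS records. Before handing the payload to the SSL dissector it rewrites the conversation key (addresses, ports, port type) so that both USB directions land in one conversation with a fixed client side. The `usbssl.*` names, the placeholder 10.0.0.x addresses and ports, the `PT_TCP` constant and the registration on interface class 0xff in the `usb.bulk` table are all assumptions for illustration; adjust them to the device in question.

```lua
-- Added example, not the original poster's script.
-- Assumed layout (from the question): 28 opaque bytes, then SSL/TLS records.
local usbssl = Proto("usbssl", "USB-encapsulated SSL (example)")

local HDR_LEN = 28  -- assumed fixed header length

local f_hdr = ProtoField.bytes("usbssl.hdr", "Unknown 28-byte header")
usbssl.fields = { f_hdr }

-- Placeholder conversation key. The values are assumptions; they only need
-- to be distinct from the USB addresses ("host", "1.2.1", ...) that the USB
-- dissector already put into pinfo, so the SSL layer never matches those.
local HOST_ADDR = Address.ip("10.0.0.1")
local DEV_ADDR  = Address.ip("10.0.0.2")
local HOST_PORT = 40000   -- "client" side (the host sends ClientHello)
local DEV_PORT  = 443     -- "server" side
local PT_TCP    = 2       -- assumed numeric port_type value for TCP

-- Resolve the SSL dissector once. Wireshark 3.x renamed it "tls"; older
-- versions raise an error from Dissector.get on an unknown name, hence pcall.
local function get_ssl_dissector()
    for _, name in ipairs({ "tls", "ssl" }) do
        local ok, d = pcall(Dissector.get, name)
        if ok and d then return d end
    end
    return nil
end
local ssl = get_ssl_dissector()

function usbssl.dissector(tvb, pinfo, tree)
    if tvb:len() < HDR_LEN then return 0 end  -- too short, not ours

    local sub = tree:add(usbssl, tvb(0, HDR_LEN))
    sub:add(f_hdr, tvb(0, HDR_LEN))

    -- Direction comes from the USB layer: pinfo.src is "host" for OUT
    -- transfers. Host -> device is mapped to client -> server.
    local from_host = tostring(pinfo.src) == "host"

    -- Rewrite the conversation key before calling SSL so both directions
    -- resolve to one conversation and the client/server roles are stable.
    pinfo.port_type = PT_TCP
    if from_host then
        pinfo.src, pinfo.dst = HOST_ADDR, DEV_ADDR
        pinfo.src_port, pinfo.dst_port = HOST_PORT, DEV_PORT
    else
        pinfo.src, pinfo.dst = DEV_ADDR, HOST_ADDR
        pinfo.src_port, pinfo.dst_port = DEV_PORT, HOST_PORT
    end

    local payload = tvb(HDR_LEN):tvb()
    if ssl then
        ssl:call(payload, pinfo, tree)
    else
        Dissector.get("data"):call(payload, pinfo, tree)
    end
    return tvb:len()
end

-- Assumed: the device exposes a vendor-specific interface (class 0xff) and
-- carries the data on bulk endpoints, so hook the usb.bulk table on 0xff.
DissectorTable.get("usb.bulk"):add(0xff, usbssl)
```

Drop the file into the Wireshark plugins directory (or load it with `-X lua_script:`), keep the (Pre)-Master-Secret log file configured as before, and verify in the SSL debug log that only one `ssl_session` pointer appears per session. Two caveats a practitioner should expect: there is no TCP-style desegmentation here, so a TLS record split across several USB transfers will not be reassembled; and if the first packet of the session is not the host's ClientHello (capture started mid-session), the role mapping above is still correct but decryption cannot start until a handshake is seen.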