Hi, I wanted to know if, every time I select a new SSL packet, the packet is decrypted and dissected again. To be clearer: if I give Wireshark the necessary info, such as the session key and the client random, the SSL stream is decrypted. Does this happen every time the packet is selected, or does it just happen once and we keep the whole decrypted frame? My intuition says it must be decrypted every time, as keeping a decrypted record for every packet sounds impractical. Can someone please comment on this? Thanks -Koundi
Once the TLS record is decrypted, it will be cached for future use. Basically it works like this:
So what you are basically saying is that it does store the decrypted record for every packet?
(17 Oct '16, 03:26)
koundi
Yes it does store the decrypted record for every packet. Note that only the data (bytes) are stored, not the tree itself.
(17 Oct '16, 03:31)
Lekensteyn
Yup! Thanks. Also, can you please tell me why not just store the tvb instead of the bytes? When the packet is decrypted the first time, when the visited flag is not set, we create a tvb, add it as a data source and pass it on to the next dissectors. So when I come back to the same point, get the existing decrypted record and create another tvb, is that not a redundancy? Or is the tvb not file scoped? Thanks a lot for answering these questions! I knew you would be the one answering this question :)
(17 Oct '16, 05:53)
koundi
Ok, actually when I said "bytes", I meant the tvb which was created from the decrypted data. This seems a good trade-off between memory use and CPU usage :)
(17 Oct '16, 06:01)
Lekensteyn
I am sorry, but when I look into the code it looks like ssl_add_data_info is actually copying the character array (guchar*) using wmem_alloc and doing a memcpy with a file scope. But by doing this, isn't the first tvb left dangling? (Yes, later when tvb_free is called it is freed.) But we are creating two tvbs with the same data, are we not? Can you please tell me when the tvb goes out of "scope"? Thanks again!
(17 Oct '16, 06:18)
koundi
Ok sorry for the misinformation, I just looked again and indeed the decrypted data is first stored in the Based on the comments in As for the SSL memory, note it is using wmem-allocated memory from the
(17 Oct '16, 06:40)
Lekensteyn
Yes, thanks a lot!
(17 Oct '16, 06:52)
koundi
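The decrypt-once-then-cache behaviour discussed in this thread, as an added example that is not part of the original posts and is not Wireshark's code: a simplified C model in which the first visit to a frame decrypts the record and copies the plaintext into storage that lives until the capture is closed, and every later selection is served from that copy. The names `dissect_record`, `file_cache`, `toy_decrypt` and `close_capture` are hypothetical; XOR stands in for TLS record decryption and `malloc` for file-scoped wmem allocation.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdlib.h>
#include <string.h>

#define MAX_FRAMES 16

/* Hypothetical stand-in for file-scoped storage: kept until the capture closes. */
struct cached_record { unsigned char *data; size_t len; };
static struct cached_record file_cache[MAX_FRAMES];
static bool visited[MAX_FRAMES];   /* models the per-frame "visited" flag */
static int decrypt_calls;          /* counts how often decryption really runs */

/* Toy XOR "cipher" standing in for real TLS record decryption. */
static void toy_decrypt(const unsigned char *in, size_t len,
                        unsigned char key, unsigned char *out)
{
    decrypt_calls++;
    for (size_t i = 0; i < len; i++)
        out[i] = in[i] ^ key;
}

/* Dissect one frame; returns the cached plaintext, or NULL on bad input. */
const unsigned char *dissect_record(unsigned frame, const unsigned char *rec,
                                    size_t len, unsigned char key, size_t *out_len)
{
    if (frame >= MAX_FRAMES || rec == NULL || len == 0)
        return NULL;
    if (!visited[frame]) {
        /* First pass only: decrypt and keep a copy of the plaintext bytes. */
        unsigned char *copy = malloc(len);
        if (copy == NULL)
            return NULL;
        toy_decrypt(rec, len, key, copy);
        file_cache[frame].data = copy;
        file_cache[frame].len = len;
        visited[frame] = true;
    }
    /* Re-selecting the frame never decrypts again; it reuses the stored bytes. */
    *out_len = file_cache[frame].len;
    return file_cache[frame].data;
}

/* Models closing the capture file: all cached plaintext is released. */
void close_capture(void)
{
    for (unsigned i = 0; i < MAX_FRAMES; i++) {
        free(file_cache[i].data);
        file_cache[i] = (struct cached_record){ NULL, 0 };
        visited[i] = false;
    }
}

int get_decrypt_calls(void) { return decrypt_calls; }
```

In this model the memory cost is one plaintext copy per decrypted frame for as long as the capture stays open, which is the memory-versus-CPU trade-off the thread refers to.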