I'm trying to dissect data protected with SSL/TLS encryption. I can decrypt the SSL data, because I have access to the Master Secret, but I can't figure out how to apply a dissector on the decrypted data.

I can see in SSL preferences that if I were using an RSA key list, I could just input the name of the protocol to use for the decrypted data (and I've tested that it works). I'd like to get that same functionality when I'm using a Master-Secret log, is that possible?

Alternatively, is it possible to write a Lua dissector chained with the built-in SSL dissector to dissect the decrypted data? If so, how do I access the decrypted data? The SSL dissector puts them in as a new Data Source, but I don't know how to work with that, is there a way? Can I somehow get a Tvb filled with the decrypted data?

Thank you for any advice!

asked 18 Dec '16, 11:25 MixMaxMo
2 Answers:
OK I tried it out in Wireshark 2.2.3 and it appears that once you've decrypted using a Master-Secret file that you're then able to right-click on a frame and Decode-As the SSL/TLS port as some protocol of your choosing (you just want to choose the Field name

@luffy_loundi is correct: if you control the (upper layer) dissector it is easy enough to register the dissector on the

answered 06 Jan '17, 06:12 JeffMorriss ♦

You're absolutely right, thank you and thanks to luffy_koundi as well, all it took was to add the dissector to the (10 Jan '17, 12:49) MixMaxMo
SSL dissector uses the port number to decide on how to dissect the decrypted data. Various protocols register their ports into an "association". So your dissector needs to add itself if it isn't doing it already. In case there is no association found for a particular port, heuristic dissectors are tried which further claim the packet.

answered 05 Jan '17, 23:12 koundi edited 11 Jan '17, 04:26
I don't use SSL much but, after doing decrypting, can you right-click on one of the packets and do Decode-As your dissector? Or will that do Decode-As at the TCP layer rather than the SSL layer?
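
The port association described in the answers above, written out as an added example (not code posted by anyone in this thread): a Lua dissector that registers itself with the SSL/TLS dissector's port table so that it receives the decrypted application data as its Tvb. The protocol name `myproto`, its 3-byte header layout and port 8443 are assumptions made up for illustration.

```lua
-- Added example: "myproto", its 3-byte header and port 8443 are hypothetical.
local myproto = Proto("myproto", "Example protocol carried inside SSL/TLS")

local f_type    = ProtoField.uint8("myproto.type", "Message type", base.HEX)
local f_length  = ProtoField.uint16("myproto.length", "Payload length", base.DEC)
local f_payload = ProtoField.bytes("myproto.payload", "Payload")
myproto.fields = { f_type, f_length, f_payload }

local HEADER_LEN = 3  -- 1 byte type + 2 bytes big-endian length (constructed format)

-- When called through the SSL/TLS port table, tvb holds the decrypted
-- application data (the extra data source), not the ciphertext.
function myproto.dissector(tvb, pinfo, tree)
    if tvb:len() < HEADER_LEN then
        return 0  -- too short to be ours; let other dissectors try
    end
    pinfo.cols.protocol = "MYPROTO"
    local subtree = tree:add(myproto, tvb(), "Example protocol")
    subtree:add(f_type, tvb(0, 1))
    subtree:add(f_length, tvb(1, 2))
    local declared = tvb(1, 2):uint()
    local present = math.min(declared, tvb:len() - HEADER_LEN)
    if present > 0 then
        subtree:add(f_payload, tvb(HEADER_LEN, present))
    end
    if present < declared then
        -- Flag records whose payload is cut short instead of reading past the buffer.
        subtree:add_expert_info(PI_MALFORMED, PI_WARN, "Payload shorter than declared length")
    end
    return HEADER_LEN + present
end

-- The port association table is "ssl.port" in Wireshark 2.x and "tls.port" from 3.0 on.
local function tls_port_table()
    for _, name in ipairs({ "tls.port", "ssl.port" }) do
        local ok, tbl = pcall(DissectorTable.get, name)
        if ok and tbl then return tbl end
    end
    return nil
end

local tbl = tls_port_table()
if tbl then
    tbl:add(8443, myproto)  -- decrypted payload on TCP port 8443 now goes to myproto
end
```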