This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

How do I dissect decrypted SSL data when I’m using a Master-Secret log?

I'm trying to dissect data protected with SSL/TLS encryption. I can decrypt the SSL data, because I have access to the Master Secret, but I can't figure out how to apply a dissector on the decrypted data. I can see in SSL preferences that if I were using an RSA key list, I could just input the name of the protocol to use for the decrypted data (and I've tested that it works). I'd like to get that same functionality when I'm using a Master-Secret log, is that possible?

Alternatively, is it possible to write a Lua dissector chained with the built-in SSL dissector to dissect the decrypted data? If so, how do I access the decrypted data? The SSL dissector puts them in as a new Data Source, but I don't know how to work with that, is there a way? Can I somehow get a Tvb filled with the decrypted data?

Thank you for any advice!

asked 18 Dec '16, 11:25

MixMaxMo

I don't use SSL much but, after decrypting, can you right-click on one of the packets and do Decode-As your dissector? Or will that do Decode-As at the TCP layer rather than the SSL layer?

(03 Jan '17, 15:26) JeffMorriss ♦

2 Answers:

OK I tried it out in Wireshark 2.2.3 and it appears that once you've decrypted using a Master-Secret file that you're then able to right-click on a frame and Decode-As the SSL/TLS port as some protocol of your choosing (you just want to choose the Field name SSL TCP Dissector).

@luffy_loundi is correct: if you control the (upper layer) dissector it is easy enough to register the dissector on the ssl.port dissector table. Along the same lines (to answer your second question), yes, you could write a Lua dissector to register for the appropriate ssl.port and then decode the (already decrypted) data. Or you could use that dissector as a "shim" which then just calls the built-in dissector of your choice.

answered 06 Jan '17, 06:12

JeffMorriss ♦

You're absolutely right, thank you and thanks to luffy_koundi as well, all it took was to add the dissector to the ssl.port table and then do the Decode As... (or just register the right port).

(10 Jan '17, 12:49) MixMaxMo

The SSL dissector uses the port number to decide on how to dissect the decrypted data. Various protocols register their ports into an "association". So your dissector needs to add itself if it isn't doing it already. In case there is no association found for a particular port, heuristic dissectors are tried which further claim the packet.

answered 05 Jan '17, 23:12

koundi

edited 11 Jan '17, 04:26
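
The approach both answers describe, registering an upper-layer dissector in the SSL dissector's port table so that it receives the already decrypted payload, shown as an added example that is not part of the original answers or of Wireshark itself. The protocol name `myproto`, its 2-byte length-prefixed record format and port 4443 are assumptions for illustration; the table is named `ssl.port` in the Wireshark 2.2 discussed here and `tls.port` in 3.0 and later.

```lua
-- Added example: hypothetical protocol carried inside SSL/TLS.
-- "myproto", the record format and port 4443 are assumptions, not from the page.
local myproto   = Proto("myproto", "My Protocol (example)")
local f_len     = ProtoField.uint16("myproto.length", "Record length", base.DEC)
local f_payload = ProtoField.bytes("myproto.payload", "Payload")
myproto.fields  = { f_len, f_payload }

-- tvb is the decrypted application data handed over by the SSL/TLS dissector
-- (the extra data source shown in the GUI), not the encrypted TCP payload.
function myproto.dissector(tvb, pinfo, tree)
    local total = tvb:len()
    if total < 2 then return 0 end            -- too short to be ours
    pinfo.cols.protocol = "MYPROTO"
    local subtree = tree:add(myproto, tvb())
    local offset = 0
    while offset + 2 <= total do
        local len   = tvb(offset, 2):uint()   -- big-endian record length
        local avail = total - offset - 2
        local take  = math.min(len, avail)
        local rec = subtree:add(tvb(offset, 2 + take), "Record")
        rec:add(f_len, tvb(offset, 2))
        if take > 0 then rec:add(f_payload, tvb(offset + 2, take)) end
        if len > avail then
            -- Record continues in a later TLS record; flag it instead of guessing.
            rec:add_expert_info(PI_MALFORMED, PI_WARN, "Record truncated in this buffer")
        end
        offset = offset + 2 + take
    end
    return total
end

-- DissectorTable.get raises an error for an unknown table, so probe with pcall.
local function find_table(names)
    for _, name in ipairs(names) do
        local ok, tbl = pcall(DissectorTable.get, name)
        if ok and tbl then return tbl end
    end
    return nil
end

local port_table = find_table({ "tls.port", "ssl.port" })
if port_table then
    -- After this, the dissector is picked automatically for port 4443 and is
    -- also offered under Decode As for the SSL/TLS port, as the answers describe.
    port_table:add(4443, myproto)
end

-- Shim variant: replace the dissector body with
--   Dissector.get("http"):call(tvb, pinfo, tree)
```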