This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

Dissector extra info


Hello,

I'm trying to build a protocol dissector.

The dissector works just fine, however the problem is the body is encrypted. I already reversed everything and I can retrieve the session key from within the dissector (it's hackish but whatever).

However, as the key changes, we cannot store extra info somewhere to link a key to a pcap file.

So my question is, is there a way to:

A) Store the key somewhere related to the pcap file to load the key in the dissector for each pcap file

B) Save modified packets to a pcap file (it's a hell, already tried, but perhaps I looked wrong)

Kind regards, ~Intline9

asked 12 Mar '12, 16:46


Intline9


One Answer:


A) The capture files that Wireshark can read can be in a number of formats; the only format that allows arbitrary information of that sort to be stored in it is pcap-NG format, so that's not a general solution. It also involves registering a new block type for pcap-NG and adding code to support that.

B) Wireshark does not support saving decrypted data out in a conversation (that's why it was hell to try to do so).

Your only general alternative would be to store the extra information in another file, with a preference pointing to that file, or store it in a preference; that's what's used for the other flavors of decryption supported by Wireshark.

answered 12 Mar '12, 18:34


Guy Harris

After loads of thinking I thought of another way: we could keep track of packet-stream/key pairs by getting a checksum of a packet we know is unique each session and saving the checksum with the session key.

Working now to implement that!

(01 Apr '12, 08:59) Intline9
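Combining the answer's suggestion (a preference pointing at an external key file) with the checksum-to-key idea in the follow-up comment, as an added Lua dissector example that is not code from this thread: the protocol name `sesskey`, TCP port 4444, the key-file line format and the checksum function are all assumptions, and the decryption step is left out because the thread names no cipher.

```lua
local sesskey = Proto("sesskey", "Hypothetical encrypted protocol")

-- (1) Preference pointing at an external key file, one line per session:
--     "<checksum in hex> <session key in hex>"   (assumed format)
sesskey.prefs.keyfile = Pref.string("Key file", "",
  "Text file mapping a session checksum to its session key")

local f_csum = ProtoField.uint32("sesskey.checksum", "Session checksum", base.HEX)
local f_key  = ProtoField.string("sesskey.key", "Session key (hex)")
sesskey.fields = { f_csum, f_key }
local keymap, loaded_path = {}, nil

-- Reload the map whenever the preference changes.
local function load_keys(path)
  keymap, loaded_path = {}, path
  local fh = io.open(path, "r")
  if not fh then return end
  for line in fh:lines() do
    local csum, key = line:match("^(%x+)%s+(%x+)")
    if csum and key then keymap[tonumber(csum, 16)] = key end
  end
  fh:close()
end

-- Simple 32-bit checksum of a payload: stands in for the "unique packet"
-- checksum from the comment; stays in double-safe range, no bit library needed.
local function checksum(buf)
  local sum = 0
  for i = 0, buf:len() - 1 do
    sum = (sum * 31 + buf(i, 1):uint()) % 4294967296
  end
  return sum
end

-- (2) Remember the checksum of the first packet seen on each TCP stream and
-- use it to look up that stream's key.
local stream_csum = {}
local tcp_stream = Field.new("tcp.stream")   -- must be created at load time
function sesskey.dissector(buf, pinfo, tree)
  if sesskey.prefs.keyfile ~= loaded_path then load_keys(sesskey.prefs.keyfile) end
  local fi = tcp_stream()
  local sid = fi and fi.value or -1
  if stream_csum[sid] == nil then stream_csum[sid] = checksum(buf) end
  local st = tree:add(sesskey, buf())
  st:add(f_csum, stream_csum[sid])
  -- Decryption itself is omitted: the thread names no cipher.
  st:add(f_key, keymap[stream_csum[sid]] or "<no key in key file>")
  pinfo.cols.protocol = "SESSKEY"
end
DissectorTable.get("tcp.port"):add(4444, sesskey)   -- assumed port
```

The key file is re-read when the preference changes, so the mapping lives outside the capture file, as the answer recommends, while each stream is tied to its key by the checksum the comment proposes.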