Hello, I'm trying to build a protocol dissector. The dissector works just fine; however, the problem is that the body is encrypted. I already reversed everything and I can retrieve the session key from within the dissector (it's hackish, but w/e). However, the key changes, and we cannot store extra info somewhere to link a key to a pcap file. So my question is, is there a way to:

A) Store the key somewhere related to the pcap file, to load the key in the dissector for each pcap file

B) Save modified packets to a pcap file (it's hell, already tried, but perhaps I looked wrong)

Kind regards,
~Intline9

asked 12 Mar '12, 16:46 Intline9
One Answer:
A) The capture files that Wireshark can read can be in a number of formats; the only format that allows arbitrary information of that sort to be stored in it is pcap-NG format, so that's not a general solution. It also involves registering a new block type for pcap-NG and adding code to support that.

B) Wireshark does not support saving decrypted data out in a conversation (that's why it was hell to try to do so).

Your only general alternative would be to store the extra information in another file, with a preference pointing to that file, or to store it in a preference; that's what's used for the other flavors of decryption supported by Wireshark.

answered 12 Mar '12, 18:34 Guy Harris
After loads of thinking I thought of another way: we could keep track of packet-stream/key pairs by getting a checksum of a packet we know is unique each session and saving the checksum with the session key.
Working now to implement that!
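As an added example (not code from this thread, and not Wireshark's own), here is a Lua dissector skeleton that combines the two ideas above: a preference points at a sidecar key file, and each TCP stream's key is looked up by a checksum of the stream's first payload packet. Assumed and placeholder: the protocol runs on TCP port 9999, the first payload packet of a stream is the session-unique "hello", and the key file holds one "<adler32-hex> <session-key-hex>" pair per line.

```lua
local myproto = Proto("sesskey", "Encrypted protocol (session key lookup demo)")
-- Preference pointing at the sidecar key file; the line format is an assumption
myproto.prefs.keyfile = Pref.string("Session key file", "", "Lines of '<adler32 of hello packet> <hex session key>'")
local f_stream = Field.new("tcp.stream")
local pf_fp  = ProtoField.string("sesskey.fingerprint", "Hello packet fingerprint")
local pf_key = ProtoField.string("sesskey.key", "Session key (hex)")
myproto.fields = { pf_fp, pf_key }
local keymap = {}       -- fingerprint -> hex key, loaded from the preference file
local stream_key = {}   -- tcp.stream number -> hex key (or false), filled on first pass
local hello_frame = {}  -- tcp.stream number -> frame number of the hello packet
-- Adler-32 needs no bit operators, so it runs on whichever Lua Wireshark ships with
local function adler32(s)
  local a, b = 1, 0
  for i = 1, #s do
    a = (a + s:byte(i)) % 65521
    b = (b + a) % 65521
  end
  return string.format("%08x", b * 65536 + a)
end
local function load_keymap(path)
  keymap = {}
  local fh = path ~= "" and io.open(path, "r")
  if not fh then return end
  for line in fh:lines() do
    local fp, key = line:match("^(%x+)%s+(%x+)")
    if fp then keymap[fp:lower()] = key:lower() end
  end
  fh:close()
end

function myproto.init()  -- runs per capture; also re-run when the preference changes
  stream_key, hello_frame = {}, {}
  load_keymap(myproto.prefs.keyfile)
end
myproto.prefs_changed = myproto.init

function myproto.dissector(tvb, pinfo, tree)
  pinfo.cols.protocol = myproto.name
  local stream = f_stream().value
  local subtree = tree:add(myproto, tvb())
  if stream_key[stream] == nil then
    -- first packet seen in this stream: assumed to be the session-unique hello
    hello_frame[stream] = pinfo.number
    stream_key[stream] = keymap[adler32(tvb:raw())] or false
  end
  if pinfo.number == hello_frame[stream] then
    subtree:add(pf_fp, adler32(tvb:raw()))  -- shown so the pair can be added to the key file
  end
  local key = stream_key[stream]
  if key then subtree:add(pf_key, key)  -- body decryption with this key would go here
  else subtree:append_text(" [no session key known for this stream]") end
end
DissectorTable.get("tcp.port"):add(9999, myproto)  -- placeholder port
```

Because the key file is separate from the capture, one file can carry the pairs for many pcaps, and a stream whose hello packet is missing from a capture simply shows the "no session key" note rather than a wrong decryption.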