Accessing decrypted TLS data in Lua dissector

As I hinted in my TLS 1.3 decrypt question in https://ask.wireshark.org/question/14..., I've now attempted to decrypt Zabbix TLS traffic in Lua dissector.

In my dissector function (which is registered for 10050/tcp packets in this case), when I know I expect TLS-encrypted data, I can basically call

Dissector.get("tls"):call(tvb, pktinfo, tree)

right away and the decrypted Zabbix data is successfully shown in the "Decrypted TLS" tab (as I have captured and added the relevant session keys in Wireshark), but I don't know how to access that decrypted data in my dissector after that call.

Any hints?

I already searched for a "tls.something" field that would contain the decrypted data, but didn't find one.

Markku

Markku
asked 2020-02-22 11:23:44 +0000

1 Answer

You should not try to access the decrypted data via a field, but ensure that dissectors call each other.

Register your protocol with the tls.port dissector table. This ensures that the TLS dissector is called when that TCP port is encountered, and ensures that your protocol is called for the decrypted payload.

Alternatively, register a heuristic dissector in the tls heuristic dissector table. From there, you could try to detect whether the data matches your protocol. I would suggest the former approach if possible.

Finally, if your protocol has an ALPN registration, register your protocol with the tls.alpn dissector table.

Lekensteyn
answered 2020-02-22 17:29:00 +0000

Comments

Thanks Peter! In this case there is a small twist: The port 10050/tcp can be either TLS or unencrypted. So, I did this:

  • In the dissector function I tried to make sure to return 0 if the packet could not be recognized (this still needs more work, as not all versions of the Zabbix protocol contain a directly identifying header in the packet, but anyway)
  • I then registered the same dissector for both tcp.port and tls.port

With quick testing this seems to work; I guess this is the way to implement it. Thanks again!

Markku (2020-02-22 18:49:51 +0000)
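To make the answer and the comment above concrete, here is a minimal Lua dissector written for this page as an illustration; it is neither Wireshark's own code nor the code in Markku's repository. It assumes a protocol named "zbxdemo" on 10050/tcp whose payload starts with a "ZBXD" magic, one flags byte and a 4-byte little-endian data length (the header layout, protocol name and field names are assumptions made for the example). The dissector returns 0 whenever the payload does not start with that header, so that Wireshark can hand the segment to another dissector (for example TLS), and it is registered in both the tcp.port and the tls.port tables: the first registration covers unencrypted sessions, the second makes the TLS dissector call it with the decrypted application data instead of the Lua code having to fetch that data back out of TLS.

```lua
-- Added example dissector for a Zabbix-like protocol that may arrive either
-- in the clear or inside TLS on the same TCP port. Not the page author's code.
local zbx_proto = Proto("zbxdemo", "Zabbix-like demo protocol")

-- Field definitions (names constructed for this example).
local f_header = ProtoField.string("zbxdemo.header", "Header")
local f_flags  = ProtoField.uint8("zbxdemo.flags", "Flags", base.HEX)
local f_len    = ProtoField.uint32("zbxdemo.length", "Data length")
local f_data   = ProtoField.string("zbxdemo.data", "Data")
zbx_proto.fields = { f_header, f_flags, f_len, f_data }

-- Assumed header: "ZBXD" (4) + flags (1) + data length, little-endian (4)
-- + reserved (4) = 13 bytes, followed by <data length> bytes of payload.
local HEADER_LEN = 13

function zbx_proto.dissector(tvb, pktinfo, tree)
    -- Reject (return 0) anything that does not carry the magic, so TCP or TLS
    -- can try other dissectors. This is the "return 0 if not recognized"
    -- rule from the comment above; a TLS record never starts with "ZBXD".
    if tvb:len() < HEADER_LEN or tvb(0, 4):string() ~= "ZBXD" then
        return 0
    end

    pktinfo.cols.protocol = zbx_proto.name
    local subtree = tree:add(zbx_proto, tvb(), "Zabbix-like demo protocol")
    subtree:add(f_header, tvb(0, 4))
    subtree:add(f_flags, tvb(4, 1))
    subtree:add_le(f_len, tvb(5, 4))

    -- Only add the data field when the whole message is present; a
    -- production dissector would use reassembly (desegment_len) here.
    local datalen = tvb(5, 4):le_uint()
    if tvb:len() >= HEADER_LEN + datalen then
        subtree:add(f_data, tvb(HEADER_LEN, datalen))
    end

    -- Report the bytes consumed so the caller treats the segment as ours.
    return tvb:len()
end

-- Plain TCP: the TCP dissector calls us with the raw segment.
DissectorTable.get("tcp.port"):add(10050, zbx_proto)

-- TLS on the same port: per the answer, this makes the TLS dissector claim
-- the port and call us with the *decrypted* payload once the session keys
-- (key log file) are available to Wireshark.
DissectorTable.get("tls.port"):add(10050, zbx_proto)

-- Optional alternative from the answer: a heuristic on the TLS heuristic
-- list instead of a fixed port. A heuristic function must return a boolean.
-- Uncomment to use; "tls" is the list name assumed here.
-- zbx_proto:register_heuristic("tls", function(tvb, pktinfo, tree)
--     return zbx_proto.dissector(tvb, pktinfo, tree) > 0
-- end)
```

Drop the file into the Wireshark plugins directory (or load it with -X lua_script:), open a capture of port 10050 with the TLS key log configured, and the "zbxdemo" fields appear both for plaintext sessions and, via the TLS dissector, for the decrypted application data of TLS sessions; without the key log the TLS sessions simply show as TLS because the dissector returns 0 for the encrypted records.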

In case someone is interested in a working example based on this discussion, here are the dissectors: https://github.com/markkuleinio/wires...

Markku (2020-02-23 14:54:51 +0000)

Thanks for sharing your code. It has been immensely helpful for me trying to do something very similar.

joshenders (2020-11-17 11:42:04 +0000)