
How to write a status prompter in the tls protocol for status prompting?

I want to compare the length of certain data in the request and the response, and then display a status prompt in the response packet, for example:

if len1 == len2
     show true
else
     show false

The result will be displayed in the response. How do I write this type of plugin or dissector, and how do I find a learning path? (The question above may need Google Translate; I'm not good at English.)

Desec, asked 2022-11-02 10:35:42 +0000

2 Answers


It's a bit of a time investment on the front end, but the Lua support in Wireshark is very flexible and quick to code in.

The Wireshark Wiki Lua page has examples with the EASYPOST.lua script showing basic steps to add a post-dissector.

The Contrib section includes two Lua scripts related to TLS - TLS extend and tls_conversations.lua.

Chuckc, answered 2022-11-02 13:08:45 +0000; updated by cmaynard 2022-11-02 14:04:12 +0000

Comments

(apologies for the updates on this answer)

Chuckc (2022-11-02 13:57:55 +0000)

Thanks, I will try this suggestion. I might need to learn some Lua first.

Desec (2022-11-03 03:07:52 +0000)

Let's see, first discuss some building blocks. You will need to keep track of state (i.e. the length) between related packets. The packet relation can be defined by a so-called conversation. With that conversation, data can be stored (len1) and later reused (in the expression len1 == len2).

Now comes the tricky part: how to build this into Wireshark? The TLS dissector is an established, built-in dissector, so it cannot be overridden by some plugin. You would either need to build your own Wireshark instance with this addition, or see if there are other means to reach this goal. I would be looking at so-called post-dissectors, dissectors that can retrieve field information from the dissected protocol tree, and MATE, an analysis scripting language. I'm no expert on either of these, but would look at MATE first.

Jaap, answered 2022-11-02 12:29:00 +0000

Comments

Thanks, I'll give it a try.

Desec (2022-11-03 03:10:58 +0000)
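Added example, written for this page and not code from either answer or from the Wireshark project: a Lua post-dissector that puts together the building blocks both answers point at (Chuckc's post-dissector route and Jaap's conversation state). It keys the state on the `tcp.stream` conversation index, remembers the TLS record length sent by the client side, and on the server side adds a boolean field reporting whether the response's record length equals the stored request length, which is the `len1 == len2` check from the question. Assumptions: Wireshark 3.x or later field names (`tls.record.length`, `tcp.stream`, `tcp.srcport`); whichever side sends the first TLS record of a stream is treated as the client; only the first TLS record in a frame is considered; the protocol name `tls_lenmatch` and its field names are made up for this example.

```lua
-- Example post-dissector (not part of the thread or of Wireshark itself).
-- Compares the TLS record length of a client packet with that of the
-- following server packet in the same TCP conversation.
local tls_lenmatch = Proto.new("tls_lenmatch", "TLS request/response length check (example)")

-- Fields this post-dissector adds to the tree (names are assumptions).
local pf_match   = ProtoField.bool("tls_lenmatch.match",   "Request/response length match")
local pf_req_len = ProtoField.uint32("tls_lenmatch.req_len", "Request record length")
local pf_rsp_len = ProtoField.uint32("tls_lenmatch.rsp_len", "Response record length")
tls_lenmatch.fields = { pf_match, pf_req_len, pf_rsp_len }

-- Field extractors must be created at script load time, before any packet is
-- dissected; they read values the built-in TCP and TLS dissectors already put
-- into the tree, so the TLS dissector itself is never modified.
local f_stream  = Field.new("tcp.stream")
local f_srcport = Field.new("tcp.srcport")
local f_rec_len = Field.new("tls.record.length")

-- Conversation state: tcp.stream -> { client_port, req_len }.
local conv_state = {}
-- Per-frame result, so the tree is identical when a frame is re-dissected
-- (pinfo.visited is true then and frames may be revisited in any order).
local pkt_result = {}

-- Called when a capture is (re)loaded: clear state from the previous file.
function tls_lenmatch.init()
  conv_state = {}
  pkt_result = {}
end

function tls_lenmatch.dissector(tvb, pinfo, tree)
  local stream = f_stream()
  local rec    = f_rec_len()
  if not stream or not rec then
    return  -- not TLS over TCP (or no complete record in this frame): nothing to do
  end

  local sid   = stream.value        -- conversation key
  local rlen  = rec.value           -- length of the first TLS record in this frame
  local sport = f_srcport().value

  if not pinfo.visited then
    local st = conv_state[sid]
    if not st then
      -- First TLS record of the conversation: its sender is taken to be the client.
      conv_state[sid] = { client_port = sport, req_len = rlen }
    elseif sport ~= st.client_port then
      -- Server-side packet: compare against the most recent request length.
      pkt_result[pinfo.number] = { req_len = st.req_len, rsp_len = rlen }
    else
      -- Another client-side record: remember it as the current request.
      st.req_len = rlen
    end
  end

  -- Only response frames get the extra subtree; request frames stay untouched.
  local r = pkt_result[pinfo.number]
  if r then
    local sub = tree:add(tls_lenmatch, tvb(), "TLS length check")
    sub:add(pf_req_len, r.req_len)
    sub:add(pf_rsp_len, r.rsp_len)
    sub:add(pf_match, r.req_len == r.rsp_len)
  end
end

-- Register as a post-dissector so it runs after the built-in dissectors on every frame.
register_postdissector(tls_lenmatch)
```

Load it with `wireshark -X lua_script:tls_lenmatch.lua` (or drop it in the personal plugins folder), then filter on `tls_lenmatch.match == 0` to list only the responses whose record length differs from the request. Because the result is stored per frame on the first pass, the field is stable under re-dissection, which is the main trap when keeping state in a Lua dissector.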
