There can be more than one ssl.handshake.type field within a single packet, so you need to account for this. The following is a simple Lua post-dissector that appends the SSL handshake type(s) to the Info column. It ought to serve as a basic starting point for any further work:
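
    -- Post-dissector: append every ssl.handshake.type value to the Info column
    sslpost = Proto("SSLpost", "SSL post-dissector")
    ssl_handshake_type_f = Field.new("ssl.handshake.type")

    function sslpost.dissector(tvb, pinfo, tree)
        -- A field extractor returns one FieldInfo per occurrence in the packet
        local ssl_hst = {ssl_handshake_type_f()}
        -- The table itself is always truthy, so test its length instead
        if #ssl_hst > 0 then
            pinfo.cols.info:append(": Handshake Type" .. ((#ssl_hst > 1) and "s: " or ": "))
            for i in ipairs(ssl_hst) do
                pinfo.cols.info:append(ssl_hst[i]() .. " ")
            end
        end
    end

    register_postdissector(sslpost)
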
Testing this against the ssl.pcap file in the Wireshark menagerie produces this tshark result:

    $ tshark -r ssl.pcap -Y "ssl.handshake.type"
    2009-02-13 11:55:59.814985 0.045490 0.000000 9.155.133.167 → unlabelled-50-61-58-81.versatel.net SSLv2 196 Client Hello: Handshake Type: 1
    2009-02-13 11:55:59.910024 0.140529 0.095039 unlabelled-50-61-58-81.versatel.net → 9.155.133.167 SSLv3 989 Server Hello, Certificate, Server Hello Done: Handshake Types: 2 11 14
    2009-02-13 11:55:59.912738 0.143243 0.002714 9.155.133.167 → unlabelled-50-61-58-81.versatel.net SSLv3 258 Client Key Exchange, Change Cipher Spec, Encrypted Handshake Message: Handshake Type: 16
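
Why one packet can yield several handshake types, shown outside Wireshark: the following is an added example, not part of the original answer, and its function names and sample bytes are constructed for illustration. It walks the SSLv3/TLS records in a single TCP payload and lists each handshake message type, stopping at Change Cipher Spec because later handshake records are encrypted; it assumes every handshake message fits inside one record and does not handle SSLv2 framing.

```python
import struct

HANDSHAKE = 22           # TLS record content type: handshake
CHANGE_CIPHER_SPEC = 20  # TLS record content type: change_cipher_spec


def handshake_types(payload):
    """Return the handshake message types visible in one TCP payload."""
    types, off, encrypted = [], 0, False
    while off + 5 <= len(payload):
        # Record header: content type (1), version (2), length (2)
        ctype, _version, rlen = struct.unpack_from("!BHH", payload, off)
        body = payload[off + 5 : off + 5 + rlen]
        if len(body) < rlen:
            break  # truncated record: the rest is in a later segment
        off += 5 + rlen
        if ctype == CHANGE_CIPHER_SPEC:
            encrypted = True  # following handshake records are opaque
        elif ctype == HANDSHAKE and not encrypted:
            pos = 0
            # One record may hold several handshake messages back to back
            while pos + 4 <= len(body):
                types.append(body[pos])
                msg_len = int.from_bytes(body[pos + 1 : pos + 4], "big")
                pos += 4 + msg_len
    return types


def _hs(msg_type, body=b""):
    """Build a handshake message: type (1), length (3), body."""
    return bytes([msg_type]) + len(body).to_bytes(3, "big") + body


def _rec(ctype, body):
    """Wrap a body in an SSLv3 record header."""
    return struct.pack("!BHH", ctype, 0x0300, len(body)) + body


# Constructed sample: Server Hello, Certificate, Server Hello Done in one record
SERVER_FLIGHT = _rec(HANDSHAKE, _hs(2, b"\x00" * 38) + _hs(11, b"\x00" * 10) + _hs(14))
# Constructed sample: Client Key Exchange, Change Cipher Spec, encrypted handshake
CLIENT_FLIGHT = (_rec(HANDSHAKE, _hs(16, b"\x00" * 8))
                 + _rec(CHANGE_CIPHER_SPEC, b"\x01")
                 + _rec(HANDSHAKE, b"\xaa" * 40))

if __name__ == "__main__":
    print(handshake_types(SERVER_FLIGHT))
    print(handshake_types(CLIENT_FLIGHT))
```

The two constructed payloads mirror the second and third packets in the tshark output above: three types for the server flight, and only type 16 for the client flight because the final handshake record follows Change Cipher Spec.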