2023-07-08 20:30:30 +0000 | received badge | ● Popular Question (source) |
2023-07-08 20:27:06 +0000 | received badge | ● Notable Question (source) |
2023-07-08 17:13:17 +0000 | marked best answer | "Asked" year is incorrect here at ask.wireshark.org Anyone here that can tell the ask.wireshark.org maintainers: The "asked" datestamps are shown incorrectly here. For example, "Asked: Aug 27 '2" is shown, but when hovering the mouse over, it shows "2022-08-27 13:30:11 +0000". So apparently 2022 is being shortened to '2 instead of '22. Another example:
so the Last updated field is shown correctly though. |
2023-07-08 16:06:28 +0000 | asked a question | "Asked" year is incorrect here at ask.wireshark.org Anyone here that can tell the ask.wireshark.org maintainers: The "a |
2022-10-24 08:25:02 +0000 | commented answer | Cannot initiate capture session on a device after having installed 4.0.0 Thanks for your observation. Feel free to also comment on https://gitlab.com/wireshark/wireshark/-/issues/18414 and http |
2022-10-23 16:16:40 +0000 | received badge | ● Commentator |
2022-10-23 16:16:40 +0000 | commented answer | Cannot initiate capture session on a device after having installed 4.0.0 Npcap 1.60 works with Windows 11, Npcap 1.71 does not. |
2022-07-27 13:32:40 +0000 | commented answer | Lua ProtoField.ipv4 input data syntax Gotcha, thanks again. |
2022-07-27 10:44:08 +0000 | received badge | ● Popular Question (source) |
2022-07-27 06:43:15 +0000 | marked best answer | Lua ProtoField.ipv4 input data syntax I'm writing a dissector in Lua (https://github.com/markkuleinio/wires...) and trying to use a The error message in Wireshark is "userdata expected, got string" (or whatever syntax I try). The original data is an IPv4 address as dotted decimal string ("10.1.2.3"), but I've also tried to use it as converted to uint32 (generated with a Markku |
2022-07-27 06:42:49 +0000 | commented answer | Lua ProtoField.ipv4 input data syntax Thanks! It works great. I somehow totally overlooked the Address class in WSDG. I'll publish the updated dissector code |
2022-07-26 20:52:59 +0000 | commented question | Lua ProtoField.ipv4 input data syntax Oh, the day has been long and I only now found this: https://osqa-ask.wireshark.org/questions/43013/conversion-of-string |
2022-07-26 20:52:19 +0000 | commented question | Lua ProtoField.ipv4 input data syntax Oh, the day has been long and I only now found this: https://osqa-ask.wireshark.org/questions/43013/conversion-of-string |
2022-07-26 20:38:55 +0000 | asked a question | Lua ProtoField.ipv4 input data syntax I'm writing a dissector in Lua (https://github.com/markkuleinio/wireshark-zabbix-d |
2022-07-26 06:41:36 +0000 | received badge | ● Famous Question (source) |
2021-06-27 00:55:46 +0000 | received badge | ● Famous Question (source) |
2021-06-20 09:33:22 +0000 | received badge | ● Notable Question (source) |
2020-10-28 06:37:30 +0000 | received badge | ● Popular Question (source) |
2020-06-17 07:50:56 +0000 | received badge | ● Notable Question (source) |
2020-06-17 07:50:56 +0000 | received badge | ● Popular Question (source) |
2020-03-13 11:09:27 +0000 | commented answer | How to press Meta+1 etc. on Windows? Thanks for the information. Opened https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=16437 |
2020-03-12 18:54:33 +0000 | edited question | How to press Meta+1 etc. on Windows? In Wireshark, in File - Open Recent menu, there are the shortcut keys shown: Meta+0 |
2020-03-12 18:19:35 +0000 | asked a question | How to press Meta+1 etc. on Windows? In Wireshark, in File - Open Recent menu, there are the shortcut keys shown: Meta+0 |
2020-03-01 10:18:13 +0000 | commented question | Slow download My comments (helpful or not): client IP address 250.x.x.x is unusual max TCP length is 1238, so MSS is apparently quit |
2020-02-23 14:54:51 +0000 | commented answer | Accessing decrypted TLS data in Lua dissector In case someone is interested in a working example based on this discussion, here are the dissectors: https://github.com |
2020-02-22 19:46:43 +0000 | received badge | ● Supporter (source) |
2020-02-22 18:50:08 +0000 | marked best answer | Accessing decrypted TLS data in Lua dissector As I hinted in my TLS 1.3 decrypt question in https://ask.wireshark.org/question/14..., I've now attempted to decrypt Zabbix TLS traffic in Lua dissector. In my dissector function (which is registered for Dissector.get("tls"):call(tvb, pktinfo, tree) right away and the decrypted Zabbix data is successfully shown in the "Decrypted TLS" tab (as I have captured and added the relevant session keys in Wireshark), but I don't know how to access that decrypted data in my dissector after that call. Any hints? I already searched for a "tls.something" field that would contain the decrypted data, but didn't find one. Markku |
2020-02-22 18:49:51 +0000 | commented answer | Accessing decrypted TLS data in Lua dissector Thanks Peter! In this case there is a small twist: The port 10050/tcp can be either TLS or unencrypted. So, I did this: |
2020-02-22 11:23:44 +0000 | asked a question | Accessing decrypted TLS data in Lua dissector As I hinted in my TLS 1.3 decrypt question in https://ask.wireshark.org/qu |
2020-02-22 09:52:55 +0000 | marked best answer | How to decrypt TLS 1.3 PSK sent by Zabbix? Hi, I'm trying to decrypt TLS 1.3 traffic, generated by Zabbix. This is configured with pre-shared key as described in the documentation in https://www.zabbix.com/documentation/... . I have configured Wireshark 3.2.1 (or tshark 3.2.1) to use the configured TLS PSK. I'm not able to see the traffic unencrypted however. What am I missing here? The example capture file is in https://my.syncplicity.com/share/daz6.... The PSK is "dac86d7afb589557e876f16b59b8b5b4". PSK Identity is "psk" in Zabbix but I don't think that's relevant for TLS decryption in Wireshark. (It is shown plaintext in frame 4 in tls.handshake.extensions.psk.identity.identity anyway) For example:
tshark -r zabbix-tls-agent.pcap -Y "frame.number==28" -V -O tls -o tls.psk:dac86d7afb589557e876f16b59b8b5b4
Frame 28: 90 bytes on wire (720 bits), 90 bytes captured (720 bits)
Ethernet II, Src: VMware_fa:68:50 (00:0c:29:fa:68:50), Dst: VMware_3e:95:31 (00:0c:29:3e:95:31)
Internet Protocol Version 4, Src: 192.168.7.10, Dst: 192.168.7.12
Transmission Control Protocol, Src Port: 60130, Dst Port: 10050, Seq: 433, Ack: 407, Len: 24
Transport Layer Security
    TLSv1.3 Record Layer: Application Data Protocol: Application Data
        Opaque Type: Application Data (23)
        Version: TLS 1.2 (0x0303)
        Length: 19
        Encrypted Application Data: 6e493a8a471ddd55eb82d095f02d88e037db62
What puzzles me as well is the output of "tshark -G userprefs":
# Pre-Shared-Key as HEX string. Should be 0 to 16 bytes.
# A string
#tls.psk:
Where is that 16-byte limit coming from?
Update: TLS debug file (-o tls.debug_file:debug.txt) says:
dissect_ssl enter frame #4 (first time)
packet_from_server: is from server - FALSE
conversation = 000002F97BB5FA40, ssl_session = 000002F97BB605E0
record: offset = 0, reported_length_remaining = 312
dissect_ssl3_record: content_type 22 Handshake
decrypt_ssl3_record: app_data len 307, ssl state 0x00
packet_from_server: is from server - FALSE
decrypt_ssl3_record: using client decoder
decrypt_ssl3_record: no decoder available
dissect_ssl3_handshake iteration 1 type 1 offset 5 length 303 bytes
Calculating hash with offset 5 307
ssl_dissect_hnd_hello_common found CLIENT RANDOM -> state 0x01
dissect_ssl enter frame #6 (first time)
packet_from_server: is from server - TRUE
conversation = 000002F97BB5FA40, ssl_session = 000002F97BB605E0
record: offset = 0, reported_length_remaining = 258
ssl_try_set_version found version 0x0303 -> state 0x91
dissect_ssl3_record: content_type 22 Handshake
decrypt_ssl3_record: app_data len 161, ssl state 0x91
packet_from_server: is from server - TRUE
decrypt_ssl3_record: using server decoder
decrypt_ssl3_record: no decoder available
dissect_ssl3_handshake iteration 1 type 2 offset 5 length 157 bytes
ssl_try_set_version found version 0x0304 -> state 0x91
ssl_dissect_hnd_hello_common found SERVER RANDOM -> state 0x93
ssl_set_cipher found CIPHER 0x1303 TLS_CHACHA20_POLY1305_SHA256 -> state 0x97
ssl_load_keyfile dtls/tls.keylog_file is not configured!
tls13_load_secret transitioning to new key, old state 0x97
tls13_load_secret Cannot find CLIENT_HANDSHAKE_TRAFFIC_SECRET, decryption impossible
tls13_load_secret transitioning to new key, old state 0x97
tls13_load_secret Cannot find SERVER_HANDSHAKE_TRAFFIC_SECRET, decryption impossible
record: offset = 166, reported_length_remaining = 92
dissect_ssl3_record: content_type 20 Change Cipher Spec
record: offset = 172, reported_length_remaining = 86
dissect_ssl3_record: content_type 23 Application Data
decrypt_ssl3_record: app_data len 23, ssl state 0x97
packet_from_server: is from server - TRUE
decrypt_ssl3_record: using server decoder
decrypt_ssl3_record: no decoder available
record: offset = 200, reported_length_remaining = 58
dissect_ssl3_record: content_type 23 Application ... |
2020-02-22 09:52:55 +0000 | received badge | ● Scholar (source) |
2020-02-22 09:52:45 +0000 | commented answer | How to decrypt TLS 1.3 PSK sent by Zabbix? Well yes, what can I say, thanks a lot to both of you Peter and Chuck for these! I just tried Peter's instructions |
2020-02-22 00:15:32 +0000 | received badge | ● Student (source) |
2020-02-21 15:16:51 +0000 | commented question | How to decrypt TLS 1.3 PSK sent by Zabbix? Thanks Chuck for the information. I hoped that the PSK option in Wireshark/tshark would enable the decrypt. So I take it |
2020-02-20 16:53:33 +0000 | received badge | ● Editor (source) |
2020-02-20 16:53:33 +0000 | edited question | How to decrypt TLS 1.3 PSK sent by Zabbix? Hi, I'm trying to decrypt TLS 1.3 traffic, generated by Zabbix. This is confi |
2020-02-20 16:25:15 +0000 | asked a question | How to decrypt TLS 1.3 PSK sent by Zabbix? Hi, I'm trying to decrypt TLS 1.3 traffic, generated by Zabbix. This is confi |