You should not try to access the decrypted data via a field, but ensure that dissectors call each other.

Register your protocol with the tls.port dissector table. This ensures that the TLS dissector is called when that TCP port is encountered, and ensures that your protocol is called for the decrypted payload.

Alternatively, register a heuristics dissector for the tls heuristics dissector table. From there, you could try to detect whether the data matches your protocol. I would suggest the former approach if possible.

Finally, if your protocol has an ALPN registration, register your protocol with the tls.alpn dissector table.
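The three registration options described in this answer, sketched as a Wireshark Lua dissector. This is an added example, not part of the original answer. The protocol name `myproto`, its 5-byte header layout, port 8443 and the ALPN string `myproto/1` are all hypothetical.

```lua
-- Hypothetical protocol carried inside TLS:
-- 2-byte magic 0x4D50, 1-byte type, 2-byte payload length, then payload.
local myproto = Proto("myproto", "My Protocol (example)")
local f_magic = ProtoField.uint16("myproto.magic", "Magic", base.HEX)
local f_type  = ProtoField.uint8("myproto.type", "Type", base.DEC)
local f_len   = ProtoField.uint16("myproto.length", "Length", base.DEC)
local f_data  = ProtoField.bytes("myproto.payload", "Payload")
myproto.fields = { f_magic, f_type, f_len, f_data }

local HDR_LEN, MAGIC = 5, 0x4D50

-- tvb here is the decrypted application data handed over by the TLS
-- dissector; no tls.* field is read to get at it.
function myproto.dissector(tvb, pinfo, tree)
    if tvb:len() < HDR_LEN then return 0 end
    local body_len = tvb(3, 2):uint()
    -- Never index past the captured bytes, even if the length field claims more.
    local avail = math.min(body_len, tvb:len() - HDR_LEN)
    pinfo.cols.protocol = "MYPROTO"
    local sub = tree:add(myproto, tvb(0, HDR_LEN + avail))
    sub:add(f_magic, tvb(0, 2))
    sub:add(f_type,  tvb(2, 1))
    sub:add(f_len,   tvb(3, 2))
    if avail > 0 then sub:add(f_data, tvb(HDR_LEN, avail)) end
    return HDR_LEN + avail
end

-- Option 1 (the one the answer prefers): register in the tls.port table.
DissectorTable.get("tls.port"):add(8443, myproto)

-- Option 2: heuristic dissector on the "tls" heuristic list. Return false
-- when the payload does not look like myproto so other dissectors get a turn.
local function myproto_heur(tvb, pinfo, tree)
    if tvb:len() < HDR_LEN or tvb(0, 2):uint() ~= MAGIC then return false end
    myproto.dissector(tvb, pinfo, tree)
    return true
end
myproto:register_heuristic("tls", myproto_heur)

-- Option 3: if the protocol has an ALPN identifier, register it by name.
DissectorTable.get("tls.alpn"):add("myproto/1", myproto)
```

All three registrations appear together only for illustration; a real plugin would normally pick the one that fits the protocol.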