Ask Your Question

Revision history [back]

click to hide/show revision 1
initial version

Let's see, first discuss some building blocks. You will need to keep track of state (i.e. the length) between related packets. The packet relation can be defined by a so called conversation. With that conversation, data can be stored (len1) and later reused (in the expression len1 == len2).

Now comes the tricky part, how to build this into Wireshark? The TLS dissector is an established, build in dissector, so cannot be overridden by some plugin. You would either need to build your own Wireshark instance, with this addition, or see if there are other means to reach this goal. I would be looking at so called post dissectors, dissectors that can retrieve field information from the dissected protocol tree and MATE, an analysis scripting language. I'm no expert on either of these, but would look at MATE first.