Follow TLS stream

asked 2019-11-15 08:24:38 +0000

grobelny gravatar image

I have a protocol over USB that I try to analyze. Key characteristics are that is is reliable (bulk transfer) and packet based (there is clear packet boundary). The first packets contain Client Hello, Server Hello, etc. and they are correctly shown as such in Wireshark capture list. Next packets contain encrypted Application Data. I also have private keys of both sides of the conversation (there is mutual certificate auth) and Wireshark does not complain about their format.

Now I would like to decrypt this TLS traffic so I tried to click on one of the messages and select "Follow -> TLS Stream" option. I got the message saying "A transport or network layer header is needed."

Now I understand that Wireshark needs some way to find out which packets belong to the same stream, but how do I indicate that to Wireshark in my dissector? How do I say that given packet belongs to stream 1 for example?

edit retag flag offensive close merge delete


Hello, this could sound to me you may have a resumption of a previous hand-shake done from a previous connection which is not in the current trace captured...?. I am using the version 3.0.4 of Wireshark and you ? Are you able to share the trace in any public site.

xinxolHH gravatar imagexinxolHH ( 2019-11-15 09:34:55 +0000 )edit

All traffic, including handshake, is in the currently analyzed .pcapng file. Also, there is only one stream from the perspective of my protocol. What I could share is the .pcapng file and my lua dissector, but not the private keys. Would that be of any help?

grobelny gravatar imagegrobelny ( 2019-11-15 14:57:52 +0000 )edit