Ask Your Question
0

Accessing decrypted TLS data in Lua dissector

asked 2020-02-22 11:23:44 +0000

Markku gravatar image

As I hinted in my TLS 1.3 decrypt question in https://ask.wireshark.org/question/14..., I've now attempted to decrypt Zabbix TLS traffic in Lua dissector.

In my dissector function (which is registered for 10050/tcp packets in this case), when I know I expect TLS-encrypted data, I can basically call

Dissector.get("tls"):call(tvb, pktinfo, tree)

right away and the decrypted Zabbix data is successfully shown in the "Decrypted TLS" tab (as I have captured and added the relevant session keys in Wireshark), but I don't know how to access that decrypted data in my dissector after that call.

Any hints?

I already searched for a "tls.something" field that would contain the decrypted data, but didn't find one.

Markku

edit retag flag offensive close merge delete

1 Answer

Sort by ยป oldest newest most voted
1

answered 2020-02-22 17:29:00 +0000

Lekensteyn gravatar image

You should not try to access the decrypted data via a field, but ensure that dissectors call each other.

Register your protocol with the tls.port dissector table. This ensures that the TLS dissector is called when that TCP port is encountered, and ensures that your protocol is called for the decrypted payload.

Alternatively, register a heuristics dissector for the tls heuristics dissector table. From there, you could try to detect whether the data matches your protocol. I would suggest the former approach if possible.

Finally, if your protocol has an ALPN registration, register your protocol with the tls.alpn dissector table.

edit flag offensive delete link more

Comments

Thanks Peter! In this case there is a small twist: The port 10050/tcp can be either TLS or unencrypted. So, I did this:

  • In the dissector function I tried to make sure to return 0 if the packet could not be recognized (this needs more work still as not all versions of Zabbix protocol contain directly identifying header in the packet, but anyway)
  • I then registered the same dissector for both tcp.port and tls.port

With quick testing this seems to work, I guess this is the way to implement it. Thanks again!

Markku gravatar imageMarkku ( 2020-02-22 18:49:51 +0000 )edit

In case someone is interested in a working example based on this discussion, here are the dissectors: https://github.com/markkuleinio/wires...

Markku gravatar imageMarkku ( 2020-02-23 14:54:51 +0000 )edit

Your Answer

Please start posting anonymously - your entry will be published after you log in or create a new account.

Add Answer

Question Tools

1 follower

Stats

Asked: 2020-02-22 11:23:44 +0000

Seen: 184 times

Last updated: Feb 22