Ask Your Question
0

Accessing decrypted TLS data in Lua dissector

asked 2020-02-22 11:23:44 +0000

Markku gravatar image

As I hinted in my TLS 1.3 decrypt question in https://ask.wireshark.org/question/14..., I've now attempted to decrypt Zabbix TLS traffic in Lua dissector.

In my dissector function (which is registered for 10050/tcp packets in this case), when I know I expect TLS-encrypted data, I can basically call

Dissector.get("tls"):call(tvb, pktinfo, tree)

right away and the decrypted Zabbix data is successfully shown in the "Decrypted TLS" tab (as I have captured and added the relevant session keys in Wireshark), but I don't know how to access that decrypted data in my dissector after that call.

Any hints?

I already searched for a "tls.something" field that would contain the decrypted data, but didn't find one.

Markku

edit retag flag offensive close merge delete
add a comment

1 Answer

Sort by ยป oldest newest most voted
1

answered 2020-02-22 17:29:00 +0000

Lekensteyn gravatar image

You should not try to access the decrypted data via a field, but ensure that dissectors call each other.

Register your protocol with the tls.port dissector table. This ensures that the TLS dissector is called when that TCP port is encountered, and ensures that your protocol is called for the decrypted payload.

Alternatively, register a heuristics dissector for the tls heuristics dissector table. From there, you could try to detect whether the data matches your protocol. I would suggest the former approach if possible.

Finally, if your protocol has an ALPN registration, register your protocol with the tls.alpn dissector table.

edit flag offensive delete link more

Comments

Thanks Peter! In this case there is a small twist: The port 10050/tcp can be either TLS or unencrypted. So, I did this:

  • In the dissector function I tried to make sure to return 0 if the packet could not be recognized (this needs more work still as not all versions of Zabbix protocol contain directly identifying header in the packet, but anyway)
  • I then registered the same dissector for both tcp.port and tls.port

With quick testing this seems to work, I guess this is the way to implement it. Thanks again!

Markku gravatar imageMarkku ( 2020-02-22 18:49:51 +0000 )edit

In case someone is interested in a working example based on this discussion, here are the dissectors: https://github.com/markkuleinio/wires...

Markku gravatar imageMarkku ( 2020-02-23 14:54:51 +0000 )edit
1

Thanks for sharing your code. Has been immensely helpful for me trying to do something very similar.

joshenders gravatar imagejoshenders ( 2020-11-17 11:42:04 +0000 )edit
add a comment

Your Answer

Please start posting anonymously - your entry will be published after you log in or create a new account.

Add Answer

Question Tools

2 followers

subscribe to rss feed

Stats

Asked: 2020-02-22 11:23:44 +0000

Seen: 1,254 times

Last updated: Feb 22 '20

Related questions

how to invert two bytes in lua script dissector ?

Adjusting Bit order and Endianess in LUA between Dissectors

Error while creating a Lua listener in 2.4.2 with filter

Lua Dumper to variable

http2 decrypted data in tshark lua script

Decode as LUA - how do I do that?

LUA: dissector wide global table

How to get TLSv1.2 to decode

How to verify what protocol was used in an encrypted file transfer?

Reuse (part of) a Wireshark Dissector

Copyright Wireshark Foundation, 2017-2023 Content on this site is licensed under a Creative Commons Attribution Share Alike 3.0 license.
about | faq | help | privacy policy | terms of service
Powered by Askbot version 0.10.2