Ask Your Question
0

IS SSTP-dissector broken or can I simply not select it?

asked 2020-08-12 09:51:19 +0000

Zerqent gravatar image

updated 2020-08-12 10:02:11 +0000

Hello.

Trying both my own capture and the example-files provided in the Wiki ( https://gitlab.com/wireshark/wireshar... ). I cannot seem to get wireshark to display SSTP properly. In the example I am able to decrypt the TLS-stream, but now it only shows "HTTP continuation"-packets.

Trying to use "Decode As" will not allow me to select SSTP.

If I understand this correct SSTP is basically Data-in-PPP-in-HTTP-in-TLS.

edit retag flag offensive close merge delete

Comments

Not entirely sure what's going on, but the sample file has an unbelievable HTTP content-length of 18446744073709551615 in frame 125 which causes the HTTP dissector to look for the rest of the data which will never arrive.

grahamb gravatar imagegrahamb ( 2020-08-12 11:07:08 +0000 )edit

Content length seems to be a according to spec: https://docs.microsoft.com/en-us/open...

Anyway, I am trying older portable releases. Seems to work on 3.0.12 but doesn't work anymore on 3.1.0.. So perhaps there was an update to the http dissector on that point?

For my own trace it stops working after EAP takes over, might have to correct ciphers on my RADIUS-server.

Zerqent gravatar imageZerqent ( 2020-08-12 11:47:09 +0000 )edit

Hmm Content-Length: 18446744073709551615 (ULONGLONG_MAX) should we set a limit for reassembly?

Anders gravatar imageAnders ( 2020-08-12 13:04:52 +0000 )edit

As noted by @Zerqent, it's a bogus specified value in the SSTP docs which actually causes the HTTP\SSTP client to hang around for some time. As dissection works correctly by disabling reassembly as noted in my answer I don't think we need to do anything as the value is actually correct (for the protocol) in this case.

Even adding an Expert Info would cause an incorrect warning in this case.

grahamb gravatar imagegrahamb ( 2020-08-12 13:48:28 +0000 )edit

I was more thinking that we could skip reassembly if the content is bigger than some reasonable/configurable value

Anders gravatar imageAnders ( 2020-08-12 14:42:13 +0000 )edit

1 Answer

Sort by ยป oldest newest most voted
0

answered 2020-08-12 12:16:16 +0000

grahamb gravatar image

updated 2020-08-12 12:16:43 +0000

For the sample capture at least, you need to disable the HTTP preference "Reassemble HTTP bodies spanning multiple TCP segments" so that the "bogus" content-length header is ignored.

edit flag offensive delete link more

Comments

Cheers! that was the answer I needed. For newest version this also seems to work past the inner EAP-authentication.

Zerqent gravatar imageZerqent ( 2020-08-12 12:57:34 +0000 )edit

@Zerqent, if an answer has solved your issue please accept it for the benefit of others with the same question by clicking the checkmark icon to the left of the answer.

grahamb gravatar imagegrahamb ( 2020-08-12 13:49:23 +0000 )edit

Done - I was to blind to see how I did it :)

Zerqent gravatar imageZerqent ( 2020-08-12 13:53:23 +0000 )edit

Seems to be a perennial issue, no worries.

grahamb gravatar imagegrahamb ( 2020-08-12 13:56:15 +0000 )edit

Your Answer

Please start posting anonymously - your entry will be published after you log in or create a new account.

Add Answer

Question Tools

Stats

Asked: 2020-08-12 09:51:19 +0000

Seen: 691 times

Last updated: Aug 12 '20