Ask Your Question

Forcing wireshark to dissect null cipher TLS

asked 2021-09-09 14:26:55 +0000

eike gravatar image


we have a dissector for a custom protocol which can be the payload of TLSv1.2 packets with the cipher suite TLS_ECDHE_ECDSA_WITH_NULL_SHA (0xc006). The dissector is registered in lua with:

DissectorTable.get("tls.port"):add(49502, my_protocol)

These packages get dissected properly for connections, where the TLS handshake is part of the capture. When the handshake is missing wireshark does not dissect the application data of the tls packets.

Is it possible to tell wireshark to assume the that all TLS packages on a given port are not encrypted and to dissect them with the given dissector?

Kind regards and thank you. Eike

edit retag flag offensive close merge delete

1 Answer

Sort by » oldest newest most voted

answered 2021-09-09 19:03:23 +0000

André gravatar image

Without the handshake Wireshark does not know the size of the Message Authentication Code (MAC) and possibly padding. That is needed for a correct dissection.

A feature request can be done at

In the past, before complete sessions with NULL ciphers were dissected, I had a similar issue and made a little modification in the upper layer protocol to simply skip the 5-byte Application Data header. That was good enough in my case.

edit flag offensive delete link more


Thank you very much. Registering the dissector to TCP and skipping the first 5 bytes did the trick for me.

eike gravatar imageeike ( 2021-09-10 08:54:42 +0000 )edit

Your Answer

Please start posting anonymously - your entry will be published after you log in or create a new account.

Add Answer

Question Tools


Asked: 2021-09-09 14:26:55 +0000

Seen: 81 times

Last updated: Sep 09