Lua dissector for protocol with optional TLS established not from the very beginning

asked 2022-10-18 10:51:31 +0000

Alex Che gravatar image

updated 2022-10-18 10:54:48 +0000

I have a custom protocol, consisting of messages. In the beginning of connection there is a security negotiation process, when the peers send each other a message with security options. After that, the peers either continue to communicate unsecured, sending messages over TCP, or perform TLS handshake and then continue sending messages over the established SSL channel. The communication stays on the same connection, i.e. does not switch to another port for secured part.

I have written a Lua dissector for the protocol with my_proto.dissector(tvbuf, pktinfo, root) which assumes unencrypted data. The only mention of TLS/SSL in the dissector code is registering the dissector in DissectorTable.get("ssl.port") in addition to DissectorTable.get("tcp.port").

Now the problem is when I try to dissect communication, which negotiates to TLS at the beginning. For the secured part of communication the dissector works fine, but the first unsecured messages are shown as protocol TLSv1.2 with Ignored Unknown Record instead of my protocol, and I cannot get it to be decoded by my dissector, Decode As... does not help. The only way to see those first unsecured messages dissected by my dissector is to completely turn off TLS protocol in Analyse -> Enabled Protocols... menu. But then I obviously won't see the secured part of communication.

Is there a way to see both secured and unsecured communication dissected at the same time?

To descrypt TLS part I use SSLKEYLOGFILE file, if that matters.

edit retag flag offensive close merge delete

Comments

TCP Preferences

You could try registering your dissector as a heuristic (11.6.5.3. proto:register_heuristic(listname, func)) then setting the TCP Preference to Try heuristic sub-dissectors first.
With View -> Internals -> Dissector Tables (Internals menu items) you can see that there is a Heuristic Table for tcp.

Chuckc gravatar imageChuckc ( 2022-10-19 00:41:26 +0000 )edit