
How to write a status prompter in the tls protocol for status prompting?

asked 2022-11-02 10:35:42 +0000 by Desec

I want to compare the length of certain data in the request and the response, and then have a status prompt displayed in the response packet, for example:

if len1 == len2
     show true
else
     show false

The result will be displayed in the response. How do I write this type of plugin or dissector, and how do I find a learning path? (The question above may need Google Translate; I'm not good at English.)


2 Answers


answered 2022-11-02 13:08:45 +0000 by Chuckc, updated 2022-11-02 14:04:12 +0000 by cmaynard

It's a bit of a time investment on the front end; the Lua support in Wireshark is very flexible and quick to code in.

The Wireshark Wiki Lua page has examples with the EASYPOST.lua script showing basic steps to add a post-dissector.

The Contrib section includes two Lua scripts related to TLS - TLS extend and tls_conversations.lua.


Comments

(apologies for the updates on this answer)

Chuckc (2022-11-02 13:57:55 +0000)

Thanks, I will try this suggestion. I might need to learn some Lua first.

Desec (2022-11-03 03:07:52 +0000)

answered 2022-11-02 12:29:00 +0000 by Jaap

Let's see, first let's discuss some building blocks. You will need to keep track of state (i.e. the length) between related packets. The packet relation can be defined by a so-called conversation. With that conversation, data can be stored (len1) and later reused (in the expression len1 == len2).

Now comes the tricky part: how to build this into Wireshark? The TLS dissector is an established, built-in dissector, so it cannot be overridden by some plugin. You would either need to build your own Wireshark instance with this addition, or see if there are other means to reach this goal. I would be looking at so-called post-dissectors, dissectors that can retrieve field information from the dissected protocol tree, and MATE, an analysis scripting language. I'm no expert on either of these, but would look at MATE first.


Comments

Thanks, I'll give it a try.

Desec (2022-11-03 03:10:58 +0000)
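The post-dissector approach both answers point to (Lua, per-stream state, field extraction from the dissected tree), as an added example that is not code from this thread or from the Wireshark project. It assumes the TLS server is on port 443, compares the first tls.record.length of a client-to-server frame with the next server-to-client frame on the same tcp.stream, and the lencmp field names are invented for this example.

```lua
-- tls_len_compare.lua: a Wireshark Lua post-dissector that stores the TLS
-- record length of a request (client -> server) per TCP stream and compares
-- it with the next response (server -> client), adding a boolean field.
-- Assumption (not from the thread): the server listens on port 443.
local SERVER_PORT = 443

-- Field extractors must be created at load time, outside the dissector.
local tls_len_f    = Field.new("tls.record.length")  -- existing TLS field
local tcp_stream_f = Field.new("tcp.stream")

local proto = Proto("lencmp", "TLS record length comparison")
local f_req_len  = ProtoField.uint32("lencmp.request_len",  "Request record length",  base.DEC)
local f_resp_len = ProtoField.uint32("lencmp.response_len", "Response record length", base.DEC)
local f_match    = ProtoField.bool("lencmp.match", "Lengths match")
proto.fields = { f_req_len, f_resp_len, f_match }

local last_request_len = {}  -- tcp.stream id -> length of last request record
local results = {}           -- frame number -> {request_len, response_len}

function proto.dissector(tvb, pinfo, tree)
    -- Only the first tls.record.length in the frame is used here.
    local len_fi, stream_fi = tls_len_f(), tcp_stream_f()
    if not len_fi or not stream_fi then return end
    local len, stream = len_fi.value, stream_fi.value

    -- Build state on the first pass only, so re-dissection does not
    -- re-order or overwrite earlier results.
    if not pinfo.visited then
        if pinfo.dst_port == SERVER_PORT then
            last_request_len[stream] = len
        elseif pinfo.src_port == SERVER_PORT and last_request_len[stream] then
            results[pinfo.number] = { last_request_len[stream], len }
        end
    end

    local r = results[pinfo.number]
    if r then
        local sub = tree:add(proto, "TLS record length comparison")
        sub:add(f_req_len, r[1])
        sub:add(f_resp_len, r[2])
        sub:add(f_match, r[1] == r[2])  -- the "show true / show false" status
    end
end

register_postdissector(proto)
```

Load it with `wireshark -X lua_script:tls_len_compare.lua` (or from the plugins directory); the result can then be filtered with `lencmp.match == 0` to show only mismatching responses.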
