Dissector for custom TLS extension
Hi everyone,
I have a question regarding packet dissection via a wireshark plugin.
My goal is to dissect a custom TLS extension for proof of concept purposes.
I already have a plugin working in Lua, but I don't think the way I did it can be the correct way, but I found no better solutions online.
I have two problems with my current solution:
The first thing is that I am currently using a post-dissector. From everything I read I thought that a chained dissector would be a better solution, as I would like to run my dissector directly after the TLS dissector and only for packages that contain TLS obviously.
My problem is that I didn't find a way to make a chained dissector not port specific. As the custom TLS extension is supposed to work for every TLS package, I need to have the dissector work for every port though.
From the example on wireshark.org, you have to set a specific port for the chained dissector and I found no way to make it work for every port, like it does for post-dissectors.
local tcp_dissector_table = DissectorTable.get("tcp.port")
original_http_dissector = tcp_dissector_table:get_dissector(80) -- save the original dissector so we can still get to it
tcp_dissector_table:add(80, http_wrapper_proto) -- and take its place in the dissector table
Is there a way to make chained dissectors not port specific?
The second problem is that I currently use
local fields = { all_field_infos() }
and then use
for ix, finfo in ipairs(fields) do
    if finfo.name == "tls.handshake.extension.type" then
        ...
to get the fields for all TLS extensions, which is very performance intensive I imagine.
I tried to do it with
tls_extension_type_f = Field.new("tls.handshake.extension.type")
tls_fido_extension_len_f = Field.new("tls.handshake.extension.len")
tls_fido_extension_data_f = Field.new("tls.handshake.extension.data")
and
local tls_extension_type = tls_extension_type_f()
local tls_fido_extension_data = tls_fido_extension_data_f()
local tls_fido_extension_len = tls_fido_extension_len_f()
first, to get the data of the extension, but I found that I would only get the data of a single TLS extension, probably the last one that filled the fields or something. I tried to find a way to get the data of all fields, if multiple of the same field exist in the same package, but I didn't find anything.
So I resorted to the first solution I showed, by getting the data of every single field in every package, which can't be the best and correct solution I imagine.
Is there an efficient way to get all fields of the same type if it exists multiple times in a single package? For example tls_extension_type_f()?
Thanks in advance. If the solution only works in C, I have no problem changing from Lua to C.
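The following is an added example, not code from the question above, showing the second point in working Lua: a Wireshark Field extractor (Field.new) returns every matching FieldInfo in the packet as multiple return values, so wrapping the call in a table constructor collects all TLS extensions at once instead of scanning all_field_infos(). It keeps the post-dissector registration the question already uses, so it is not bound to a port, and simply returns early on packets where the TLS field is absent. It walks the extension wire layout (type, length, data) from the type field's own byte range rather than pairing the type/len/data fields by index, because many extensions are dissected into specific fields and have no generic "data" field. The protocol name myext, its field names, and the extension code point 0xFE00 are placeholders of this example, not values from the page.

```lua
-- Added example (not from the question): post-dissector that collects every
-- TLS extension of one custom type in a packet via a Field extractor.
local CUSTOM_EXT_TYPE = 0xFE00   -- placeholder code point; replace with the real extension type

local myext   = Proto("myext", "Custom TLS extension (example)")
local pf_type = ProtoField.uint16("myext.type", "Extension type",   base.HEX)
local pf_len  = ProtoField.uint16("myext.len",  "Extension length", base.DEC)
local pf_data = ProtoField.bytes ("myext.data", "Extension data")
myext.fields = { pf_type, pf_len, pf_data }

-- Field extractors must be created at load time and may only be called
-- from inside a dissector or tap.
local ext_type_f = Field.new("tls.handshake.extension.type")

-- Returns one entry per matching extension, each holding the TvbRanges of
-- its type, length and data bytes.
local function find_custom_extensions()
  local found = {}
  -- ext_type_f() returns ALL FieldInfo values for the field in this packet
  -- as multiple return values; { } gathers them into a table.
  for _, finfo in ipairs({ ext_type_f() }) do
    if finfo.value == CUSTOM_EXT_TYPE then
      local r   = finfo.range          -- the 2 type bytes
      local tvb = r:tvb()              -- the (possibly reassembled) buffer they live in
      local off = r:offset()
      -- Wire layout: type(2) len(2) data(len). Guard against truncation so a
      -- malformed length cannot raise an out-of-bounds error here.
      if off + 4 <= tvb:len() then
        local len = tvb:range(off + 2, 2):uint()
        if off + 4 + len <= tvb:len() then
          found[#found + 1] = {
            type_range = r,
            len_range  = tvb:range(off + 2, 2),
            data_range = tvb:range(off + 4, len),
          }
        end
      end
    end
  end
  return found
end

function myext.dissector(tvb, pinfo, tree)
  local exts = find_custom_extensions()
  if #exts == 0 then return end   -- not TLS, or no custom extension in this packet
  local subtree = tree:add(myext, tvb(), "Custom TLS extension(s): " .. #exts)
  for _, e in ipairs(exts) do
    local item = subtree:add(pf_type, e.type_range)
    item:add(pf_len,  e.len_range)
    item:add(pf_data, e.data_range)
  end
end

-- Runs after all other dissectors on every packet, hence not port specific.
register_postdissector(myext)
```

Load it with the other Lua plugins (for example from the personal plugins directory shown under Help > About Wireshark > Folders) and filter on myext.type to see one subtree entry per matching extension, including packets whose ClientHello carries several extensions of interest.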