Ask Your Question

Markku's profile - activity

2021-06-27 00:55:46 +0000 received badge  Famous Question (source)
2021-06-20 09:33:22 +0000 received badge  Notable Question (source)
2020-10-28 06:37:30 +0000 received badge  Popular Question (source)
2020-06-17 07:50:56 +0000 received badge  Notable Question (source)
2020-06-17 07:50:56 +0000 received badge  Popular Question (source)
2020-03-13 11:09:27 +0000 commented answer How to press Meta+1 etc. on Windows?

Thanks for the information. Opened https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=16437

2020-03-12 18:54:33 +0000 edited question How to press Meta+1 etc. on Windows?

How to press Meta+1 etc. on Windows In Wireshark, in File - Open Recent menu, there are the shortcut keys shown: Meta+0

2020-03-12 18:19:35 +0000 asked a question How to press Meta+1 etc. on Windows?

How to press Meta+1 etc. on Windows In Wireshark, in File - Open Recent menu, there are the shortcut keys shown: Meta+0

2020-03-01 10:18:13 +0000 commented question Slow download

My comments (helpful or not): client IP address 250.x.x.x is unusual max TCP length is 1238, so MSS is apparently quit

2020-02-23 14:54:51 +0000 commented answer Accessing decrypted TLS data in Lua dissector

In case someone is interested in a working example based on this discussion, here are the dissectors: https://github.com

2020-02-22 19:46:43 +0000 received badge  Supporter (source)
2020-02-22 18:50:08 +0000 marked best answer Accessing decrypted TLS data in Lua dissector

As I hinted in my TLS 1.3 decrypt question in https://ask.wireshark.org/question/14..., I've now attempted to decrypt Zabbix TLS traffic in Lua dissector.

In my dissector function (which is registered for 10050/tcp packets in this case), when I know I expect TLS-encrypted data, I can basically call

Dissector.get("tls"):call(tvb, pktinfo, tree)

right away and the decrypted Zabbix data is successfully shown in the "Decrypted TLS" tab (as I have captured and added the relevant session keys in Wireshark), but I don't know how to access that decrypted data in my dissector after that call.

Any hints?

I already searched for a "tls.something" field that would contain the decrypted data, but didn't find one.

Markku

2020-02-22 18:49:51 +0000 commented answer Accessing decrypted TLS data in Lua dissector

Thanks Peter! In this case there is a small twist: The port 10050/tcp can be either TLS or unencrypted. So, I did this:

2020-02-22 11:23:44 +0000 asked a question Accessing decrypted TLS data in Lua dissector

Accessing decrypted TLS data in Lua dissector As I hinted in my TLS 1.3 decrypt question in https://ask.wireshark.org/qu

2020-02-22 09:52:55 +0000 marked best answer How to decrypt TLS 1.3 PSK sent by Zabbix?

Hi, I'm trying to decrypt TLS 1.3 traffic, generated by Zabbix. This is configured with pre-shared key as described in the documentation in https://www.zabbix.com/documentation/... .

I have configured Wireshark 3.2.1 (or tshark 3.2.1) to use the configured TLS PSK. I'm not able to see the traffic unencrypted however. What am I missing here?

The example capture file is in https://my.syncplicity.com/share/daz6.... The PSK is "dac86d7afb589557e876f16b59b8b5b4". PSK Identity is "psk" in Zabbix but I don't think that's relevant for TLS decryption in Wireshark. (It is shown plaintext in frame 4 in tls.handshake.extensions.psk.identity.identity anyway)

For example:

tshark -r zabbix-tls-agent.pcap -Y "frame.number==28" -V -O tls -o tls.psk:dac86d7afb589557e876f16b59b8b5b4

Frame 28: 90 bytes on wire (720 bits), 90 bytes captured (720 bits)
Ethernet II, Src: VMware_fa:68:50 (00:0c:29:fa:68:50), Dst: VMware_3e:95:31 (00:0c:29:3e:95:31)
Internet Protocol Version 4, Src: 192.168.7.10, Dst: 192.168.7.12
Transmission Control Protocol, Src Port: 60130, Dst Port: 10050, Seq: 433, Ack: 407, Len: 24
Transport Layer Security
    TLSv1.3 Record Layer: Application Data Protocol: Application Data
        Opaque Type: Application Data (23)
        Version: TLS 1.2 (0x0303)
        Length: 19
        Encrypted Application Data: 6e493a8a471ddd55eb82d095f02d88e037db62

What puzzles me as well is the output of "tshark -G userprefs":

# Pre-Shared-Key as HEX string. Should be 0 to 16 bytes.
# A string
#tls.psk:

Where is that 16-byte limit coming from?

Update: TLS debug file (-o tls.debug_file:debug.txt) says:

dissect_ssl enter frame #4 (first time)
packet_from_server: is from server - FALSE
  conversation = 000002F97BB5FA40, ssl_session = 000002F97BB605E0
  record: offset = 0, reported_length_remaining = 312
dissect_ssl3_record: content_type 22 Handshake
decrypt_ssl3_record: app_data len 307, ssl state 0x00
packet_from_server: is from server - FALSE
decrypt_ssl3_record: using client decoder
decrypt_ssl3_record: no decoder available
dissect_ssl3_handshake iteration 1 type 1 offset 5 length 303 bytes
Calculating hash with offset 5 307
ssl_dissect_hnd_hello_common found CLIENT RANDOM -> state 0x01

dissect_ssl enter frame #6 (first time)
packet_from_server: is from server - TRUE
  conversation = 000002F97BB5FA40, ssl_session = 000002F97BB605E0
  record: offset = 0, reported_length_remaining = 258
ssl_try_set_version found version 0x0303 -> state 0x91
dissect_ssl3_record: content_type 22 Handshake
decrypt_ssl3_record: app_data len 161, ssl state 0x91
packet_from_server: is from server - TRUE
decrypt_ssl3_record: using server decoder
decrypt_ssl3_record: no decoder available
dissect_ssl3_handshake iteration 1 type 2 offset 5 length 157 bytes
ssl_try_set_version found version 0x0304 -> state 0x91
ssl_dissect_hnd_hello_common found SERVER RANDOM -> state 0x93
ssl_set_cipher found CIPHER 0x1303 TLS_CHACHA20_POLY1305_SHA256 -> state 0x97
ssl_load_keyfile dtls/tls.keylog_file is not configured!
tls13_load_secret transitioning to new key, old state 0x97
tls13_load_secret Cannot find CLIENT_HANDSHAKE_TRAFFIC_SECRET, decryption impossible
tls13_load_secret transitioning to new key, old state 0x97
tls13_load_secret Cannot find SERVER_HANDSHAKE_TRAFFIC_SECRET, decryption impossible
  record: offset = 166, reported_length_remaining = 92
dissect_ssl3_record: content_type 20 Change Cipher Spec
  record: offset = 172, reported_length_remaining = 86
dissect_ssl3_record: content_type 23 Application Data
decrypt_ssl3_record: app_data len 23, ssl state 0x97
packet_from_server: is from server - TRUE
decrypt_ssl3_record: using server decoder
decrypt_ssl3_record: no decoder available
  record: offset = 200, reported_length_remaining = 58
dissect_ssl3_record: content_type 23 Application ...
(more)
2020-02-22 09:52:55 +0000 received badge  Scholar (source)
2020-02-22 09:52:45 +0000 commented answer How to decrypt TLS 1.3 PSK sent by Zabbix?

Well yes, what can I say, thanks a lot to both of you Peter and Chuck for these! I just tried the Peter's instructions

2020-02-22 00:15:32 +0000 received badge  Student (source)
2020-02-21 15:16:51 +0000 commented question How to decrypt TLS 1.3 PSK sent by Zabbix?

Thanks Chuck for the information. I hoped that the PSK option in Wireshark/tshark would enable the decrypt. So I take it

2020-02-20 16:53:33 +0000 received badge  Editor (source)
2020-02-20 16:53:33 +0000 edited question How to decrypt TLS 1.3 PSK sent by Zabbix?

How to decrypt TLS 1.3 PSK sent by Zabbix? Hi, I'm trying to decrypt TLS 1.3 traffic, generated by Zabbix. This is confi

2020-02-20 16:25:15 +0000 asked a question How to decrypt TLS 1.3 PSK sent by Zabbix?

How to decrypt TLS 1.3 PSK sent by Zabbix? Hi, I'm trying to decrypt TLS 1.3 traffic, generated by Zabbix. This is confi