Wireshark mailing list archives

Re: Keeping decryption state of dissector in sync


From: Max <dmitrmax () gmail com>
Date: Sat, 30 Apr 2011 00:33:24 +0400

Jeff, thank you for your reply.

2011/4/29 Jeff Morriss <jeff.morriss.ws () gmail com>:
> Max wrote:
>>
>> For now I use "global" conversation state for dissection if the packet
>> has no proto data associated with it, otherwise I use state from the
>> associated data, which stores the state before the first dissection of
>> the packet was done. Am I right in doing such things?
>
> Do you mean you try to use data from the stored conversation state (ala
> README.request_response_tracking) and if that does not exist then fall back
> to a global variable?  I think normally the fallback to not having the
> conversation data is to just assume it's the first packet (decode it as such
> and then create a conversation structure).  But maybe I misunderstand your
> question.

I do it in the following way:
1) if no conversation data is associated with my proto, I assume that
it is the first packet.
2) if I have conversation data, but no proto data associated with the
packet, I use the conversation data's phase to dissect the packet. If
dissection succeeds, then I save the old phase information into the
packet's proto data and update the conversation's phase.
3) if the packet has proto data, I use its phase to dissect the
packet. Conversation state is not updated in that case.


>> The next problem is decryption and decompression. I've read how this
>> should be done, but I have not found any info regarding the following
>> points:
>>
>> 1) Whether decryption and decompression should be done every time the
>> dissector is called? Or is there a way to figure out that it was already
>> done?
>
> I don't know how it's normally done, but I think the only way you'd know if
> it had already been done is if you stored the result of the decryption in a
> dissector-specific structure in a way that you can easily find it again.  I
> suspect, though, that normally the decryption is redone each time it is
> needed.

I looked through the SSL dissector. It decrypts the packet only during the
first dissection and keeps the allocated buffer in the packet's proto data.
But the child tvbuff is created on every dissection for this buffer.


>> 2) How to run a dissector on the decrypted tvbuff? Should it be done
>> manually or does Wireshark do this itself?
>
> You need to do that manually: once you have the decrypted data in a (new)
> TVB you need to call a (sub)dissector on it.

Yep!

>> 3) If it is supposed that decryption is done every time the dissector
>> is called, how then should I keep the decryption cipher context?
>> Cloning and storing a cipher context for every packet may cost a lot
>> of memory, and AFAIK libgcrypt doesn't provide any means to clone the
>> context (cipher handle).
>
> I can't even hazard a guess on this one...
Since the decryption is done only once, the problem is absent.

--
  Max
___________________________________________________________________________
Sent via:    Wireshark-dev mailing list <wireshark-dev () wireshark org>
Archives:    http://www.wireshark.org/lists/wireshark-dev
Unsubscribe: https://wireshark.org/mailman/options/wireshark-dev
             mailto:wireshark-dev-request () wireshark org?subject=unsubscribe
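The following is an added illustration, not part of Max's or Jeff's messages and not Wireshark source: a stand-alone C model of the three rules Max lists and of the decrypt-once behaviour he found in the SSL dissector. The names conv_state, pkt_proto_data and dissect_packet() are stand-ins for Wireshark's conversation_t, p_add_proto_data()/p_get_proto_data() and a dissector's dissect function; the capture bytes and the toy keystream cipher are constructed for the example. The cipher context only moves forward, standing for a libgcrypt handle that cannot be cloned, which is exactly what makes caching the plaintext in per-packet data necessary once the user re-dissects packets out of capture order.

```c
/* Added example: stand-alone model of per-conversation vs per-packet
 * state and decrypt-once caching.  Not Wireshark code; conv_state,
 * pkt_proto_data and dissect_packet() stand in for conversation_t,
 * p_add_proto_data()/p_get_proto_data() and a dissect function. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define NPKTS 4
#define PLEN  4

enum phase { PH_HANDSHAKE = 0, PH_ENCRYPTED = 1 };

struct conv_state {            /* per conversation, advanced on the first pass only */
    enum phase phase;
    uint8_t    ks_pos;         /* toy stream-cipher context: keystream position */
};

struct pkt_proto_data {        /* per packet: phase BEFORE this packet, plus plaintext */
    int        present;
    enum phase phase;
    uint8_t    plain[PLEN];
};

struct packet { uint8_t data[PLEN]; };

static struct conv_state     conv;
static struct pkt_proto_data pdata[NPKTS];

/* Constructed capture: two handshake messages (the second, starting with
 * 0xFF, switches the conversation to the encrypted phase), then two
 * records carrying "DATA" and "MORE" under the toy cipher below. */
static const struct packet caps[NPKTS] = {
    {{0x01, 0x02, 0x03, 0x04}},
    {{0xFF, 0x00, 0x00, 0x00}},
    {{0x47, 0x4B, 0x45, 0x59}},
    {{0x52, 0x69, 0x7F, 0x71}},
};

/* Toy keystream; the context (ks_pos) cannot be rewound or cloned. */
static uint8_t keystream(uint8_t pos) { return (uint8_t)(pos * 7 + 3); }

static void decrypt_advancing(const uint8_t *in, uint8_t *out) {
    for (int i = 0; i < PLEN; i++)
        out[i] = in[i] ^ keystream(conv.ks_pos++);   /* context moves forward */
}

static void reset_state(void) {
    memset(&conv, 0, sizeof conv);
    memset(pdata, 0, sizeof pdata);
}

/* Dissect packet `num`; `out` receives the bytes a subdissector would get
 * (what a child tvb built over the cached buffer would carry). */
enum phase dissect_packet(int num, uint8_t *out) {
    struct pkt_proto_data *pd = &pdata[num];

    if (pd->present) {                  /* rule 3: re-dissection */
        memcpy(out, pd->plain, PLEN);   /* cached plaintext, conversation untouched */
        return pd->phase;
    }
    enum phase ph = conv.phase;         /* rules 1-2: first dissection of this packet */
    if (ph == PH_HANDSHAKE) {
        memcpy(out, caps[num].data, PLEN);
        if (caps[num].data[0] == 0xFF)
            conv.phase = PH_ENCRYPTED;
    } else {
        decrypt_advancing(caps[num].data, out);   /* decrypted exactly once */
    }
    pd->present = 1;                    /* save pre-dissection phase and plaintext */
    pd->phase   = ph;
    memcpy(pd->plain, out, PLEN);
    return ph;
}

static void first_pass(uint8_t plain[][PLEN], enum phase ph[]) {
    reset_state();
    for (int i = 0; i < NPKTS; i++)
        ph[i] = dissect_packet(i, plain[i]);
}

/* Sequential first pass, then random-access re-dissection (packet 3 before
 * packet 2, as when a user clicks around in the GUI).  Returns 1 if the
 * re-dissection reproduces the first-pass phase and plaintext for both
 * packets without advancing the cipher context. */
int cached_redissection_matches(void) {
    static const int order[2] = {3, 2};
    uint8_t first[NPKTS][PLEN], again[PLEN];
    enum phase ph[NPKTS];
    first_pass(first, ph);
    if (memcmp(first[2], "DATA", PLEN) || memcmp(first[3], "MORE", PLEN))
        return 0;
    int ok = 1;
    for (int k = 0; k < 2; k++) {
        int i = order[k];
        ok &= dissect_packet(i, again) == ph[i] && memcmp(again, first[i], PLEN) == 0;
    }
    return ok && conv.ks_pos == 2 * PLEN;
}

/* The alternative from question (3): re-decrypting with the live context on
 * every dissection.  Returns 1 if that yields something OTHER than the
 * first-pass plaintext of packet 2, i.e. shows why the cache is needed. */
int naive_redecryption_breaks(void) {
    uint8_t first[NPKTS][PLEN], again[PLEN];
    enum phase ph[NPKTS];
    first_pass(first, ph);
    decrypt_advancing(caps[2].data, again);   /* context is already past this record */
    return memcmp(again, first[2], PLEN) != 0;
}

int main(void) {
    printf("cached re-dissection consistent: %d\n", cached_redissection_matches());
    printf("naive re-decryption breaks:      %d\n", naive_redecryption_breaks());
    return 0;
}
```

The model keeps two kinds of state deliberately separate: the conversation record moves forward only while packets are first seen in capture order, and each packet stores the phase it was decoded with together with its plaintext, so later dissections in any order are pure lookups and never touch the cipher context.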
