Wireshark mailing list archives
Re: Keeping decryption state of dissector in sync
From: Max <dmitrmax () gmail com>
Date: Sat, 30 Apr 2011 00:33:24 +0400
Jeff, thank you for your reply.

2011/4/29 Jeff Morriss <jeff.morriss.ws () gmail com>:
> Max wrote:
>> For now I use "global" conversation state for dissection if the packet has no proto data associated with it, otherwise I use state from associated data which stores the state before first packet dissection was done. Am I right doing such things?
>
> Do you mean you try to use data from the stored conversation state (ala README.request_response_tracking) and if that does not exist then fall back to a global variable? I think normally the fallback to not having the conversation data is to just assume it's the first packet (decode it as such and then create a conversation structure). But maybe I misunderstand your question.
I do it in the following way:
1) If no conversation data is associated with my proto, I assume that it is the first packet.
2) If I have conversation data, but no proto data associated with the packet, I use the conversation data's phase to dissect the packet. If dissection succeeds, then I save the old phase information into the packet's proto data and update the conversation's phase.
3) If the packet has proto data, I use its phase to dissect the packet. Conversation state is not updated in that case.
>> The next problem is decryption and decompression. I've read how this should be done, but I have not found any info regarding the following moments:
>> 1) Whether decryption and decompression should be done every time the dissector is called? Or is there a way to figure out that it was already done?
>
> I don't know how it's normally done, but I think the only way you'd know if it had already been done is if you stored the result of the decryption in a dissector-specific structure in a way that you can easily find it again. I suspect, though, that normally the decryption is redone each time it is needed.
I looked through the SSL dissector. It decrypts the packet only during the first dissection and keeps the allocated buffer in the packet's proto data. But the child tvbuff is created on every dissection for this buffer.
>> 2) How to run a dissector on the decrypted tvbuff? Should it be done manually or does Wireshark do this itself?
>
> You need to do that manually: once you have the decrypted data in a (new) TVB you need to call a (sub)dissector on it.
Yep!
>> 3) If it is supposed that decryption is done every time the dissector is called, how then should I keep the decryption cipher context? Cloning and storing a cipher context for every packet may cost a lot of memory, and AFAIK libgcrypt doesn't provide any means to clone the context (cipher handle).
>
> I can't even hazard a guess on this one...
Since the decryption is done only once, the problem is absent.

-- 
Max
___________________________________________________________________________
Sent via:    Wireshark-dev mailing list <wireshark-dev () wireshark org>
Archives:    http://www.wireshark.org/lists/wireshark-dev
Unsubscribe: https://wireshark.org/mailman/options/wireshark-dev
             mailto:wireshark-dev-request () wireshark org?subject=unsubscribe
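The three rules Max lists and the decrypt-once caching he describes from the SSL dissector, as an added stand-alone C model (not code from this thread or from Wireshark): plain structs stand in for conversation data and per-packet proto data (what a real dissector would keep via the conversation and p_add_proto_data/p_get_proto_data APIs), the wire format is constructed for the example, and XOR with a fixed byte is a stand-in for the real cipher. The demo dissects four constructed packets in capture order and then again in a different order, which is what happens when Wireshark re-dissects a clicked packet after the first pass, and checks that every packet keeps the phase it was first decoded in and that decryption ran exactly once.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Stand-alone model of the scheme discussed in the thread (no Wireshark headers).
 * conv_data_t stands in for conversation data, pkt_data_t for per-packet proto data. */

#define MAX_PACKETS 16
#define KEY_BYTE    0x5A   /* constructed toy key for the XOR "cipher" */

typedef enum { PHASE_HANDSHAKE = 0, PHASE_KEYEX = 1, PHASE_ENCRYPTED = 2 } phase_t;

typedef struct { phase_t phase; } conv_data_t;      /* conversation state: current phase */

typedef struct {
    int            present;        /* proto data exists for this packet */
    phase_t        phase;          /* phase in force when the packet was first dissected */
    unsigned char *plain;          /* cached plaintext, filled by the one and only decryption */
    size_t         plain_len;
    int            decrypt_runs;   /* how often decryption actually executed */
} pkt_data_t;

typedef struct { const unsigned char *data; size_t len; } packet_t;

static int         conv_exists;
static conv_data_t conv;
static pkt_data_t  pkt_data[MAX_PACKETS];

/* Toy wire format (constructed): byte 0 = phase the packet belongs to,
 * byte 1 = 1 if the packet closes that phase, bytes 2.. = payload
 * (XOR-"encrypted" when the phase is PHASE_ENCRYPTED). */
static void toy_xor(const unsigned char *in, unsigned char *out, size_t len) {
    for (size_t i = 0; i < len; i++) out[i] = in[i] ^ KEY_BYTE;
}

static int payload_fits_phase(const packet_t *p, phase_t ph) {
    return p->len >= 2 && p->data[0] == (unsigned char)ph;
}

/* Dissect packet `num`; returns the phase used, or -1 if the payload does not parse. */
int dissect(int num, const packet_t *p) {
    pkt_data_t *pd;
    phase_t ph;
    if (num < 0 || num >= MAX_PACKETS) return -1;
    pd = &pkt_data[num];

    if (pd->present) {
        ph = pd->phase;                 /* rule 3: re-dissection, conversation untouched */
    } else {
        if (!conv_exists) {             /* rule 1: first packet of the conversation */
            conv_exists = 1;
            conv.phase = PHASE_HANDSHAKE;
        }
        ph = conv.phase;                /* rule 2: first pass over this packet */
        if (!payload_fits_phase(p, ph)) return -1;
        pd->present = 1;
        pd->phase = ph;                 /* save the phase BEFORE advancing the conversation */
        if (p->data[1] == 1 && ph != PHASE_ENCRYPTED) conv.phase = (phase_t)(ph + 1);
    }

    if (ph == PHASE_ENCRYPTED && pd->plain == NULL) {
        /* decrypt exactly once and keep the buffer in the packet's proto data; a real
         * dissector would wrap it in a child tvb on every call and pass that to the
         * subdissector */
        pd->plain_len = p->len - 2;
        pd->plain = malloc(pd->plain_len ? pd->plain_len : 1);
        toy_xor(p->data + 2, pd->plain, pd->plain_len);
        pd->decrypt_runs++;
    }
    return (int)ph;
}

int decrypt_runs(int num) { return pkt_data[num].decrypt_runs; }

int plaintext_is(int num, const char *s) {
    pkt_data_t *pd = &pkt_data[num];
    return pd->plain && pd->plain_len == strlen(s) && memcmp(pd->plain, s, pd->plain_len) == 0;
}

void reset_state(void) {
    for (int i = 0; i < MAX_PACKETS; i++) free(pkt_data[i].plain);
    memset(pkt_data, 0, sizeof pkt_data);
    conv_exists = 0;
}

/* First pass in capture order, then re-dissection in a different order (as when the
 * user clicks packets after loading). Returns 1 if every packet keeps its phase. */
int run_demo(void) {
    unsigned char enc[5] = { 2, 0, 0, 0, 0 };
    const unsigned char p0[] = { 0, 0, 'h', 'i' }, p1[] = { 0, 1 }, p2[] = { 1, 1 };
    packet_t pkts[4] = { { p0, 4 }, { p1, 2 }, { p2, 2 }, { enc, 5 } };
    const int second_order[4] = { 3, 1, 0, 2 };
    int first[4];

    toy_xor((const unsigned char *)"sec", enc + 2, 3);   /* constructed ciphertext */
    reset_state();
    for (int i = 0; i < 4; i++) first[i] = dissect(i, &pkts[i]);
    for (int i = 0; i < 4; i++) {
        int n = second_order[i];
        if (dissect(n, &pkts[n]) != first[n]) return 0;
    }
    return first[0] == 0 && first[1] == 0 && first[2] == 1 && first[3] == 2;
}

int main(void) {
    printf("phases stable across passes: %s\n", run_demo() ? "yes" : "no");
    printf("packet 3 decrypted %d time(s), plaintext ok: %d\n",
           decrypt_runs(3), plaintext_is(3, "sec"));
    return 0;
}
```

One subtlety the model makes visible: a packet whose first-pass dissection fails gets no proto data, so a later re-dissection of it falls under rule 2 again and is tried against whatever phase the conversation has reached by then. If that matters for your protocol, store proto data (with the phase tried) even on failure.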
Current thread:
- Keeping decryption state of dissector in sync Max (Apr 29)
- Re: Keeping decryption state of dissector in sync Jeff Morriss (Apr 29)
- Re: Keeping decryption state of dissector in sync Max (Apr 29)
- Re: Keeping decryption state of dissector in sync Stephen Fisher (Apr 29)
- Re: Keeping decryption state of dissector in sync Jeff Morriss (Apr 29)