Wireshark mailing list archives

Re: SSL decryption breaks after retransmission


From: Max Dmitrichenko <dmitrmax () gmail com>
Date: Fri, 10 Feb 2012 17:31:12 +0400

2012/2/10 Martin Wilck <martin.wilck () ts fujitsu com>

On 02/10/2012 01:09 PM, Max Dmitrichenko wrote:
    Thanks - I assume you're talking about
    https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=5971 ?
Yep!

I built wireshark with this patch applied, but it didn't solve my
problem. I still need to tell wireshark manually to ignore the
retransmitted packets in order to get proper SSL decryption of the
follow-up SSL stream.


It will not work "out of the box". A higher level dissector has to assist
this and needs a patch.

Actually the problem is that TCP is not a datagram but a stream protocol. A
subdissector for any protocol over TCP should not ignore this fact.

In general, there are the following cases.

0) Any TCP based dissector should be prepared to receive a TVB containing
more than one logical PDU.

1) tvb contains a full logical PDU. Nothing to be done.
2) tvb contains the first part of a logical PDU. Desegmentation needed.
Currently TCP-desegmentor skips retransmissions of later parts.
3) tvb contains the second (or later) part of a logical PDU or the first
retransmitted part. Currently this is not handled.

My patch is about solving 3). You should patch the dissector to detect
this situation and request the TCP-desegmentor to do the rest of the job.

I guess this could be solved in an "out of the box" way. But this will break
the behavior of existing dissectors - they will not receive and dissect
retransmissions which could be of interest to someone.

--
Max
___________________________________________________________________________
Sent via:    Wireshark-dev mailing list <wireshark-dev () wireshark org>
Archives:    http://www.wireshark.org/lists/wireshark-dev
Unsubscribe: https://wireshark.org/mailman/options/wireshark-dev
             mailto:wireshark-dev-request () wireshark org?subject=unsubscribe
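
Added example, not part of the original message and not Wireshark code: a stand-alone C model of the cases listed above, showing how tracking the next expected sequence number keeps a length-prefixed PDU parser aligned when a segment is retransmitted. The 2-byte length framing and the names `stream_t`, `feed_segment` and `demo_stream` are assumptions made for this sketch; it does not use Wireshark's dissector API.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* One direction of a TCP stream carrying PDUs with a 2-byte big-endian
 * length prefix (a hypothetical framing chosen for this example). */
typedef struct {
    uint32_t next_seq;   /* next in-order sequence number expected */
    uint8_t  buf[256];   /* bytes of a PDU that is not complete yet */
    size_t   len;
    int      pdus;       /* complete PDUs seen so far */
} stream_t;

/* Constructed sample: three PDUs, 5 + 4 + 6 = 15 stream bytes. */
static const uint8_t demo_stream[] = {
    0,3,'a','b','c',  0,2,'x','y',  0,4,'w','x','y','z' };

/* Feed one segment. Returns the number of PDUs it completed, or -1 on a
 * sequence gap or buffer overflow (neither is handled in this sketch). */
int feed_segment(stream_t *s, uint32_t seq, const uint8_t *data, size_t n)
{
    int32_t skip = (int32_t)(s->next_seq - seq);  /* bytes already consumed */
    if (skip < 0) return -1;                      /* gap before this segment */
    if ((size_t)skip >= n) return 0;              /* pure retransmission */
    data += skip; n -= (size_t)skip;              /* keep only the new tail */
    if (s->len + n > sizeof s->buf) return -1;
    memcpy(s->buf + s->len, data, n);
    s->len += n; s->next_seq += (uint32_t)n;

    size_t off = 0; int done = 0;
    while (s->len - off >= 2) {                   /* case 0: loop over PDUs */
        size_t plen = ((size_t)s->buf[off] << 8) | s->buf[off + 1];
        if (s->len - off < 2 + plen) break;       /* case 2: wait for more */
        off += 2 + plen; done++;
    }
    memmove(s->buf, s->buf + off, s->len - off);  /* keep the partial PDU */
    s->len -= off; s->pdus += done;
    return done;
}

int main(void)
{
    stream_t s = { .next_seq = 1000 };
    printf("%d\n", feed_segment(&s, 1000, demo_stream, 9));      /* A and B */
    printf("%d\n", feed_segment(&s, 1009, demo_stream + 9, 3));  /* start of C */
    printf("%d\n", feed_segment(&s, 1009, demo_stream + 9, 3));  /* retransmit */
    printf("%d\n", feed_segment(&s, 1012, demo_stream + 12, 3)); /* rest of C */
    return 0;
}
```

If the retransmitted bytes were appended instead of skipped, the next length field would be read from the wrong offset and every later PDU boundary would be wrong, which is the kind of misalignment that stops record-based decryption of the rest of a stream.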
