Wireshark mailing list archives

Re: Two "Decrypted SSL data" sections in one frame


From: Peter Wu <peter () lekensteyn nl>
Date: Sun, 08 Feb 2015 22:19:27 +0100

On 02/08/2015 08:25 PM, Petr Gotthard wrote:
I'm trying to add SSL support for the AMQP dissector. I managed to correctly decrypt and reassemble the application
data, however for some reason the SSL dissector (or someone else?) split the application data in two blocks: the
first data block contains the first byte of the AMQP frame and the second data block contains the remaining bytes.
 -- In the "Packet Details" section I can see (after the SSL sub-tree) a sub-tree "Data (1 byte)" and below it
another sub-tree "[Malformed Packet: AMQP]" (the packet is malformed because it is missing the first byte).
 -- In the "Packet Bytes" section I can see two "Decrypted SSL data" sections, one with 1 byte (the first byte of an
AMQP frame) and the other with the remaining bytes of this AMQP frame.

Do you have any idea why SSL created two "decrypted SSL data" sections and split the frame?

This sounds like the 1/n-1 split done to work around the BEAST attack[1].

If you need more bytes, set pinfo->desegment_len (and maybe
pinfo->desegment_offset). See doc/README.dissector, section 2.7.2.

How is SSL implemented for AMQP? Is it immediately running on top of
SSL/TLS, or is there a preceding STARTTLS-like handshake? In the
latter case, see
https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=9515 and the
related patches.
-- 
Kind regards,
Peter Wu
https://lekensteyn.nl/

[1]: https://en.wikipedia.org/wiki/Transport_Layer_Security#BEAST_attack
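As an added illustration of the desegmentation advice in the reply above (not code from this thread or from Wireshark itself), here is a self-contained C model of how an AMQP dissector asks for more data when a TLS record delivers only the first byte of a frame. It assumes AMQP 0-9-1 framing and uses a hypothetical minimal pinfo_t struct in place of Wireshark's real packet_info.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>

/* Stand-in for the two packet_info fields a dissector sets to request
 * reassembly (hypothetical minimal struct, not Wireshark's real packet_info). */
typedef struct {
    size_t   desegment_offset;   /* where the incomplete PDU starts in the tvb */
    uint32_t desegment_len;      /* how many more bytes are needed */
} pinfo_t;
#define DESEGMENT_ONE_MORE_SEGMENT 0x0fffffffU  /* sentinel value as in Wireshark */

/* Assumed AMQP 0-9-1 framing: type(1) channel(2) size(4) payload(size) 0xCE */
#define AMQP_HDR_LEN   7
#define AMQP_FRAME_END 0xCE

/* Returns the frame length when a whole frame is present, 0 after asking for
 * more data through pinfo, -1 when the frame-end octet is wrong (malformed). */
long dissect_amqp_frame(const uint8_t *buf, size_t len, size_t offset, pinfo_t *pinfo)
{
    size_t avail = (offset < len) ? len - offset : 0;

    if (avail < AMQP_HDR_LEN) {
        /* e.g. the 1-byte record from the TLS 1/n-1 (BEAST) split: the size
         * field is not readable yet, so ask for at least one more segment. */
        pinfo->desegment_offset = offset;
        pinfo->desegment_len    = DESEGMENT_ONE_MORE_SEGMENT;
        return 0;
    }
    uint32_t size = ((uint32_t)buf[offset + 3] << 24) | ((uint32_t)buf[offset + 4] << 16) |
                    ((uint32_t)buf[offset + 5] << 8)  |  (uint32_t)buf[offset + 6];
    size_t frame_len = AMQP_HDR_LEN + (size_t)size + 1;   /* +1 for the frame-end octet */

    if (avail < frame_len) {
        /* The header is complete, so the exact shortfall is known: request it. */
        pinfo->desegment_offset = offset;
        pinfo->desegment_len    = (uint32_t)(frame_len - avail);
        return 0;
    }
    if (buf[offset + frame_len - 1] != AMQP_FRAME_END)
        return -1;   /* would be reported as a malformed frame */
    return (long)frame_len;
}

/* Constructed sample: a 12-byte AMQP 0-9-1 method frame on channel 1
 * (class 10, method 10) followed by the frame-end octet. */
static const uint8_t SAMPLE_FRAME[12] = {
    0x01, 0x00, 0x01, 0x00, 0x00, 0x00, 0x04, 0x00, 0x0A, 0x00, 0x0A, 0xCE };
```

Feeding only SAMPLE_FRAME[0] (the 1/n-1 first record) makes the function request one more segment; once the header is visible it requests exactly the missing byte count, and the whole 12 bytes dissect cleanly.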
___________________________________________________________________________
Sent via:    Wireshark-dev mailing list <wireshark-dev () wireshark org>
Archives:    http://www.wireshark.org/lists/wireshark-dev
Unsubscribe: https://wireshark.org/mailman/options/wireshark-dev
             mailto:wireshark-dev-request () wireshark org?subject=unsubscribe
