Wireshark mailing list archives
Re: Two "Descrypted SSL data" sections in one frame
From: Peter Wu <peter () lekensteyn nl>
Date: Sun, 08 Feb 2015 22:19:27 +0100
On 02/08/2015 08:25 PM, Petr Gotthard wrote:
> I'm trying to add SSL support for the AMQP dissector. I managed to correctly decrypt and reassemble the application data, however for some reason the SSL dissector (or someone else?) split the application data in two blocks: the first data block contains the first byte of the AMQP frame and the second data block contains the remaining bytes.
>
> - In the "Packet Details" section I can see (after the SSL sub-tree) a sub-tree "Data (1 byte)" and below it another sub-tree "[Malformed Packet: AMQP]" (the packet is malformed because it is missing the first byte)
> - In the "Packet Bytes" section I can see two "Decrypted SSL data" sections. One with 1 byte (the first byte of an AMQP frame) and the other section with the remaining bytes of this AMQP frame.
>
> Do you have any idea why SSL created two "decrypted SSL data" sections and split the frame?

This sounds like the 1/n-1 split done to work around the BEAST attack[1]. If you need more bytes, set pinfo->desegment_len (and maybe pinfo->desegment_offset). See doc/README.dissector, section 2.7.2.

How is SSL implemented for AMQP? Is it immediately running on top of SSL/TLS, or is there a preceding STARTTLS-like handshake? In the latter case, see https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=9515 and the related patches.

--
Kind regards,
Peter Wu
https://lekensteyn.nl/

[1]: https://en.wikipedia.org/wiki/Transport_Layer_Security#BEAST_attack
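
Added example, not part of the original thread and not Wireshark code: a stand-alone C program showing why the 1-byte record of a 1/n-1 split cannot be dissected alone, and how a length check yields the "bytes still needed" figure that the reply says to report through pinfo->desegment_len. It assumes the AMQP 0-9-1 general frame layout (1-byte type, 2-byte channel, 4-byte size, payload, 0xCE end octet); the function names and the sample frame are constructed for illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define AMQP_HDR_LEN 7u  /* type(1) + channel(2) + size(4); AMQP 0-9-1 assumed */
#define AMQP_END_LEN 1u  /* frame-end octet 0xCE */

/* Constructed sample: heartbeat frame (type 8, channel 0, empty payload). */
static const uint8_t sample_frame[] = {0x08, 0, 0, 0, 0, 0, 0, 0xCE};

/* Bytes still missing before one whole frame is buffered; 0 means complete.
 * A dissector would report this shortfall instead of parsing partial data. */
uint64_t amqp_bytes_missing(const uint8_t *buf, size_t have)
{
    if (have < AMQP_HDR_LEN)
        return AMQP_HDR_LEN - have;          /* size field not readable yet */
    uint64_t payload = ((uint64_t)buf[3] << 24) | ((uint64_t)buf[4] << 16) |
                       ((uint64_t)buf[5] << 8) | buf[6];
    uint64_t total = AMQP_HDR_LEN + payload + AMQP_END_LEN;
    return have >= total ? 0 : total - have;
}

/* Deliver the sample frame as two decrypted records split at `cut` (a 1/n-1
 * sender uses cut == 1); return the 1-based record that completes the frame. */
size_t first_complete_record(size_t cut)
{
    if (cut > sizeof sample_frame)
        return 0;                            /* invalid split point */
    const uint8_t *recs[2] = {sample_frame, sample_frame + cut};
    const size_t lens[2] = {cut, sizeof sample_frame - cut};
    uint8_t acc[sizeof sample_frame];        /* reassembly buffer */
    size_t used = 0;
    for (size_t i = 0; i < 2; i++) {
        memcpy(acc + used, recs[i], lens[i]);
        used += lens[i];
        if (amqp_bytes_missing(acc, used) == 0)
            return i + 1;
    }
    return 0;
}

int main(void)
{
    printf("missing after 1-byte record: %llu; complete after record %zu\n",
           (unsigned long long)amqp_bytes_missing(sample_frame, 1),
           first_complete_record(1));
    return 0;
}
```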