Re: Decoding New TLS CLient Hello Extension

[<nalini.elkins () insidethestack com>]

On Thu, Apr 14, 2016 at 3:07 PM, <nalini.elkins () insidethestack com> wrote:

Guys,

I am trying to decode a new TLS extension in the Client Hello packet.  I have the following statement in my LUA:

local ssl_ext_table = DissectorTable.get("ssl.handshake.extension.type")

This is getting an error.  Would appreciate any help that anyone can give.


> Where did you get that string?  I can't find it in the SSL dissector.
That is the name of the field.

> In order to get a dissector table (DissectorTable.get()) such a dissector table has to exist.  (A common mistake is to 
> believe that there is a dissector table for every field (hf) in Wireshark-->there isn't even though there are 
> sometimes fields that share a name with a dissector table--"tcp.port" is a good example.) 
Yes, I was thinking that maybe there is not such a table.

> So: you're getting an error because the SSL dissector does not publish such a table; in other words the dissector is 
> not prepared to have other dissectors dissecting TLS extensions.

> Your best path forward would likely be to just modify the SSL dissector's C code; ideally you could then push that 
> code to Wireshark so future versions will dissect the extension too.
Sure.  Happy to do that (once it all works!) but I was having trouble finding where that SSL dissector's C code 
actually was.  It looks like it may be invoking gnutls libraries?  Thanks for your help.

Nalini

___________________________________________________________________________
Sent via:    Wireshark-dev mailing list <wireshark-dev () wireshark org>
Archives:    https://www.wireshark.org/lists/wireshark-dev
Unsubscribe: https://wireshark.org/mailman/options/wireshark-dev
             mailto:wireshark-dev-request () wireshark org?subject=unsubscribe