Wireshark mailing list archives

Re: decryption SSL

From: Peter Wu <peter () lekensteyn nl>
Date: Fri, 8 Sep 2017 22:02:43 +0100

Hi Sadik,

On Fri, Sep 08, 2017 at 05:15:19PM +0200, Sadik Sikder wrote:

Thanks Mr. Peter for you kind help and cooperation...
i have figured-out how should i write my own decryption function . i have
some confusion or problem to understand... i am giving a example what i
would like to know.
in epan/packet-ssl.c file,  i have a seen a method called:
void
ssl_load_keyfile(const gchar *ssl_keylog_filename, FILE **keylog_file,
                 const ssl_master_key_map_t *mk_map)

or
void
ssl_debug_printf(const gchar* fmt, ...)
{
    va_list ap;

    if (!ssl_debug_file)
        return;

    va_start(ap, fmt);
    vfprintf(ssl_debug_file, fmt, ap);
    va_end(ap);
}

here ssl_load_keyfile or ssl_debug_print() are  methods. i havenot found
where these method are called into main function. similar this problem i
have faced several situations. In order to overcome the situation what
should i follow? how can i or which file/folder contains main functions
regarding epan/packet-ssl.c, epan/packet-ssl-utils.c?


Wireshark has a lot of dissectors and functionality, as far as
functionality is concerned, you need to start looking at "dissect_ssl".
See the first step of
https://www.wireshark.org/lists/wireshark-dev/201709/msg00006.html
which says:

    The program flow in the common case (SSLv3/TLS) is as follows:

     1. dissect_ssl is the entrypoint (commonly called from TCP dissector).
     ...

the main function is located in wireshark-qt.cpp (or tshark.c if you use
tshark).

Specifically for ssl_debug_printf, these are called in multiple
functions in epan/dissectors/packet-ssl.c and
epan/dissectors/packet-ssl-utils.c. Have you tried a simple text search
in these files?

i have used Eclipse IDE to track of these methods to figure-out main
function  but i was unable to find the main functions regarding
 packet-ssl.c, packet-ssl-utils.c and packet-ssl-utils.h.


I suggest you to use a debugger, set a breakpoint starting in
dissect_ssl (or whatever function you are interested in). Then run the
the "console" version of Wireshark using the capture and keys from the
source directory:

    tshark -r test/captures/dhe1.pcapng.gz -o ssl.keylog_file:test/keys/dhe1_keylog.dat 
-- 
Kind regards,
Peter Wu
https://lekensteyn.nl
___________________________________________________________________________
Sent via:    Wireshark-dev mailing list <wireshark-dev () wireshark org>
Archives:    https://www.wireshark.org/lists/wireshark-dev
Unsubscribe: https://www.wireshark.org/mailman/options/wireshark-dev
             mailto:wireshark-dev-request () wireshark org?subject=unsubscribe

Current thread:

Re: Wireshark-dev Digest, Vol 136, Issue 4 Sadik Sikder (Sep 08)
- Re: decryption SSL Peter Wu (Sep 08)