On 02/08/2015 08:25 PM, Petr Gotthard wrote:
> I'm trying to add SSL support for the AMQP dissector. I managed to correctly
> decrypt and reassemble the application data, however for some reason the SSL
> dissector (or someone else?) splits the application data in two blocks: the
> first data block contains the first byte of the AMQP frame and the second
> data block contains the remaining bytes.
> -- In the "Packet Details" section I can see (after the SSL sub-tree) a
> sub-tree "Data (1 byte)" and below it another sub-tree "[Malformed Packet:
> AMQP]" (the packet is malformed because it is missing the first byte)
> -- In the "Packet Bytes" section I can see two "Decrypted SSL data"
> sections: one with 1 byte (the first byte of an AMQP frame) and the other
> section with the remaining bytes of this AMQP frame.
>
> Do you have any idea why SSL created two "decrypted SSL data" sections and
> split the frame?
This sounds like the 1/n-1 split done to work around the BEAST attack [1]. If you need more bytes, set pinfo->desegment_len (and maybe pinfo->desegment_offset). See doc/README.dissector, section 2.7.2.

How is SSL implemented for AMQP? Is it immediately running on top of SSL/TLS, or is there a preceding STARTTLS-like handshake? In the latter case, see https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=9515 and the related patches.

--
Kind regards,
Peter Wu
https://lekensteyn.nl/

[1]: https://en.wikipedia.org/wiki/Transport_Layer_Security#BEAST_attack

___________________________________________________________________________
Sent via: Wireshark-dev mailing list <[email protected]>
Archives: http://www.wireshark.org/lists/wireshark-dev
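The desegmentation decision the reply points at, as an added, self-contained C model (not code from the thread or from Wireshark's packet-amqp.c): it assumes the AMQP 0-9-1 frame layout (type, channel, 4-byte big-endian size, payload, 0xCE end marker), and the struct it returns stands in for the pinfo->desegment_offset / pinfo->desegment_len fields a real dissector would set. The sample buffer is a constructed heartbeat frame, fed in as the 1-byte and n-1-byte pieces the 1/n-1 split produces.

```c
#include <stdint.h>
#include <stdio.h>

/* Value Wireshark's epan/packet.h uses to request "at least one more segment". */
#define DESEGMENT_ONE_MORE_SEGMENT 0x0fffffff

/* Assumed AMQP 0-9-1 framing: type(1) channel(2) size(4, BE) payload(size) end(1 = 0xCE). */
#define AMQP_HDR_LEN 7
#define AMQP_END_LEN 1

/* Stand-in for the pinfo fields a dissector fills in before returning. */
typedef struct {
    int      complete;         /* 1 when a whole frame is present at offset */
    uint32_t frame_len;        /* total frame length once the size field is readable */
    uint32_t desegment_offset; /* where the incomplete frame starts (pinfo->desegment_offset) */
    uint32_t desegment_len;    /* extra bytes to request (pinfo->desegment_len), 0 if none */
} amqp_seg_t;

/* Constructed sample: heartbeat frame, type 8, channel 0, size 0, end marker. */
static const uint8_t amqp_sample_heartbeat[] = {0x08, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0xCE};

/* Decide whether buf[offset..avail) holds a complete frame, or how much more to ask for. */
amqp_seg_t amqp_check_frame(const uint8_t *buf, uint32_t avail, uint32_t offset)
{
    amqp_seg_t r = {0, 0, offset, 0};
    uint32_t remaining = (offset < avail) ? avail - offset : 0;

    /* After a 1/n-1 split only byte 0 may be here: the size field is not readable yet,
       so ask for another segment rather than declaring the frame malformed. */
    if (remaining < AMQP_HDR_LEN) {
        r.desegment_len = DESEGMENT_ONE_MORE_SEGMENT;
        return r;
    }
    uint64_t size = ((uint64_t)buf[offset + 3] << 24) | ((uint64_t)buf[offset + 4] << 16) |
                    ((uint64_t)buf[offset + 5] << 8)  |  (uint64_t)buf[offset + 6];
    uint64_t total = AMQP_HDR_LEN + size + AMQP_END_LEN;
    if (total > 0xffffffffu)       /* size field too large to be a sane frame: do not reassemble */
        return r;
    r.frame_len = (uint32_t)total;
    if (remaining < r.frame_len) { /* header known, payload still short: ask for the exact rest */
        r.desegment_len = r.frame_len - remaining;
        return r;
    }
    r.complete = 1;
    return r;
}

int main(void)
{
    amqp_seg_t s = amqp_check_frame(amqp_sample_heartbeat, 1, 0); /* the 1-byte first piece */
    printf("1 byte: complete=%d desegment_len=0x%x\n", s.complete, s.desegment_len);
    s = amqp_check_frame(amqp_sample_heartbeat, sizeof amqp_sample_heartbeat, 0);
    printf("8 bytes: complete=%d frame_len=%u\n", s.complete, s.frame_len);
    return 0;
}
```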
