Wireshark-dev: Re: [Wireshark-dev] SSL decryption breaks after retransmission

From: Max Dmitrichenko <dmitrmax@xxxxxxxxx>
Date: Fri, 10 Feb 2012 17:31:12 +0400
2012/2/10 Martin Wilck <martin.wilck@xxxxxxxxxxxxxx>
On 02/10/2012 01:09 PM, Max Dmitrichenko wrote:
>     Thanks - I assume you're talking about
>     https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=5971 ?
> Yep!

I built wireshark with this patch applied, but it didn't solve my
problem. I still need to tell wireshark manually to ignore the
retransmitted packets in order to get proper SSL decryption of the
follow-up SSL stream.

It will not work "out of the box". A higher level dissector has to assist this and needs a patch.

Actually the problem is that TCP is not a datagram but stream protocol. A subdissector for any protocol over TCP should not ignore this fact.

In general, there are following cases.

0) Any TCP based dissector should be prepared to receive a TVB containing more than one logical PDU.

1) tvb contains a full logical PDU. Nothing to be done.
2) tvb contains the first part of logical PDU. Desegmentation needed. Currently TCP-desegmentor skips retransmissions of later parts.
3) tvb contains the second (or later) part of logical PDU or the first retransmitted part. Currently this is not handled.

My patch is about to solve 3). You should patch the dissector to detect this situation and request the TCP-desegmentor to do the rest job.

I guess this could be solved in "out of the box" way. But this will break the behavior of existing dissectors - they will not receive and dissect retransmissions which could be of someone's interest.

--
Max