Wireshark-dev: Re: [Wireshark-dev] Listener (Tap) in Lua to write SSL cert bytes

From: Rion Carter <rion@xxxxxxxxxx>
Date: Fri, 24 May 2013 16:08:26
When I look at the capture in the UI I see this:

Secure Sockets Layer
-TLSv1 Record Layer: Handshake Protocol: Certificate
--Content Type: Handshake (22)
--Version: TLS 1.0 (0x0301)
--Length: 1295
--Handshake Protocol: Certificate
----Handshake Type: Certificate (11)
----Length: 1291
----Certificates Length: 1288
----Certificates (1288 bytes) 
------Certificate Length: 1285
------Certificate (...)

It is the 'Certificate' field that contains what I need. When I try Field.new("certificate") in my Lua script I get a message of "A field with this name must exist".

When I right click and export bytes from the 'Certificate' label within the UI I get valid cert data. Is the display name the same as the field?

Rion


From: Evan Huus
Sent: Friday, May 24, 2013 08:29 PM
To: Developer support list for Wireshark
Reply To: Developer support list for Wireshark
Subject: Re: [Wireshark-dev] Listener (Tap) in Lua to write SSL cert bytes

On Fri, May 24, 2013 at 10:04 AM, Rion Carter <rion@xxxxxxxxxx> wrote:
>
> Hi everyone,
>
> If this is the wrong place for my question please let me know. I've used Wireshark for 5 years now and am looking to get more out of this excellent tool.
>
> To get started I want to write a Tap that will write out the certificate used during an SSL handshake. While I think I have it setup to pull the cert, I can't seem to actually write the bytes to disk. Here is what I have:
>
> tap = Listener.new(nil, "ssl.handshake.certificate");
> Cert_info = Field.new("ssl.handshake.certificate");
>
> function tap.packet(pinfo, buffer, userdata)
>   local cert = Cert_info();
>   file:write(cert.value);
> end
>
> I have the file defined elsewhere. When I try to write I get a message about a "Bad argument to write". I'm on my phone right now or I'd post the full error text.
>
> Is this something I need to write in c, or does the Lua binding let me write non string data to files?

I think you're asking for the wrong field, actually (the lua code
looks fine to me). "ssl.handshake.certificate" appears to be a
non-typed field used just for a tree header. The actual certificate
appears to be parsed as a BER sequence, if I'm reading the code
correctly. If you open the capture in Wireshark and find the
certificate item in the tree, what is the actual field name listed as?

Evan
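As an added example that is not part of the original thread, here is a complete version of the tap described in the first post, writing each certificate out as DER and PEM. It assumes the field name "ssl.handshake.certificate" from the post (whether that is the right field is exactly what the thread leaves open; newer Wireshark releases call it "tls.handshake.certificate"), a Wireshark with ByteArray:raw() (1.11.3 or later), and an existing output directory.

```lua
-- Added example, not code from the original thread. A Wireshark Lua tap that
-- writes every certificate carried in a TLS handshake to disk as DER and PEM.
-- Assumptions: the field name "ssl.handshake.certificate" is taken from the
-- original post (newer Wireshark releases use "tls.handshake.certificate");
-- ByteArray:raw() needs Wireshark >= 1.11.3; OUT_DIR already exists.
local OUT_DIR = "/tmp/certs"
local cert_field = Field.new("ssl.handshake.certificate")

-- Pure-Lua base64 so the DER can be wrapped as PEM without extra libraries.
local B64 = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/"
local function base64(data)
  local out = {}
  for i = 1, #data, 3 do
    local a, b, c = data:byte(i, i + 2)
    local n = a * 65536 + (b or 0) * 256 + (c or 0)
    for shift = 18, 0, -6 do
      local idx = math.floor(n / 2 ^ shift) % 64
      out[#out + 1] = B64:sub(idx + 1, idx + 1)
    end
  end
  local s = table.concat(out)
  local pad = (3 - #data % 3) % 3          -- 0, 1 or 2 '=' characters
  return s:sub(1, #s - pad) .. string.rep("=", pad)
end

local function to_pem(der)
  local b64, lines = base64(der), { "-----BEGIN CERTIFICATE-----" }
  for i = 1, #b64, 64 do lines[#lines + 1] = b64:sub(i, i + 63) end
  lines[#lines + 1] = "-----END CERTIFICATE-----"
  return table.concat(lines, "\n") .. "\n"
end

local tap = Listener.new(nil, "ssl.handshake.certificate")
local seen = 0
function tap.packet(pinfo, tvb, tapinfo)
  -- Calling the Field returns one FieldInfo per occurrence in the packet,
  -- so a whole chain sent in one Certificate message is captured.
  for _, finfo in ipairs({ cert_field() }) do
    -- finfo.value is a ByteArray userdata; file:write() needs a Lua string,
    -- which is why the original post's file:write(cert.value) was rejected.
    local der = finfo.value:raw()
    seen = seen + 1
    local base = string.format("%s/frame%d-cert%d", OUT_DIR, pinfo.number, seen)
    local f = assert(io.open(base .. ".der", "wb")); f:write(der); f:close()
    f = assert(io.open(base .. ".pem", "w")); f:write(to_pem(der)); f:close()
  end
end
function tap.draw()
  print(string.format("%d certificate(s) written to %s", seen, OUT_DIR))
end
```

Run it with `tshark -q -X lua_script:extract_certs.lua -r capture.pcap`; the PEM files can then be inspected with `openssl x509 -in <file> -noout -text`.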
___________________________________________________________________________
Sent via: Wireshark-dev mailing list <wireshark-dev@xxxxxxxxxxxxx>
Archives: http://www.wireshark.org/lists/wireshark-dev
Unsubscribe: https://wireshark.org/mailman/options/wireshark-dev
mailto:wireshark-dev-request@xxxxxxxxxxxxx?subject=unsubscribe