On 02/08/2015 08:25 PM, Petr Gotthard wrote:
> I'm trying to add SSL support for the AMQP dissector. I managed to correctly decrypt and reassemble the application data, however from some reason the SSL dissector (or someone else?) split the application data in two blocks: the first data block contains the first byte of the AMQP frame and the second data block contains the remaining bytes.
> -- In the "Packet Details" section I can see (after the SSL sub-tree) a sub-tree "Data (1 byte)" and below it another sub-tree "[Malformed Packet: AMQP]" (the packet is malformed because it is missing the first byte)
> -- in the "Packet Bytes" section I can see two "Decrypted SSL data" sections. One with 1 byte (the first byte of an AMQP frame) and the other section with the remaining bytes of this AMQP frame.
>
> Do you have any idea why did SSL create two "decrypted SSL data" sections and split the frame?
This sounds like the 1/n-1 split done to workaround the BEAST attack[1].
If you need more bytes, set pinfo->desegment_len (and maybe
pinfo->desegment_offset). See doc/README.dissector, section 2.7.2.
How is SSL implemented for AMQP? Is it immediately running on top of
SSL/TLS, or is there a preceding STARTTLS-like handshake? In the
latter case, see
https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=9515 and the
related patches.
--
Kind regards,
Peter Wu
https://lekensteyn.nl/
[1]: https://en.wikipedia.org/wiki/Transport_Layer_Security#BEAST_attack