Wireshark-dev: Re: [Wireshark-dev] Two "Descrypted SSL data" sections in one frame

From: Peter Wu <peter@xxxxxxxxxxxxx>
Date: Sun, 08 Feb 2015 22:19:27 +0100
On 02/08/2015 08:25 PM, Petr Gotthard wrote:
> I'm trying to add SSL support for the AMQP dissector. I managed to correctly decrypt and reassemble the application data, however from some reason the SSL dissector (or someone else?) split the application data in two blocks: the first data block contains the first byte of the AMQP frame and the second data block contains the remaining bytes.
>  -- In the "Packet Details" section I can see (after the SSL sub-tree) a sub-tree "Data (1 byte)" and below it another sub-tree "[Malformed Packet: AMQP]" (the packet is malformed because it is missing the first byte)
>  -- in the "Packet Bytes" section I can see two "Decrypted SSL data" sections. One with 1 byte (the first byte of an AMQP frame) and the other section with the remaining bytes of this AMQP frame.
>  
> Do you have any idea why did SSL create two "decrypted SSL data" sections and split the frame?

This sounds like the 1/n-1 split done to workaround the BEAST attack[1].

If you need more bytes, set pinfo->desegment_len (and maybe
pinfo->desegment_offset). See doc/README.dissector, section 2.7.2.

How is SSL implemented for AMQP? Is it immediately running on top of
SSL/TLS, or is there a preceding STARTTLS-like handshake? In the
latter case, see
https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=9515 and the
related patches.
-- 
Kind regards,
Peter Wu
https://lekensteyn.nl/

[1]: https://en.wikipedia.org/wiki/Transport_Layer_Security#BEAST_attack