Wireshark-dev: Re: [Wireshark-dev] decryption SSL

From: Peter Wu <peter@xxxxxxxxxxxxx>
Date: Fri, 8 Sep 2017 22:02:43 +0100
Hi Sadik,

On Fri, Sep 08, 2017 at 05:15:19PM +0200, Sadik Sikder wrote:
> Thanks Mr. Peter for you kind help and cooperation...
> i have figured-out how should i write my own decryption function . i have
> some confusion or problem to understand... i am giving a example what i
> would like to know.
> in epan/packet-ssl.c file,  i have a seen a method called:
> void
> ssl_load_keyfile(const gchar *ssl_keylog_filename, FILE **keylog_file,
>                  const ssl_master_key_map_t *mk_map)
> 
> or
> void
> ssl_debug_printf(const gchar* fmt, ...)
> {
>     va_list ap;
> 
>     if (!ssl_debug_file)
>         return;
> 
>     va_start(ap, fmt);
>     vfprintf(ssl_debug_file, fmt, ap);
>     va_end(ap);
> }
> 
> here ssl_load_keyfile or ssl_debug_print() are  methods. i havenot found
> where these method are called into main function. similar this problem i
> have faced several situations. In order to overcome the situation what
> should i follow? how can i or which file/folder contains main functions
> regarding epan/packet-ssl.c, epan/packet-ssl-utils.c?

Wireshark has a lot of dissectors and functionality, as far as
functionality is concerned, you need to start looking at "dissect_ssl".
See the first step of
https://www.wireshark.org/lists/wireshark-dev/201709/msg00006.html
which says:

    The program flow in the common case (SSLv3/TLS) is as follows:

     1. dissect_ssl is the entrypoint (commonly called from TCP dissector).
     ...

the main function is located in wireshark-qt.cpp (or tshark.c if you use
tshark).

Specifically for ssl_debug_printf, these are called in multiple
functions in epan/dissectors/packet-ssl.c and
epan/dissectors/packet-ssl-utils.c. Have you tried a simple text search
in these files?

> i have used Eclipse IDE to track of these methods to figure-out main
> function  but i was unable to find the main functions regarding
>  packet-ssl.c, packet-ssl-utils.c and packet-ssl-utils.h.

I suggest you to use a debugger, set a breakpoint starting in
dissect_ssl (or whatever function you are interested in). Then run the
the "console" version of Wireshark using the capture and keys from the
source directory:

    tshark -r test/captures/dhe1.pcapng.gz -o ssl.keylog_file:test/keys/dhe1_keylog.dat 
-- 
Kind regards,
Peter Wu
https://lekensteyn.nl