Wireshark-dev: [Wireshark-dev] Dissecting TLS and non-TLS using the same ports

From: Markku Leiniö <markku@xxxxxx>
Date: Thu, 13 Jul 2023 17:48:52 +0300
Hi,

In my Zabbix dissector I'm currently using dissector_add_uint_range_with_preference("tcp.port", ZABBIX_TCP_PORTS, zabbix_handle) to define the TCP ports (defaulting to "10050,10051").

I'm now attempting to use ssl_dissector_add() to also dissect TLS-encrypted Zabbix protocol packets, using the same ports (that's how Zabbix works: some agents use TLS, some don't, and they all connect to the same port on the server). I see port number 0 being used in some dissectors (for example in packet-kafka.c), but that does not seem to work. From some comments I understand that it enables using manual "Decode as" or something like that.

So, apparently I need to use ssl_dissector_add() with all the configured ports. I see examples of using range_foreach() to do that, so I used it like this:

       range_t *zabbix_tcp_range;
       zabbix_tcp_range = prefs_get_range_value("zabbix", "tcp.port");
       range_foreach(zabbix_tcp_range, range_add_zabbix_tls_callback, NULL);

It seems to work with TLS packets, but now it won't dissect non-TLS Zabbix packets at all.

In Lua (with my previous dissector) I was able to do simply this:

       DissectorTable.get("tcp.port"):add(default_settings.ports, zabbix_protocol)
       DissectorTable.get("tls.port"):add(default_settings.ports, zabbix_protocol)

and that worked fine, it dissected both TLS and non-TLS packets correctly.

How do I get the same behaviour with a C dissector?

Markku