Wireshark-users: Re: [Wireshark-users] SSL issue not decoding data

From: Sake Blok <sake@xxxxxxxxxx>
Date: Fri, 23 May 2008 12:55:18 +0200
On Mon, May 19, 2008 at 11:24:16PM +0200, Ulf Lamping wrote:
> Sake Blok schrieb:
> >
> > Well, one option would be to have expert-messages, but I'm not really
> > fond of that idea. There is nothing "wrong" with the traffic so we 
> > don't want people starting to think their ssl sessions fail, just
> > because there are expert-messages stating *shark can't decrypt the
> > traffic.
>   
> Expert messages don't necessarily mean something is wrong with the data. 
> Just think about you're looking over the shoulder of someone using 
> Wireshark and telling him what you think as an expert of that protocol.

OK, true, but the expert is not there to interpret the message 
for the user. So care must be taken not to point the user in the
wrong direction.

> In this example, I would expect something like: "Full SSL handshake 
> wasn't captured, can't dissect".
> 
> I'm doing something similiar in the DCE/RPC dissector, as you simply 
> cannot dissect any messages if you couldn't capture the initial binding 
> handshake (packet-dcerpc.c, line 3409):
> 
>         expert_add_info_format(pinfo, pi, PI_UNDECODED, PI_NOTE, "No 
> bind info for interface Context ID:%u", ctx_id);

Something like that will work. Is all expert info printed with tshark 
too?

> Hmmm, thinking about this line, there's also possible improvement in the 
> message text here, to better tell users what's going on ;-)

:-)

> > I would think an SSL-decryption wiki-page gives more room to really
> > explain what's going on in different situations. We could add a link
> > to that wiki-page from the ssl preferences. That excludes tshark
> > users a bit, but wouldn't they have started with SSL decryption
> > in wireshark before they started using it in tshark?
> >
> > Any other ideas? If not, I will try to find some time to work on
> > a detailed ssl decryption page, as there are quite a bit of questions
> > asked about "Why doesn't wireshark decrypt my ssl traffic".
>   
> Having a more detailed page about SSL decryption would be a good idea 
> anyway ;-)

Will put both expert-info and wiki-page on my to-do list :-)

Cheers,
    Sake