Mailing List Archive

Ethereal Plugin for decrypting Code.
While I have used Ethereal some, I am brand new to Ethereal development and
would appreciate someone pointing me in the right direction for a plugin.

I need to write a plugin that will take the data from a TCP packet where
the flags are 0x0018 (PSH, ACK) and decrypt it. Ideally, I'd like to
find a plugin where all I have to do is call a DLL which does the actual
decryption.

Is there a plugin in the source/developer downloads that does most of what
I want?

TIA,

Royce Fessenden
Engineering
417 831-9362 ext 140
Re: Ethereal Plugin for decrypting Code.
Royce Fessenden wrote:
> I need to write a plug in that will take the data from a TCP packet where
> the flags are 0x0018 (PSH, ACK) and decrypt it.

Did you mean to say "I need to write a plugin to dissect a protocol that
runs atop TCP and contains encrypted data"?

If so, then you first need to arrange that the dissector be called when
the TCP traffic is traffic for your protocol. If your protocol uses a
standard port number, you could use that; if it doesn't, you could either
give your dissector a preference to specify the port number or numbers to
use, or, *IF* the protocol data can be examined to determine whether it
looks like it's for your protocol or not (which, if it's encrypted, is
probably not the case) make the dissector a heuristic dissector.


_______________________________________________
Ethereal-dev mailing list
Ethereal-dev@ethereal.com
http://www.ethereal.com/mailman/listinfo/ethereal-dev
RE: Ethereal Plugin for decrypting Code.
Ah, two posts and already I'm discovering who the Gurus around here are!

And yes, I am needing to write a plugin to dissect a protocol that runs atop
TCP and contains encrypted data.

In this case, the data always starts with the same 3 bytes, which are not
encrypted, so I might be able to use a heuristic dissector. It usually uses
the same port, but not always.

All the protocol has to do is take the data block, pass it to a Data
Transformer and display the transformed data in the data pane. Should be
simple, and I suspect it has been done before. I was hoping to find an
example to study/copy. (I'm a fan of code reuse.) I realize I can just
start examining existing plugins but there are a lot to look at.

Royce

-----Original Message-----
From: ethereal-dev-bounces@ethereal.com
[mailto:ethereal-dev-bounces@ethereal.com] On Behalf Of Guy Harris
Sent: Monday, June 05, 2006 9:56 PM
To: Ethereal development
Subject: Re: [Ethereal-dev] Ethereal Plugin for decrypting Code.

Re: Ethereal Plugin for decrypting Code.
You probably want to decrypt the data into a temporary buffer.

Please see README.malloc and grep for ep_alloc() for examples of an
easy-to-use function for temporary buffers.

You also want to store and dissect the decrypted data from a new
temporary tvb structure.
Grep for tvb_new_real_data() for examples of how to do this.

Essentially you probably want to:
1. display the original encrypted blob using proto_tree_add_item()
and an hf field that is FT_NONE (or FT_BYTES)
2. decrypt the data into an ep_alloc()ed buffer
3. create a new tvb using tvb_new_real_data() for that buffer and
dissect off the new tvb

On 6/6/06, Royce Fessenden <rfessenden@dmp.com> wrote:
> Ah, two posts and already I'm discovering who the Gurus around here are!
>
> And yes, I am needing to write a plugin to dissect a protocol that runs atop
> TCP and contains encrypted data.
>
> In this case, the data always starts with the same 3 bytes, which are not
> encrypted, so I might be able to use a heuristic dissector. It usually uses
> the same port, but not always.
>
> All the protocol has to do is take the data block, pass it to a Data
> Transformer and display the transformed data in the data pane. Should be
> simple, and I suspect it has been done before. I was hoping to find an
> example to study/copy. (I'm a fan of code reuse.) I realize I can just
> start examining existing plugins but there are a lot to look at.
>
> Royce
>
> -----Original Message-----
> From: ethereal-dev-bounces@ethereal.com
> [mailto:ethereal-dev-bounces@ethereal.com] On Behalf Of Guy Harris
> Sent: Monday, June 05, 2006 9:56 PM
> To: Ethereal development
> Subject: Re: [Ethereal-dev] Ethereal Plugin for decrypting Code.
>
> Royce Fessenden wrote:
> > I need to write a plug in that will take the data from a TCP packet where
> > the flags are 0x0018 (PSH, ACK) and decrypt it.
>
> Did you mean to say "I need to write a plugin to dissect a protocol that
> runs atop TCP and contains encrypted data"?
>
> If so, then you first need to arrange that the dissector be called when
> the TCP traffic is traffic for your protocol. If your protocol uses a
> standard port number, you could use that; if it doesn't, you could either
> give your dissector a preference to specify the port number of numbers to
> use, or, *IF* the protocol data can be examined to determine whether it
> looks like it's for your protocol or not (which, if it's encrypted, is
> probably not the case) make the dissector a heuristic dissector.
>
>
> _______________________________________________
> Ethereal-dev mailing list
> Ethereal-dev@ethereal.com
> http://www.ethereal.com/mailman/listinfo/ethereal-dev
>
> _______________________________________________
> Ethereal-dev mailing list
> Ethereal-dev@ethereal.com
> http://www.ethereal.com/mailman/listinfo/ethereal-dev
>
_______________________________________________
Ethereal-dev mailing list
Ethereal-dev@ethereal.com
http://www.ethereal.com/mailman/listinfo/ethereal-dev
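The port-or-heuristic decision from Guy Harris's reply and the three steps in the last reply, modelled as a self-contained C program (an added example, not code from this thread or from the Ethereal source, and it does not call the Ethereal API). The 'DMP' prefix, the 16-bit length field, the sample packet and the single-byte XOR standing in for the decryption DLL are all constructed; the heuristic is length-checked before it compares bytes because it runs on every unclaimed TCP segment, and the decrypted bytes go into a separate buffer, which is the role an ep_alloc()ed buffer wrapped by tvb_new_real_data() plays in a real dissector.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

#define KEY 0x5A   /* placeholder XOR "transform", standing in for the real decryption DLL */
static const uint8_t MAGIC[3] = { 'D', 'M', 'P' };   /* constructed 3-byte cleartext prefix */
/* Constructed capture: MAGIC, 16-bit body length (7), then the body XORed with KEY.
 * The plaintext body is { 0x07, "hello\0" }: a 1-byte type and a NUL-terminated name. */
const uint8_t SAMPLE_PKT[] = { 'D', 'M', 'P', 0x00, 0x07,
                               0x5D, 0x32, 0x3F, 0x36, 0x36, 0x35, 0x5A };
/* Heuristic test. It runs on every TCP segment no port-registered dissector
 * claimed, so check the length before reading bytes and reject on any doubt. */
int looks_like_proto(const uint8_t *pkt, size_t len)
{
    return len >= sizeof MAGIC + 2 && memcmp(pkt, MAGIC, sizeof MAGIC) == 0;
}
/* Decrypt the body into a separate buffer, as an ep_alloc()ed scratch area would
 * be: the captured bytes stay untouched so the original blob can still be shown. */
uint8_t *decrypt_body(const uint8_t *pkt, size_t len, size_t *out_len)
{
    if (!looks_like_proto(pkt, len)) return NULL;
    size_t body_len = ((size_t)pkt[3] << 8) | pkt[4];
    if (body_len > len - 5) return NULL;   /* the length field is attacker-controlled */
    uint8_t *buf = malloc(body_len + 1);   /* caller frees */
    if (!buf) return NULL;
    for (size_t i = 0; i < body_len; i++) buf[i] = pkt[5 + i] ^ KEY;
    *out_len = body_len;
    return buf;
}
/* Dissect off the decrypted buffer. Returns the type, or -1 if the plaintext is malformed. */
int dissect_decrypted(const uint8_t *buf, size_t len, char *name, size_t name_sz)
{
    if (len < 2) return -1;
    size_t n = len - 1;
    if (n > name_sz || memchr(buf + 1, '\0', n) == NULL) return -1;
    memcpy(name, buf + 1, n);
    return buf[0];
}
/* Whole flow on the first `len` bytes of SAMPLE_PKT; returns the type (7), or -1 if rejected. */
int demo(size_t len)
{
    size_t dlen = 0; char name[16];
    uint8_t *d = decrypt_body(SAMPLE_PKT, len, &dlen);
    if (!d) return -1;
    int type = dissect_decrypted(d, dlen, name, sizeof name);
    if (type >= 0 && strcmp(name, "hello") != 0) type = -1;
    free(d);
    return type;
}
```

Calling demo() with a length shorter than the packet models a truncated capture: the claimed body length no longer fits and the packet is rejected before any byte past the end is read.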