• siva
  • Member
  • Offline
  • Registered: 2013-11-12
  • Posts: 1

Topic: Sniffer ssl_DecodePacket Issue version 2.8.0

ssl_DecodePacket -> ProcessMessage -> DoApplicationData  in sniffer.c file.

DoApplicationData is working as expected in v.2.7.2 by removing the extra pad characters.

in v2.8.0 DoApplicationData is not removing the pad characters

Following lines are missing in v2.8.0 and i am not sure the issue is due that.

pad = *(input + idx + msgSz - ivExtra - 1);
padByte = 1;

dataSz = msgSz - ivExtra - digestSz - pad - padByte;

Testing was done with offline captured pcap file.

Much appreciated any help with this.

Thanks
Sivakumar

Share

  • From: Bozeman, MT
  • Registered: 2010-10-20
  • Posts: 650

Re: Sniffer ssl_DecodePacket Issue version 2.8.0

Hi Sivakumar,

The change you mentioned above was intentional.  Since we added support for encrypt/decrypt callbacks, padding is now handled at encrypt or decrypt time.

Are you using the same version of the sniffer as your are of wolfSSL?  If not, can you update both to the most current wolfSSL embedded SSL version?

If both are on the same version of wolfSSL, can you try using our most current version on GitHub and see if you still see the same problem?  wolfSSL on GitHub can be found here: https://github.com/cyassl/cyassl.

Do you mind if I ask what kind of project you are using the sniffer with?

Thanks,
Chris

https://www.wolfssl.com

chrisc's Website

Share

  • Registered: 2015-10-18
  • Posts: 3

Re: Sniffer ssl_DecodePacket Issue version 2.8.0

I'm using the pcap_loop callback then trying to use ssl_DecodePacket to decode in the callback function.  I'm getting an error in the trace:
Got a Packet to decode, packet 51
        dst:1.205.113.131 src:8.0.69.0
        Checking IP Header
        Wrong IP Version

It all works fine when I use:   pcap_next

How can I fix "ssl_DecodePacket" to work in a callback funciton?

Share

  • john
  • Moderator
  • Offline
  • From: Seattle, WA
  • Registered: 2011-11-14
  • Posts: 148

Re: Sniffer ssl_DecodePacket Issue version 2.8.0

Billy Bob:

It kind of looks like the filter isn't working on the PCAP loop. Since it is working with pcap_next(). The sniffer is assuming that the data passed to it starts with the IP frame, not with any link local headers.

Can I ask about your project? How are you using the sniffer?

--John

john's Website

Share

  • Registered: 2015-10-18
  • Posts: 3

Re: Sniffer ssl_DecodePacket Issue version 2.8.0

Changing an old performance monitor that had SSL for TLS 1.0 and hasn't been updated since 2010 or so.   Trying to add TLS 1.1 and 1.2.    Found wolfssl and thought it might be a great tool for doing this. The old code used the pcap_loop with a callback.  Suggestions?  I assume a rewrite of CheckHeaders function in sniffer.c may be needed.

Share

  • john
  • Moderator
  • Offline
  • From: Seattle, WA
  • Registered: 2011-11-14
  • Posts: 148

Re: Sniffer ssl_DecodePacket Issue version 2.8.0

Are you using VLAN IDs?

john's Website

Share

  • john
  • Moderator
  • Offline
  • From: Seattle, WA
  • Registered: 2011-11-14
  • Posts: 148

Re: Sniffer ssl_DecodePacket Issue version 2.8.0

Billy Bob:

In your callback for pcap_loop() are you accounting for the size of the ethernet header?

Our sniffer test code main function we have a variable called frame. It is normally set to 14, which is the size of the Ethernet frame header. (Or 4 if using a no-link interface.) The first thing that happens after receiving a packet from pcap_next() is the test adjusts the packet pointer past the ethernet frame header to the IP header (and adjusts the packet size accordingly) and then calls ssl_DecodePacket().

If the header isn't skipped, then the IP version number will be wrong as it is looking at part of the ethernet hardware address.

john's Website

Share

  • Registered: 2015-10-18
  • Posts: 3

Re: Sniffer ssl_DecodePacket Issue version 2.8.0

sniffer decrypting usually works when not going through an F5 load balancer, but works clients go directly to the servers and by-pass the F5.  At first we thought it was diffie-Hellman, but we made sure it  is turned off.  Here is what I think points to the  problem in the log..  The message "Decrypt Keys Not Set Up " is what I see different between setups that work and setups that don't work..  What could this mean?

Fri Jan 22 11:02:48 2016
    Got a Packet to decode, packet 6
    dst:10.49.10.133 src:10.49.10.143
    Checking IP Header
    dstPort:42684 srcPort:8081
    Checking TCP Header
    Sequence:3730116796, payload length:86
    Ack:104 Expected:104
    Expected sequence:1, received sequence:1
    Got a HandShake msg
    Got Server Hello msg
    Couldn't Resume Session Error

Fri Jan 22 11:02:48 2016
    Got a Packet to decode, packet 7
    dst:10.49.10.133 src:10.49.10.143
    Checking IP Header
    dstPort:42684 srcPort:8081
    Checking TCP Header
    Sequence:3730116882, payload length:59
    Ack:104 Expected:104
    Expected sequence:87, received sequence:87
    Session in Fatal Error State
    Got a Change Cipher Spec msg
    Another msg to Process
    Decrypt Keys Not Set Up

Fri Jan 22 11:02:48 2016
    Got a Packet to decode, packet 8
    dst:10.49.10.143 src:10.49.10.133
    Checking IP Header
    dstPort:8081 srcPort:42684
    Checking TCP Header
    Sequence:1171883772, payload length:0
    Ack:87 Expected:146
    Expected sequence:104, received sequence:104
    Session in Fatal Error State
    Partial SSL record received

Share