Wireshark-dev: Re: [Wireshark-dev] Listener (Tap) in Lua to write SSL cert bytes
From: Evan Huus <eapache@xxxxxxxxx>
Date: Fri, 24 May 2013 10:27:11 -0400
On Fri, May 24, 2013 at 10:04 AM, Rion Carter <rion@xxxxxxxxxx> wrote:
>
> Hi everyone,
>
> If this is the wrong place for my question please let me know. I've used Wireshark for 5 years now and am looking to get more out of this excellent tool.
>
> To get started I want to write a Tap that will write out the certificate used during an SSL handshake. While I think I have it setup to pull the cert, I can't seem to actually write the bytes to disk. Here is what I have:
>
> tap = Listener.new(nil, "ssl.handshake.certificate");
> Cert_info = Field.new("ssl.handshake.certificate");
>
> function tap.packet(pinfo, buffer, userdata)
>  local cert = Cert_info();
>  file:write(cert.value);
> end
>
> I have the file defined elsewhere. When I try to write I get a message about a "Bad argument to write". I'm on my phone right now or I'd post the full error text.
>
> Is this something I need to write in c, or does the Lua binding let me write non string data to files?

I think you're asking for the wrong field, actually (the lua code
looks fine to me). "ssl.handshake.certificate" appears to be a
non-typed field used just for a tree header. The actual certificate
appears to be parsed as a BER sequence, if I'm reading the code
correctly. If you open the capture in Wireshark and find the
certificate item in the tree, what is the actual field name listed as?

Evan