From 95a37ff2fe1017bd2a97e9f0d96d9fd0faffdbf4 Mon Sep 17 00:00:00 2001 From: Aurelien Aptel Date: Wed, 19 Feb 2020 22:16:45 +0100 Subject: SMB2: allow users to give decryption keys directly Previously users could only give a session key via uat:smb2_seskey_list:, which was used to generate the decryption keys, as long as the trace contained the session establishement. Users have often asked about how to decrypt traffic captured in the middle of an existing session but this wasn't possible. This commit extends uat:smb2_seskey_list with 2 extra columns to store decryption keys so that traffic can be decrypted at any point of the session. This has the side effect of changing the current syntax from: ... -o uat:smb2_seskey_list:, To: ... -o 'uat:smb2_seskey_list:,,"",""' (make sure the quoting is right) Change-Id: I810d464b6f3e749de39b4428d73e0d6be29f3152 Reviewed-on: https://code.wireshark.org/review/36135 Reviewed-by: Peter Wu Petri-Dish: Peter Wu Tested-by: Petri Dish Buildbot Reviewed-by: Alexis La Goutte --- test/suite_decryption.py | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) (limited to 'test') diff --git a/test/suite_decryption.py b/test/suite_decryption.py index 85a5dc7349..9a044bbcc8 100644 --- a/test/suite_decryption.py +++ b/test/suite_decryption.py @@ -1112,7 +1112,7 @@ class case_decrypt_smb2(subprocesstest.SubprocessTestCase): sesid = '1900009c003c0000' proc = self.assertRun((cmd_tshark, '-r', capture_file('smb300-aes-128-ccm.pcap.gz'), - '-o', 'uat:smb2_seskey_list:{},{}'.format(sesid, seskey), + '-o', 'uat:smb2_seskey_list:{},{},"",""'.format(sesid, seskey), '-Y', 'frame.number == 7', )) self.assertIn('Invalid header', proc.stdout_str) @@ -1122,7 +1122,7 @@ class case_decrypt_smb2(subprocesstest.SubprocessTestCase): sesid = '2900009c003c0000' proc = self.assertRun((cmd_tshark, '-r', capture_file('smb311-aes-128-ccm.pcap.gz'), - '-o', 'uat:smb2_seskey_list:{},{}'.format(sesid, seskey), + '-o', 'uat:smb2_seskey_list:{},{},"",""'.format(sesid, seskey), '-Y', 'frame.number == 7' )) self.assertIn('Invalid header', proc.stdout_str) @@ -1134,7 +1134,7 @@ class case_decrypt_smb2(subprocesstest.SubprocessTestCase): tree = r'\\dfsroot1.foo.test\IPC$' proc = self.assertRun((cmd_tshark, '-r', capture_file('smb300-aes-128-ccm.pcap.gz'), - '-o', 'uat:smb2_seskey_list:{},{}'.format(sesid, seskey), + '-o', 'uat:smb2_seskey_list:{},{},"",""'.format(sesid, seskey), '-Tfields', '-e', 'smb2.tree', '-Y', 'smb2.tree == "{}"'.format(tree.replace('\\', '\\\\')), @@ -1148,7 +1148,7 @@ class case_decrypt_smb2(subprocesstest.SubprocessTestCase): tree = r'\\dfsroot1.foo.test\IPC$' proc = self.assertRun((cmd_tshark, '-r', capture_file('smb311-aes-128-ccm.pcap.gz'), - '-o', 'uat:smb2_seskey_list:{},{}'.format(sesid, seskey), + '-o', 'uat:smb2_seskey_list:{},{},"",""'.format(sesid, seskey), '-Tfields', '-e', 'smb2.tree', '-Y', 'smb2.tree == "{}"'.format(tree.replace('\\', '\\\\')), @@ -1162,7 +1162,7 @@ class case_decrypt_smb2(subprocesstest.SubprocessTestCase): tree = r'\\dfsroot1.foo.test\IPC$' proc = self.assertRun((cmd_tshark, '-r', capture_file('smb311-aes-128-gcm.pcap.gz'), - '-o', 'uat:smb2_seskey_list:{},{}'.format(sesid, seskey), + '-o', 'uat:smb2_seskey_list:{},{},"",""'.format(sesid, seskey), '-Tfields', '-e', 'smb2.tree', '-Y', 'smb2.tree == "{}"'.format(tree.replace('\\', '\\\\')), -- cgit v1.2.3