wireshark-dev October 2010 archive

Re: [Wireshark-dev] Need help with decrypting wireshark data....

From: Al <shaselai_at_nospam>
Date: Thu Oct 14 2010 - 20:24:02 GMT
To: Developer support list for Wireshark <wireshark-dev@wireshark.org>

OK,
I found this message:

decrypt_ssl3_record: using server decoder
decrypt_ssl3_record: no decoder available
dissect_ssl3_handshake iteration 1 type 2 offset 5 length 70 bytes, remaining 4690
dissect_ssl3_hnd_hello_common found SERVER RANDOM -> state 0x13
dissect_ssl3_hnd_srv_hello found CIPHER 0x0004 -> state 0x17
dissect_ssl3_hnd_srv_hello trying to generate keys
ssl_generate_keyring_material not enough data to generate key (0x17 required 0x37 or 0x57)
dissect_ssl3_hnd_srv_hello can't generate keyring material

It seems the server decoder isn't available - how do I make it available or select some other decoder? I am kinda stuck on this... thanks!

--- On Thu, 10/14/10, Al <shaselai@yahoo.com> wrote:

> From: Al <shaselai@yahoo.com>
> Subject: Re: [Wireshark-dev] Need help with decrypting wireshark data....
> To: wireshark-dev@wireshark.org
> Date: Thursday, October 14, 2010, 3:11 PM
> I am pretty sure I am on the right
> server since the key is loaded and I checked netstat and
> found the IP of the webservice... but still from Wireshark
> the client basically does handshake and cert check with
> server and then afterwards server just sends "fin" and ends
> it.... really not sure what's going on here...
>
> --- On Wed, 10/13/10, Al <shaselai@yahoo.com> wrote:
>
> > From: Al <shaselai@yahoo.com>
> > Subject: Need help with decrypting wireshark data....
> > To: wireshark-dev@wireshark.org
> > Date: Wednesday, October 13, 2010, 5:13 PM
> > I followed a guide where I extracted
> > my private key and inserted it into the SSL from Wireshark
> > preferences like:
> >
> > 123.456.55.678,443,http,C:\testkey.pem
> >
> > I tried both http and https - I thought since I am talking
> > to server in https it might be https? Anyway, both failed to
> > decrypt (still see jargon raw data when I view TCP stream).
> > The debug log gives me:
> >
> >
> > ssl_association_remove removing TCP 443 - http handle
> > 03164D48
> > ssl_init keys string:
> > 123.456.55.678,443,http,C:\testkey.pem
> > ssl_init found host entry
> > 123.456.55.678,443,http,C:\testkey.pem
> > ssl_init addr '123.456.55.678' port '443' filename
> > 'C:\testkey.pem' password(only for p12 file) '(null)'
> > Private key imported: KeyID
> > 01:31:a7:9e:fc:94:8b:08:2f:17:65:13:20:f9:d3:81:...
> > ssl_init private key file C:\testkey.pem successfully
> > loaded
> > association_add TCP port 443 protocol http handle 03164D48
> >
> > dissect_ssl enter frame #4 (first time)
> > ssl_session_init: initializing ptr 04E41BAC size 584
> > conversation = 04E41868, ssl_session = 04E41BAC
> > record: offset = 0, reported_length_remaining = 100
> > packet_from_server: is from server - FALSE
> > ssl_find_private_key server 123.456.55.678:443
> > client random len: 32 padded to 32
> > dissect_ssl2_hnd_client_hello found CLIENT RANDOM -> state 0x01
> > ........
> >
> >
> > So it seems the key has been found and loaded BUT when I
> > check the STOPPED TCP stream it is still all jargon... what
> > am I doing wrong here? thanks
> >
> ___________________________________________________________________________
> Sent via: Wireshark-dev mailing list <wireshark-dev@wireshark.org>
> Archives: http://www.wireshark.org/lists/wireshark-dev
> Unsubscribe: https://wireshark.org/mailman/options/wireshark-dev
>
> mailto:wireshark-dev-request@wireshark.org?subject=unsubscribe
>

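Added example, not part of the original message and not Wireshark's own code: decoding the `state` bitmasks printed in the debug log above shows which handshake items the dissector had collected when it tried to generate keys. The flag names are an assumption based on the SSL dissector's state bits and are not stated in the message; the log lines are copied from it.

```python
import re

# Assumed meaning of each state bit (not given on the page).
STATE_BITS = {
    0x01: "CLIENT_RANDOM",
    0x02: "SERVER_RANDOM",
    0x04: "CIPHER",
    0x08: "HAVE_SESSION_KEY",
    0x10: "VERSION",
    0x20: "MASTER_SECRET",
    0x40: "PRE_MASTER_SECRET",
}

# Lines copied from the debug log quoted in the message.
LOG = """\
dissect_ssl3_hnd_hello_common found SERVER RANDOM -> state 0x13
dissect_ssl3_hnd_srv_hello found CIPHER 0x0004 -> state 0x17
ssl_generate_keyring_material not enough data to generate key (0x17 required 0x37 or 0x57)
"""

STATE_RE = re.compile(r"-> state (0x[0-9A-Fa-f]+)")
NOT_ENOUGH_RE = re.compile(
    r"not enough data to generate key "
    r"\((0x[0-9A-Fa-f]+) required (0x[0-9A-Fa-f]+) or (0x[0-9A-Fa-f]+)\)"
)

def decode_state(value):
    """Names of the bits set in a state value, lowest bit first."""
    return [name for bit, name in sorted(STATE_BITS.items()) if value & bit]

def state_transitions(log):
    """(state, flag names) for every '-> state 0xNN' line."""
    return [(int(m.group(1), 16), decode_state(int(m.group(1), 16)))
            for m in STATE_RE.finditer(log)]

def missing_for_keys(log):
    """For each 'not enough data' line: the flags each accepted state still lacks."""
    result = []
    for m in NOT_ENOUGH_RE.finditer(log):
        have, *wanted = (int(g, 16) for g in m.groups())
        result.append([decode_state(w & ~have) for w in wanted])
    return result

if __name__ == "__main__":
    for state, flags in state_transitions(LOG):
        print(f"state 0x{state:02x}: {', '.join(flags)}")
    for alternatives in missing_for_keys(LOG):
        print("key generation still needs one of:", alternatives)
```

In this log both accepted states lack only a master or pre-master secret, and the attempt is made while dissecting the ServerHello (handshake type 2), before any ClientKeyExchange has been seen.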
      