wireshark-users October 2010 archive
Main Archive Page > Month Archives  > wireshark-users archives
wireshark-users: Re: [Wireshark-users] need help with decrypting

Re: [Wireshark-users] need help with decrypting ssl messages

From: Burks, Doug <doug.burks_at_nospam>
Date: Thu Oct 14 2010 - 19:47:58 GMT
To: "Community support list for Wireshark" <wireshark-users@wireshark.org>

Your preferences config looks correct (it should be "http" NOT "https").

Two questions:
1. Does your capture contain the ENTIRE conversation (including the
Client Hello)?
2. Have you tried "Follow SSL Stream" instead of "Follow TCP Stream"?

Regards,
-- Doug Burks, GSE, CISSP -----Original Message----- From: wireshark-users-bounces@wireshark.org [mailto:wireshark-users-bounces@wireshark.org] On Behalf Of Al Sent: Thursday, October 14, 2010 3:15 PM To: wireshark-users@wireshark.org Subject: [Wireshark-users] need help with decrypting ssl messages I followed a guide where I extracted my private key and insert it into the SSL from wireshark preferences like: 123.456.55.678,443,http,C:\testkey.pem I tried both http and https - i thought since i am talking to server in https it might be https? Anyway, both failed to decrypt (still see jargon raw data when i view TCP stream. The debug log gives me: ssl_association_remove removing TCP 443 - http handle 03164D48 ssl_init keys string: 123.456.55.678,443,http,C:\testkey.pem ssl_init found host entry 123.456.55.678,443,http,C:\testkey.pem ssl_init addr '123.456.55.678' port '443' filename 'C:\testkey.pem' password(only for p12 file) '(null)' Private key imported: KeyID 01:31:a7:9e:fc:94:8b:08:2f:17:65:13:20:f9:d3:81:... ssl_init private key file C:\testkey.pem successfully loaded association_add TCP port 443 protocol http handle 03164D48 dissect_ssl enter frame #4 (first time) ssl_session_init: initializing ptr 04E41BAC size 584 conversation = 04E41868, ssl_session = 04E41BAC record: offset = 0, reported_length_remaining = 100 packet_from_server: is from server - FALSE ssl_find_private_key server 123.456.55.678:443 client random len: 32 padded to 32 dissect_ssl2_hnd_client_hello found CLIENT RANDOM -> state 0x01 ........ So it seems the key has been found and loaded BUT when i check the STOPPED TCP stream it is still all jargon... what am i doing wrong here? thanks I am pretty sure i am on the right server since the key is loaded and i checked netstat and found the ip of the webservice... but still from wire shark the client basically does handshake and cert check with server and then afterwards server just sends "fin" and ends it.... really not sure whats going on here... ________________________________________________________________________ ___ Sent via: Wireshark-users mailing list <wireshark-users@wireshark.org> Archives: http://www.wireshark.org/lists/wireshark-users Unsubscribe: https://wireshark.org/mailman/options/wireshark-users mailto:wireshark-users-request@wireshark.org?subject=unsubscribe ___________________________________________________________________________ Sent via: Wireshark-users mailing list <wireshark-users@wireshark.org> Archives: http://www.wireshark.org/lists/wireshark-users Unsubscribe: https://wireshark.org/mailman/options/wireshark-users mailto:wireshark-users-request@wireshark.org?subject=unsubscribe