Wireshark-users: Re: [Wireshark-users] wireshark ssl decryption for dummies

From: "ronnie sahlberg" <ronniesahlberg@xxxxxxxxx>
Date: Tue, 12 Sep 2006 20:25:21 +0000
On 9/12/06, Andrew Schweitzer <a.schweitzer.grps@xxxxxxxxx> wrote:
> Hello, I'm trying to decrypt some SSL traffic.
>
> The connection initiator talks to port 37000. It talks a proprietary
> protocol (one not present in wireshark). I have the keys of the
> initiator and the listener. I am capturing on the listener. What should
> my RSA keys list be?
>
> Should it be:
> 127.0.0.1,3700,3700,e:\keys\initiator.key?
> or maybe
>
> I don't get decrypted data in either case. SSL log says, in second case:
>
> ===Begin SSL log===
> ssl_init keys string 127.0.0.1,37000,37000,c:\keys\initiator.key
> ssl_init found host entry 127.0.0.1,37000,37000,c:\keys\initiator.key
> ssl_init addr 127.0.0.1 port 37000 filename c:\keys\initiator.key
> ssl_get_version: 1.5.0
> ssl_init private key file c:\keys\initiator.key successfully loaded
> association_add port 37000 protocol 37000 handle 00000000
> ===End SSL log===
>
> Can decryption only occur if the conversation is sniffed from its
> beginning?

yes

> Do I need both initiator and listener keys?

no, the server's key should be sufficient

> Why is there both a port and protocol specified? How would you

the protocol is used to tell wireshark what the next payload is, i.e.
what is inside the ssl wrapping

> differentiate two protocols on the same port? What if the protocol is
> unknown, (or at least there's no dissector for it?)

then you can probably specify "data" instead to use the "data" dissector

try:
127.0.0.1,3700,data,e:\keys\server.key

Thanks
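As an added example, not code from this thread or from the Wireshark project: a small Python validator for the RSA keys list format the thread discusses (ip,port,protocol,keyfile). It checks the three things that went wrong above: the entry's port must match the server port actually seen in the capture (the log shows 37000), the protocol field must name a dissector that exists (or "data" when there is none), and the key file must be a readable PEM private key. Assumptions: multiple entries are separated by ';', the key is PEM-encoded, and the list of known dissector names is a stand-in; the "key file" written by the demo is a constructed placeholder, not a real key.

```python
"""Offline validator for Wireshark RSA keys-list entries (added example).

Assumes entries look like  ip,port,protocol,keyfile  separated by ';'
and that the private key is PEM-encoded.  The dissector-name list is a
stand-in for Wireshark's real registry.
"""
import ipaddress
import os
import tempfile

PEM_HEADERS = ("-----BEGIN RSA PRIVATE KEY-----", "-----BEGIN PRIVATE KEY-----")


def parse_keys_list(keys_list):
    """Split 'ip,port,protocol,keyfile;...' into dicts; raise ValueError on malformed fields."""
    entries = []
    for raw in keys_list.split(";"):
        raw = raw.strip()
        if not raw:
            continue
        fields = raw.split(",")
        if len(fields) != 4:
            raise ValueError(f"expected 4 comma-separated fields, got {len(fields)}: {raw!r}")
        ip, port, protocol, keyfile = (f.strip() for f in fields)
        ipaddress.ip_address(ip)  # raises ValueError for a bad address
        port_num = int(port)
        if not 1 <= port_num <= 65535:
            raise ValueError(f"port out of range: {port}")
        if not protocol:
            raise ValueError("protocol field is empty; use 'data' when no dissector exists")
        entries.append({"ip": ip, "port": port_num, "protocol": protocol, "keyfile": keyfile})
    return entries


def check_entry(entry, observed_port, known_dissectors=("http", "data")):
    """Return the problems a practitioner would hit with this entry (empty list = looks usable)."""
    problems = []
    if entry["port"] != observed_port:
        problems.append(f"entry port {entry['port']} != server port {observed_port} seen in the capture")
    if entry["protocol"] not in known_dissectors:
        problems.append(f"no dissector named {entry['protocol']!r}; use 'data' for an unknown payload")
    if not os.path.isfile(entry["keyfile"]):
        problems.append(f"key file not found: {entry['keyfile']}")
    else:
        with open(entry["keyfile"], "rb") as fh:
            head = fh.read(64).decode("ascii", "replace")
        if not head.startswith(PEM_HEADERS):
            problems.append("key file is not PEM-encoded; Wireshark needs the server's private key in PEM")
    return problems


def demo():
    """Check the thread's first attempt and the suggested fix against a constructed placeholder key file."""
    with tempfile.NamedTemporaryFile("w", suffix=".key", delete=False) as fh:
        # Constructed placeholder: only the PEM framing is present, no real key material.
        fh.write("-----BEGIN RSA PRIVATE KEY-----\nPLACEHOLDER-NOT-A-KEY\n-----END RSA PRIVATE KEY-----\n")
        keyfile = fh.name
    try:
        # Port 37000 is the server port the SSL log in the thread reports.
        first_try = check_entry(parse_keys_list(f"127.0.0.1,3700,3700,{keyfile}")[0], observed_port=37000)
        fixed = check_entry(parse_keys_list(f"127.0.0.1,37000,data,{keyfile}")[0], observed_port=37000)
    finally:
        os.unlink(keyfile)
    return first_try, fixed


if __name__ == "__main__":
    before, after = demo()
    print("first attempt:", before)   # two problems: wrong port, '3700' is not a dissector
    print("corrected entry:", after)  # []
```

The port check reflects the "must capture from the beginning" answer in the thread only indirectly: Wireshark can only match the entry to a conversation whose handshake it saw, so a wrong port silently produces no decryption at all, which is why comparing the entry against the port in the ssl_init/association_add log lines is the first thing to verify.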

_______________________________________________
Wireshark-users mailing list
Wireshark-users@xxxxxxxxxxxxx
http://www.wireshark.org/mailman/listinfo/wireshark-users