ronnie sahlberg wrote:
> On 9/12/06, Andrew Schweitzer <a.schweitzer.grps@xxxxxxxxx> wrote:
> > Hello, I'm trying to decrypt some SSL traffic.
> > The connection initiator talks to port 37000. It talks a proprietary
> > protocol (one not present in wireshark). I have the keys of the
> > initiator and the listener. I am capturing on the listener. What should
> > my RSA keys list be?
> > Should it be:
> > 127.0.0.1,3700,3700,e:\keys\initiator.key?
> > or maybe
> > I don't get decrypted data in either case. SSL log says, in second case:
> > ===Begin SSL log===
> > ssl_init keys string 127.0.0.1,37000,37000,c:\keys\initiator.key
> > ssl_init found host entry 127.0.0.1,37000,37000,c:\keys\initiator.key
> > ssl_init addr 127.0.0.1 port 37000 filename c:\keys\initiator.key
> > ssl_get_version: 1.5.0
> > ssl_init private key file c:\keys\initiator.key successfully loaded
> > association_add port 37000 protocol 37000 handle 00000000
> > ===End SSL log===
> > Can decryption only occur if the conversation is sniffed from its
> > beginning?
>
> yes
>
> > Do I need both initiator and listener keys?
>
> no, the server's key should be sufficient
>
> > Why is there both a port and protocol specified? How would you
>
> the protocol is used to tell wireshark what the next payload is, i.e.
> what is inside the ssl wrapping
>
> > differentiate two protocols on the same port? What if the protocol is
> > unknown, (or at least there's no dissector for it?)
>
> then you can probably specify "data" instead to use the "data" dissector
> try:
> 127.0.0.1,3700,data,e:\keys\server.key
>
> > Thanks
> > _______________________________________________
> > Wireshark-users mailing list
> > Wireshark-users@xxxxxxxxxxxxx
> > http://www.wireshark.org/mailman/listinfo/wireshark-users
Hi Ronnie!
As you seem to be the one with some knowledge about the SSL stuff, is
there a place where all this is explained?
I get the feeling that a lot of current stuff will only be usable to the
developers, as no one else gets a clue how it's working (including me :-).
Could you start a Wiki page about how to use the SSL stuff?
Regards, ULFL
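
A small checker for the RSA keys list entry format discussed in this thread (`address,port,protocol,keyfile`), as an added example that is not part of the original messages or of Wireshark. The function name `lint_keys_entry` and its `listener_port` parameter are assumptions made for illustration; the two sample entries are copied from the thread.

```python
import ipaddress


def lint_keys_entry(entry, listener_port=None):
    """Return a list of problems found in one 'address,port,protocol,keyfile' entry."""
    # The key file path may itself contain commas, so split at most three times.
    fields = [f.strip() for f in entry.split(",", 3)]
    if len(fields) != 4:
        return ["expected 4 comma-separated fields: address,port,protocol,keyfile"]
    addr, port, proto, keyfile = fields
    problems = []
    try:
        ipaddress.ip_address(addr)
    except ValueError:
        problems.append(f"address {addr!r} is not an IP address")
    if not (port.isascii() and port.isdigit()) or not 1 <= int(port) <= 65535:
        problems.append(f"port {port!r} is not a TCP port number")
    elif listener_port is not None and int(port) != listener_port:
        # Catches a mistyped port: the entry must match the port the listener uses.
        problems.append(f"port {port} differs from the listener port {listener_port}")
    # The third field names the dissector for the decrypted payload, so a
    # number here (the port repeated) does not select any dissector.
    if not proto:
        problems.append("protocol field is empty")
    elif proto.isdigit():
        problems.append(f"protocol {proto!r} is a number, not a dissector name; "
                        "use 'data' when no dissector exists")
    if not keyfile:
        problems.append("key file path is empty")
    return problems


# Entries copied from the thread: the one in the SSL log and the suggested one.
LOGGED = r"127.0.0.1,37000,37000,c:\keys\initiator.key"
SUGGESTED = r"127.0.0.1,3700,data,e:\keys\server.key"

if __name__ == "__main__":
    for e in (LOGGED, SUGGESTED):
        print(e, "->", lint_keys_entry(e, listener_port=37000) or "ok")
```

The checker only inspects the entry string; it cannot tell whether the key file is the server's key or whether the capture includes the start of the conversation, both of which the replies above say decryption depends on.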