Wireshark-users: Re: [Wireshark-users] using ssl filter for ssh traffic?

From: Jaap Keuter <jaap.keuter@xxxxxxxxx>
Date: Thu, 5 Oct 2006 22:21:42 +0200 (CEST)
Hi,

See http://www.rpatrick.com/tech/ssh-ssl/

Thanx,
Jaap

On Thu, 5 Oct 2006, Jeff Sadowski wrote:

> Is it possible to use the ssl filter for ssh traffic?
> I was trying to use it. I think I figured out how to use the ssl filter,
> and after I experiment with it I'd like to write about it on the wiki.
> I think the problem I am having is that I am trying to use it for ssh
> traffic, which I thought used ssl.
> Has anyone successfully used the ssl filter to filter out ssh traffic?
> Here is what I tried.
>
> In the preferences I went down to the ssl protocol and in
> RSA key lists: 127.0.0.1,22,ssl,/etc/ssh/ssh_host_rsa_key
> SSL debug file: /root/ssldebug.txt
>
> Then I start my capture on lo
> and I start an ssh session to 127.0.0.1
>
> Then I select the part of the ssh traffic, the one that says Continuation Data
>
> Then in the Analyze menu I select "decode as"
> Then I select both ports then SSL
>
> Then under Analyze menu I have an option to Follow SSL Stream
> (I suspect under normal ssl I would see text going across, I'll start
> an ssl page later and try this)
>
> But it always comes up empty. Below I'll post the error log from ssldebug.txt
>
> association_remove_handle removing ptr 0x9b31f08 handle 0x98ab4e0
> association_remove_handle removing ptr 0x9b31ca0 handle 0x98c90e0
> association_remove_handle removing ptr 0x9b31be0 handle 0x989c2e8
> association_remove_handle removing ptr 0x9b319a0 handle 0x992c9b0
> ssl_init keys string 172.24.0.21,22,ssl,/root/www.ssh_host_rsa_key
> ssl_init found host entry 172.24.0.21,22,ssl,/root/www.ssh_host_rsa_key
> ssl_init addr 172.24.0.21 port 22 filename /root/www.ssh_host_rsa_key
> ssl_get_version: 1.2.10
> ssl_init private key file /root/www.ssh_host_rsa_key successfully loaded
> association_add port 22 protocol ssl handle 0x9a3e170
> association_add port 443 protocol http handle 0x98ab4e0
> association_add port 636 protocol ldap handle 0x98c90e0
> association_add port 993 protocol imap handle 0x989c2e8
> association_add port 995 protocol pop handle 0x992c9b0
> ssl_session_init: initializing ptr 0xb2bda978 size 568
> association_find: port 22 found 0x9b7a410
> packet_from_server: is from server 1
> dissect_ssl server 127.0.0.1:22
> _______________________________________________
> Wireshark-users mailing list
> Wireshark-users@xxxxxxxxxxxxx
> http://www.wireshark.org/mailman/listinfo/wireshark-users
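The reason the procedure quoted above yields an empty "Follow SSL Stream" is that SSH and SSL/TLS are unrelated protocols on the wire: an SSH connection opens with a plain-text identification string (RFC 4253), while an SSL/TLS connection opens with a five-byte record header carrying a ClientHello (RFC 5246). Loading the SSH host key into Wireshark's RSA key list therefore gives the SSL dissector nothing it can parse, let alone decrypt. The following script, written for this page and not part of the thread or of Wireshark, shows what those first bytes look like by classifying a TCP payload as SSH, TLS, or unknown. The function names and the two sample payloads are constructed for the example.

```python
"""Added example (not from the Wireshark-users thread or from Wireshark itself):
classify the opening bytes of a TCP payload as SSH or TLS/SSL.

SSH (RFC 4253 section 4.2) starts with "SSH-protoversion-softwareversion CR LF".
TLS (RFC 5246 section 6.2.1) starts with a record header: type(1) version(2) length(2),
normally a Handshake record (0x16) whose first message is a ClientHello (0x01).
The sample payloads at the bottom are constructed, not captured."""

from typing import Optional

# TLS record content types (RFC 5246 section 6.2.1)
TLS_CONTENT_TYPES = {20: "change_cipher_spec", 21: "alert", 22: "handshake", 23: "application_data"}
# Handshake message types that open a connection
TLS_HANDSHAKE_TYPES = {1: "client_hello", 2: "server_hello"}


def parse_ssh_identification(payload: bytes) -> Optional[dict]:
    """Parse the SSH identification string "SSH-protoversion-softwareversion [SP comments] CR LF".
    Returns None if the payload does not begin with a complete identification line."""
    if not payload.startswith(b"SSH-"):
        return None
    end = payload.find(b"\r\n")
    if end == -1:
        # RFC 4253 allows servers to accept a bare LF from older clients.
        end = payload.find(b"\n")
        if end == -1:
            return None
    line = payload[:end].decode("ascii", errors="replace")
    head, _, comments = line.partition(" ")
    parts = head.split("-", 2)  # "SSH", protoversion, softwareversion
    if len(parts) != 3:
        return None
    return {"protoversion": parts[1], "softwareversion": parts[2], "comments": comments}


def parse_tls_record_header(payload: bytes) -> Optional[dict]:
    """Parse a TLS/SSLv3 record header. Returns None if the bytes do not look like one."""
    if len(payload) < 5:
        return None
    content_type, major, minor = payload[0], payload[1], payload[2]
    length = int.from_bytes(payload[3:5], "big")
    # SSLv3 and TLS 1.0 through 1.3 all use major version 3 in the record layer.
    if content_type not in TLS_CONTENT_TYPES or major != 3 or minor > 4:
        return None
    rec = {"content_type": TLS_CONTENT_TYPES[content_type], "version": (major, minor), "length": length}
    if content_type == 22 and len(payload) >= 6:
        rec["handshake_type"] = TLS_HANDSHAKE_TYPES.get(payload[5], "other")
    return rec


def classify_stream(payload: bytes) -> str:
    """Label a stream by its first bytes. An "ssh" stream has no TLS records for an
    SSL dissector to work on, whatever keys have been configured."""
    if parse_ssh_identification(payload) is not None:
        return "ssh"
    if parse_tls_record_header(payload) is not None:
        return "tls"
    return "unknown"


# Constructed samples: an SSH-2 server banner followed by the start of a binary packet,
# and a TLS 1.0 Handshake record header (length 0x2f) carrying a ClientHello.
SSH_SAMPLE = b"SSH-2.0-OpenSSH_4.3 Debian-constructed\r\n\x00\x00\x01\x2c"
TLS_SAMPLE = b"\x16\x03\x01\x00\x2f\x01\x00\x00\x2b\x03\x01" + b"\x00" * 32

if __name__ == "__main__":
    for name, sample in (("ssh", SSH_SAMPLE), ("tls", TLS_SAMPLE)):
        details = parse_ssh_identification(sample) or parse_tls_record_header(sample)
        print(name, "->", classify_stream(sample), details)
```

The same check can be applied to a real capture by feeding the first TCP segment of each stream into `classify_stream`; a stream that classifies as "ssh" is one where the "Decode As ... SSL" step in the quoted message will never produce readable output.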