Wireshark-users: [Wireshark-users] How to decode non-standard SSL traffic

Date: Mon, 22 Jan 2007 14:20:41 -0500
Title: How to decode non-standard SSL traffic

Hi

I've successfully used the rsasnakeoil2 capture file, key file and instructions to decode the encrypted content of an SSL session using Wireshark.  Now, I'd like to do the same thing for several other sessions, including:

  • An openssl s_client/s_server session
  • A client/server session involving a proprietary product

I know that the way to decode the SSL traffic is to provide four items of information to Wireshark's Edit … Preferences … Protocols … SSL … 'RSA keys list' box:

<ip>,<port>,<protocol>,<key>

When I'm decoding a SSL-encrypted HTTP session, the values to put in 'port' and 'protocol' are obvious.  But what about an openssl s_client/s_server session?  I can see that the port is 4433 (which can be over-ridden).  But what would the 'protocol' value be for openssl s_server?  And, what 'protocol' value would I use for a proprietary client/server application?  Is there some generic 'just dump out the text' protocol I should use?

Thanks!
tl

Terry Lemons
CLARiiON Appliance Engineering
CLARiiON Application Solutions Integration

EMC²
where information lives
4400 Computer Drive, MS D239
Westboro MA 01580
Phone: 508 898 7312
Email: Lemons_Terry@xxxxxxx
Picture (Metafile) Picture (Metafile)