Wireshark-users: Re: [Wireshark-users] How to decode non-standard SSL traffic
From: lemons_terry@xxxxxxx
Date: Tue, 23 Jan 2007 09:51:02 -0500
Thanks for the reply. I have no idea why it isn't decoding. I've attached the whole ssl debug file. Any clues? What else can I do to help debug this? Thanks tl ssl_init keys string 192.168.11.114,4433,data,/tmp/server.key ssl_init found host entry 192.168.11.114,4433,data,/tmp/server.key ssl_init addr 192.168.11.114 port 4433 filename /tmp/server.key ssl_get_version: 1.0.8 ssl_load_key: swapping p and q parametes ssl_init private key file /tmp/server.key successfully loaded association_add TCP port 4433 protocol data handle 0x8288d08 association_find: TCP port 443 found 0x8507500 ssl_association_remove removing TCP 443 - http handle 0x82eb880 association_add TCP port 443 protocol http handle 0x82eb880 association_find: TCP port 636 found 0x8519388 ssl_association_remove removing TCP 636 - ldap handle 0x830f260 association_add TCP port 636 protocol ldap handle 0x830f260 association_find: TCP port 993 found 0x85193b0 ssl_association_remove removing TCP 993 - imap handle 0x82f9ec0 association_add TCP port 993 protocol imap handle 0x82f9ec0 association_find: TCP port 995 found 0x85193e8 ssl_association_remove removing TCP 995 - pop handle 0x8363088 association_add TCP port 995 protocol pop handle 0x8363088 dissect_ssl enter frame #254 ssl_session_init: initializing ptr 0x4235eae0 size 568 association_find: TCP port 24531 found (nil) packet_from_server: is from server 0 dissect_ssl server 192.168.11.114:4433 client random len: 32 padded to 32 dissect_ssl enter frame #262 dissect_ssl3_record: content_type 22 decrypt_ssl3_record: app_data len 74 ssl state 11 decrypt_ssl3_record: no session key dissect_ssl3_handshake iteration 1 type 2 offset 5 length 70 bytes, remaining 79 dissect_ssl3_hnd_hello_common found random state 13 dissect_ssl3_hnd_srv_hello can't find cipher suite 39 dissect_ssl3_record: content_type 22 decrypt_ssl3_record: app_data len 922 ssl state 13 decrypt_ssl3_record: no session key dissect_ssl3_handshake iteration 1 type 11 offset 84 length 918 bytes, remaining 1006 dissect_ssl3_record: content_type 22 decrypt_ssl3_record: app_data len 269 ssl state 13 decrypt_ssl3_record: no session key dissect_ssl3_handshake iteration 1 type 12 offset 1011 length 265 bytes, remaining 1280 dissect_ssl3_record: content_type 22 decrypt_ssl3_record: app_data len 4 ssl state 13 decrypt_ssl3_record: no session key dissect_ssl3_handshake iteration 1 type 14 offset 1285 length 0 bytes, remaining 1289 dissect_ssl enter frame #266 dissect_ssl3_record: content_type 22 decrypt_ssl3_record: app_data len 70 ssl state 13 decrypt_ssl3_record: no session key dissect_ssl3_handshake iteration 1 type 16 offset 5 length 66 bytes, remaining 75 dissect_ssl3_handshake found SSL_HND_CLIENT_KEY_EXCHG state 13 dissect_ssl3_handshake not enough data to generate key (required 17) dissect_ssl3_record: content_type 20 dissect_ssl3_change_cipher_spec dissect_ssl3_record: content_type 22 decrypt_ssl3_record: app_data len 48 ssl state 13 decrypt_ssl3_record: no session key dissect_ssl3_handshake iteration 1 type 105 offset 86 length 4484948 bytes, remaining 134 dissect_ssl enter frame #267 dissect_ssl3_record: content_type 20 dissect_ssl3_change_cipher_spec dissect_ssl3_record: content_type 22 decrypt_ssl3_record: app_data len 48 ssl state 13 decrypt_ssl3_record: no session key dissect_ssl3_handshake iteration 1 type 247 offset 11 length 11649299 bytes, remaining 59 dissect_ssl enter frame #312 dissect_ssl3_record: content_type 23 decrypt_ssl3_record: app_data len 32 ssl state 13 decrypt_ssl3_record: no session key association_find: TCP port 24531 found (nil) association_find: TCP port 4433 found 0x8554540 dissect_ssl3_record: content_type 23 decrypt_ssl3_record: app_data len 32 ssl state 13 decrypt_ssl3_record: no session key association_find: TCP port 24531 found (nil) association_find: TCP port 4433 found 0x8554540 dissect_ssl enter frame #394 dissect_ssl3_record: content_type 23 decrypt_ssl3_record: app_data len 32 ssl state 13 decrypt_ssl3_record: no session key association_find: TCP port 24531 found (nil) association_find: TCP port 4433 found 0x8554540 dissect_ssl3_record: content_type 23 decrypt_ssl3_record: app_data len 32 ssl state 13 decrypt_ssl3_record: no session key association_find: TCP port 24531 found (nil) association_find: TCP port 4433 found 0x8554540 dissect_ssl enter frame #510 dissect_ssl3_record: content_type 23 decrypt_ssl3_record: app_data len 32 ssl state 13 decrypt_ssl3_record: no session key association_find: TCP port 24531 found (nil) association_find: TCP port 4433 found 0x8554540 dissect_ssl3_record: content_type 23 decrypt_ssl3_record: app_data len 32 ssl state 13 decrypt_ssl3_record: no session key association_find: TCP port 24531 found (nil) association_find: TCP port 4433 found 0x8554540 dissect_ssl enter frame #536 dissect_ssl3_record: content_type 21 decrypt_ssl3_record: app_data len 32 ssl state 13 decrypt_ssl3_record: no session key dissect_ssl enter frame #254 dissect_ssl enter frame #262 dissect_ssl3_record: content_type 22 dissect_ssl3_handshake iteration 1 type 2 offset 5 length 70 bytes, remaining 79 dissect_ssl3_record: content_type 22 dissect_ssl3_handshake iteration 1 type 11 offset 84 length 918 bytes, remaining 1006 dissect_ssl3_record: content_type 22 dissect_ssl3_handshake iteration 1 type 12 offset 1011 length 265 bytes, remaining 1280 dissect_ssl3_record: content_type 22 dissect_ssl3_handshake iteration 1 type 14 offset 1285 length 0 bytes, remaining 1289 dissect_ssl enter frame #266 dissect_ssl3_record: content_type 22 dissect_ssl3_handshake iteration 1 type 16 offset 5 length 66 bytes, remaining 75 dissect_ssl3_record: content_type 20 dissect_ssl3_change_cipher_spec dissect_ssl3_record: content_type 22 dissect_ssl3_handshake iteration 1 type 105 offset 86 length 4484948 bytes, remaining 134 dissect_ssl enter frame #267 dissect_ssl3_record: content_type 20 dissect_ssl3_change_cipher_spec dissect_ssl3_record: content_type 22 dissect_ssl3_handshake iteration 1 type 247 offset 11 length 11649299 bytes, remaining 59 dissect_ssl enter frame #312 dissect_ssl3_record: content_type 23 association_find: TCP port 24531 found (nil) association_find: TCP port 4433 found 0x8554540 dissect_ssl3_record: content_type 23 association_find: TCP port 24531 found (nil) association_find: TCP port 4433 found 0x8554540 dissect_ssl enter frame #394 dissect_ssl3_record: content_type 23 association_find: TCP port 24531 found (nil) association_find: TCP port 4433 found 0x8554540 dissect_ssl3_record: content_type 23 association_find: TCP port 24531 found (nil) association_find: TCP port 4433 found 0x8554540 dissect_ssl enter frame #510 dissect_ssl3_record: content_type 23 association_find: TCP port 24531 found (nil) association_find: TCP port 4433 found 0x8554540 dissect_ssl3_record: content_type 23 association_find: TCP port 24531 found (nil) association_find: TCP port 4433 found 0x8554540 dissect_ssl enter frame #536 dissect_ssl3_record: content_type 21 dissect_ssl enter frame #312 dissect_ssl3_record: content_type 23 association_find: TCP port 24531 found (nil) association_find: TCP port 4433 found 0x8554540 dissect_ssl3_record: content_type 23 association_find: TCP port 24531 found (nil) association_find: TCP port 4433 found 0x8554540 dissect_ssl enter frame #312 dissect_ssl3_record: content_type 23 association_find: TCP port 24531 found (nil) association_find: TCP port 4433 found 0x8554540 dissect_ssl3_record: content_type 23 association_find: TCP port 24531 found (nil) association_find: TCP port 4433 found 0x8554540 dissect_ssl enter frame #394 dissect_ssl3_record: content_type 23 association_find: TCP port 24531 found (nil) association_find: TCP port 4433 found 0x8554540 dissect_ssl3_record: content_type 23 association_find: TCP port 24531 found (nil) association_find: TCP port 4433 found 0x8554540 dissect_ssl enter frame #394 dissect_ssl3_record: content_type 23 association_find: TCP port 24531 found (nil) association_find: TCP port 4433 found 0x8554540 dissect_ssl3_record: content_type 23 association_find: TCP port 24531 found (nil) association_find: TCP port 4433 found 0x8554540 dissect_ssl enter frame #510 dissect_ssl3_record: content_type 23 association_find: TCP port 24531 found (nil) association_find: TCP port 4433 found 0x8554540 dissect_ssl3_record: content_type 23 association_find: TCP port 24531 found (nil) association_find: TCP port 4433 found 0x8554540 dissect_ssl enter frame #510 dissect_ssl3_record: content_type 23 association_find: TCP port 24531 found (nil) association_find: TCP port 4433 found 0x8554540 dissect_ssl3_record: content_type 23 association_find: TCP port 24531 found (nil) association_find: TCP port 4433 found 0x8554540 dissect_ssl enter frame #312 dissect_ssl3_record: content_type 23 association_find: TCP port 24531 found (nil) association_find: TCP port 4433 found 0x8554540 dissect_ssl3_record: content_type 23 association_find: TCP port 24531 found (nil) association_find: TCP port 4433 found 0x8554540 dissect_ssl enter frame #312 dissect_ssl3_record: content_type 23 association_find: TCP port 24531 found (nil) association_find: TCP port 4433 found 0x8554540 dissect_ssl3_record: content_type 23 association_find: TCP port 24531 found (nil) association_find: TCP port 4433 found 0x8554540 dissect_ssl enter frame #394 dissect_ssl3_record: content_type 23 association_find: TCP port 24531 found (nil) association_find: TCP port 4433 found 0x8554540 dissect_ssl3_record: content_type 23 association_find: TCP port 24531 found (nil) association_find: TCP port 4433 found 0x8554540 dissect_ssl enter frame #510 dissect_ssl3_record: content_type 23 association_find: TCP port 24531 found (nil) association_find: TCP port 4433 found 0x8554540 dissect_ssl3_record: content_type 23 association_find: TCP port 24531 found (nil) association_find: TCP port 4433 found 0x8554540 >Hi, > >more important for detecting why it is not decoded are packets from SSL >handshake > >you should see e.g. following: > >... >dissect_ssl3_hnd_hello_common found CLIENT RANDOM -> state 0x01 >... >dissect_ssl3_hnd_hello_common found SERVER RANDOM -> state 0x13 >dissect_ssl3_hnd_srv_hello found CIPHER 0x002F -> state 0x17 >... >dissect_ssl3_handshake found SSL_HND_CLIENT_KEY_EXCHG state 0x17 >... >dissect_ssl3_handshake session keys succesfully generated
- Follow-Ups:
- Re: [Wireshark-users] How to decode non-standard SSL traffic
- From: Kukosa, Tomas
- Re: [Wireshark-users] How to decode non-standard SSL traffic
- References:
- Re: [Wireshark-users] How to decode non-standard SSL traffic
- From: lemons_terry
- Re: [Wireshark-users] How to decode non-standard SSL traffic
- From: Kukosa, Tomas
- Re: [Wireshark-users] How to decode non-standard SSL traffic
- Prev by Date: Re: [Wireshark-users] How to decode non-standard SSL traffic
- Next by Date: Re: [Wireshark-users] How to decode non-standard SSL traffic
- Previous by thread: Re: [Wireshark-users] How to decode non-standard SSL traffic
- Next by thread: Re: [Wireshark-users] How to decode non-standard SSL traffic
- Index(es):