Hi Sake,
Looking at the capture, I seem to have plenty of out-of-order packets, so that would seem a good place to start. I don't think I am able to share the packet capture with you, unfortunately.

I've just run editcap -d on my capture and I seem to have a fully decoded conversation now. So you've already provided some great help!

It surprised me a little that this worked, though, since I don't believe I have any duplicate packets - do you think editcap also re-sorts the packets to the order they should be in?

Is there no way to do this sorting of packets within Wireshark? It's a bit frustrating to have to save every capture, convert it and reload it.
Thanks very much,
-Dominic
From: "Sake Blok" <sake@xxxxxxxxxx>
To: "Community support list for Wireshark" <wireshark-users@xxxxxxxxxxxxx>
Date: 29/09/2009 17:06
Subject: Re: [Wireshark-users] Trouble with SSL dissector - got it half working!
Sent by: wireshark-users-bounces@xxxxxxxxxxxxx
Hi Dominic,
The fact that you got it working for one of the two flows means that the key is OK, you are not using a DH cipher, and all packets of the SSL handshake are present in the trace (those are the 3 common problems with decrypting traffic). However, if the other flow does not decrypt, that could be caused by:

- a missing packet in that flow (unable to fix)
- the first TCP segment of the first SSL record received out-of-order (could be fixed with editcap and mergecap, but is not so trivial)
- duplicate packets in that flow (could be fixed by using 'editcap -d <infile> <outfile>')

If none of those is the case, are you able to provide the capture file and the key? Or is this a production environment?
Cheers,
Sake
----- Original Message -----
From: Dominic Tulley
To: wireshark-users@xxxxxxxxxxxxx
Sent: Tuesday, September 29, 2009 11:26 AM
Subject: [Wireshark-users] Trouble with SSL dissector - got it half working!
After much trawling and experimentation I've almost managed to get the SSL dissector working, but strangely I can only decode my incoming HTTP requests (all the responses are still encrypted). I've tried using the "Decode As" option to make it decode for the client port as well as the server port (although I didn't expect that to be necessary), and I've tried adding the client IP address and socket as a second "private key" in the configuration. Neither helped.

I'd appreciate any suggestions - I'm happy to provide additional details if that would help.
Thanks,
-Dominic
Unless stated otherwise above:
IBM United Kingdom Limited - Registered in England and Wales with number 741598.
Registered office: PO Box 41, North Harbour, Portsmouth, Hampshire PO6 3AU
___________________________________________________________________________
Sent via: Wireshark-users mailing list <wireshark-users@xxxxxxxxxxxxx>
Archives: http://www.wireshark.org/lists/wireshark-users
Unsubscribe: https://wireshark.org/mailman/options/wireshark-users
mailto:wireshark-users-request@xxxxxxxxxxxxx?subject=unsubscribe
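Editor's note, added to this thread and not part of any of the messages above: the two capture-file problems Sake lists (duplicate frames, and the first segment of the first SSL record stored out of order) are both fixed on the file, not in the dissector. 'editcap -d' only drops duplicates; it compares each frame's length and MD5 against the previous four frames read and does not change order. Sorting by timestamp is a separate step, which later Wireshark releases ship as 'reordercap infile outfile' (and newer releases also offer a TCP preference to reassemble out-of-order segments). The Python below is an added illustration, not Wireshark's own code: it builds a small synthetic pcap in which a ClientHello is split over two TCP segments, the first segment is duplicated and the second is stored ahead of it, then applies the two steps and checks whether the first data segment of the flow begins with a TLS record header, which is the condition the dissector needs before it can find the record boundary. The hosts, ports and frame contents are constructed; checksums are left at zero.

```python
"""Constructed example: clean a capture the way 'editcap -d' (drop duplicates)
and 'reordercap' (sort by timestamp) do, and check whether the segment that
carries the first TLS record header is the first data segment of its flow.
Added illustration, not Wireshark code; the pcap below is synthetic."""
import hashlib
import struct
from typing import List, Tuple

Frame = Tuple[int, int, bytes]          # (ts_sec, ts_usec, raw Ethernet frame)

PCAP_MAGIC = 0xA1B2C3D4                 # little-endian, microsecond timestamps
LINKTYPE_ETHERNET = 1


def write_pcap(frames: List[Frame]) -> bytes:
    """Serialise frames into classic libpcap format (24-byte global header,
    16-byte record header per frame)."""
    out = struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, 65535, LINKTYPE_ETHERNET)
    for sec, usec, raw in frames:
        out += struct.pack("<IIII", sec, usec, len(raw), len(raw)) + raw
    return out


def read_pcap(data: bytes) -> List[Frame]:
    """Parse the variant written above (only that variant is handled)."""
    magic, = struct.unpack_from("<I", data)
    if magic != PCAP_MAGIC:
        raise ValueError("expected little-endian microsecond pcap")
    frames, off = [], 24
    while off < len(data):
        sec, usec, caplen, _origlen = struct.unpack_from("<IIII", data, off)
        frames.append((sec, usec, data[off + 16:off + 16 + caplen]))
        off += 16 + caplen
    return frames


def tcp_frame(sport: int, dport: int, seq: int, payload: bytes) -> bytes:
    """Ethernet/IPv4/TCP frame 10.0.0.1 -> 10.0.0.2 (constructed addresses).
    IP and TCP checksums are left at 0, which Wireshark does not flag unless
    checksum validation is switched on."""
    eth = b"\x02" * 6 + b"\x04" * 6 + b"\x08\x00"          # dst, src, EtherType IPv4
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40 + len(payload), 0, 0x4000,
                     64, 6, 0, bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]))
    tcp = struct.pack("!HHIIBBHHH", sport, dport, seq, 1, 5 << 4, 0x18,
                      65535, 0, 0)                           # PSH|ACK, data offset 5
    return eth + ip + tcp + payload


def tcp_fields(raw: bytes):
    """Return (sport, dport, seq, payload) from an Ethernet/IPv4/TCP frame."""
    ihl = (raw[14] & 0x0F) * 4
    t = 14 + ihl
    sport, dport, seq = struct.unpack_from("!HHI", raw, t)
    doff = (raw[t + 12] >> 4) * 4
    return sport, dport, seq, raw[t + doff:]


def dedupe(frames: List[Frame], window: int = 5) -> List[Frame]:
    """Approximates 'editcap -d': a frame whose length and MD5 match one of the
    previous window-1 frames read is dropped; timestamps are not compared and
    the order of the survivors is unchanged."""
    kept, recent = [], []
    for f in frames:
        sig = (len(f[2]), hashlib.md5(f[2]).digest())
        if sig not in recent:
            kept.append(f)
        recent = (recent + [sig])[-(window - 1):]
    return kept


def reorder(frames: List[Frame]) -> List[Frame]:
    """What 'reordercap' does: stable sort by capture timestamp."""
    return sorted(frames, key=lambda f: (f[0], f[1]))


def first_data_segment_starts_tls_record(frames, sport, dport) -> bool:
    """True if, in file order, the first data-bearing segment of the flow
    begins with a TLS record header (content type 0x16 = handshake, major 3).
    If a later segment is stored first, the dissector is handed mid-record
    bytes and cannot locate the record boundary."""
    for _, _, raw in frames:
        s, d, _seq, payload = tcp_fields(raw)
        if (s, d) == (sport, dport) and payload:
            return payload[0] == 0x16 and payload[1] == 0x03
    return False


# Constructed flow: a 69-byte ClientHello record split over two segments; the
# first segment is duplicated (as with two mirrored ports) and the second
# segment is stored ahead of it in the file although its timestamp is later.
CLIENT_HELLO = b"\x16\x03\x01\x00\x40" + b"\x01\x00\x00\x3c" + b"\x03\x03" + b"\x00" * 58
SEG_A = tcp_frame(51000, 443, 1000, CLIENT_HELLO[:35])
SEG_B = tcp_frame(51000, 443, 1035, CLIENT_HELLO[35:])
RAW_CAPTURE = write_pcap([(1, 200, SEG_B), (1, 100, SEG_A), (1, 100, SEG_A)])


def clean_capture(pcap: bytes) -> bytes:
    """Full pipeline: read, drop duplicates, sort by time, write back."""
    return write_pcap(reorder(dedupe(read_pcap(pcap))))


if __name__ == "__main__":
    before = read_pcap(RAW_CAPTURE)
    after = read_pcap(clean_capture(RAW_CAPTURE))
    print(len(before), "frames in,", len(after), "out")
    print("record start first before:", first_data_segment_starts_tls_record(before, 51000, 443))
    print("record start first after: ", first_data_segment_starts_tls_record(after, 51000, 443))
    with open("reordered.pcap", "wb") as fh:    # open this one in Wireshark
        fh.write(clean_capture(RAW_CAPTURE))
```

Run as a script it reports 3 frames in, 2 out, the check failing on the raw file and passing on the cleaned one, and writes reordered.pcap for inspection. Note that neither step can help with the first cause in Sake's list, a segment that was never captured: dedupe and reorder only rearrange what is already in the file.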