Wireshark-users: Re: [Wireshark-users] Decrypting SSL traffic through tshark

From: Sake Blok <sake@xxxxxxxxxx>
Date: Thu, 11 Nov 2010 19:14:08 +0100
On 11 nov 2010, at 07:34, Sahaj wrote:

> I need to decrypt SSL traffic to get content length.
> ./tshark   -o "ssl.keys_list:,443,http,client.ky" -T fields -E separator=":"  -e frame.time_relative -e frame.number -e tcp.len -e http.content_length -e tcp.flags.fin -e tcp.flags.push  -R "ip.src == source_ip && ip.dst == destination_ip  && tcp.srcport == 443 && ! (tcp.analysis.out_of_order)  && ! (tcp.analysis.retransmission) "  -r sample.pcap
> [...]
> the field for content length is empty.
> Please help me out and tell me if I am missing anything or doing something wrong.

You should use the server IP address in the keys_list:

 -o "ssl.keys_list:<SERVER-IP>,443,http,client.ky"

It also helps if you add:

-o "ssl.debug_file:ssl-debug.log"

That way you can see in the logfile if the key is loaded OK in Wireshark and you can follow the decryption process.

Let's see how that goes first...
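An added check (written for this page, not code from the thread or from Wireshark) for the ssl.keys_list syntax the reply refers to, `<ip>,<port>,<protocol>,<key_file>` with entries separated by `;`: it flags the empty server IP in the original command and validates the other fields. The key file itself is not opened, and 192.0.2.10 in the test is a constructed placeholder address.

```python
import ipaddress

# Wireshark's ssl.keys_list format as used with "tshark -o" in this thread:
#   <ip>,<port>,<protocol>,<key_file>[,<password>]  (several entries separated by ';')
# Assumption: only the entry syntax is checked here; the key file is never opened.

def check_keys_list(keys_list: str) -> list:
    """Return human-readable problems found in an ssl.keys_list string (empty list if OK)."""
    problems = []
    entries = [e for e in keys_list.split(";") if e.strip()]
    for n, entry in enumerate(entries):
        fields = [f.strip() for f in entry.split(",")]
        if len(fields) < 4:
            problems.append(f"entry {n}: expected ip,port,protocol,key_file but got {len(fields)} fields")
            continue
        ip, port, proto, key_file = fields[:4]
        # The original post left the IP empty, so no server flow was ever matched to the key.
        if not ip:
            problems.append(f"entry {n}: server IP is empty; use the address the client connects to")
        else:
            try:
                ipaddress.ip_address(ip)
            except ValueError:
                problems.append(f"entry {n}: '{ip}' is not a valid IP address")
        if not port.isdigit() or not 0 < int(port) <= 65535:
            problems.append(f"entry {n}: port '{port}' is not in 1-65535")
        if not proto:
            problems.append(f"entry {n}: protocol is empty (e.g. http)")
        if not key_file:
            problems.append(f"entry {n}: key file path is empty")
    return problems
```

Run it over the value you pass to `-o ssl.keys_list:` before starting tshark; an empty list means the entry is at least well-formed, and the debug log then tells you whether the key actually loaded.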

