Wireshark-users: Re: [Wireshark-users] Decrypting SSL traffic through tshark

From: sahaj pandey <sahaj_p@xxxxxxxxxxx>
Date: Fri, 12 Nov 2010 19:35:41 +0530 (IST)
Hi Sake,

Thanks a lot for replying.

Previously I had tried giving the server IP only, but somehow missed mentioning that.
This time I have used "ssl.debug_file:debug.log":

tshark -o "ssl.keys_list:<server_ip>,443,http,server.key" -o "ssl.debug_file:debug.log" -T fields -E separator=":" -e frame.number -e http.content_length -e tcp.len -e ssl.record -R "ip.src == <server_ip> && ip.dst == <dest_ip> && tcp.srcport == 443 && !(tcp.analysis.out_of_order) && !(tcp.analysis.retransmission)" -r sample.pcap



Again I am not able to get decrypted data. I am seeing a line saying "no decoder available".

The log file has this kind of entries:

------
ssl_init keys string:
server_ip,http,server.key
ssl_init found host entry <server_ip>,443,http,server.key
ssl_init addr '<server_ip>' port '443' filename 'server.key' password(only for p12 file) '(null)'
ssl_init private key file server.key successfully loaded
association_add TCP port 443 protocol http handle 0x90fcee0
association_find: TCP port 993 found 0x9597f78
ssl_association_remove removing TCP 993 - imap handle 0x910a500
association_add TCP port 993 protocol imap handle 0x910a500
association_find: TCP port 995 found 0x9597fb0
ssl_association_remove removing TCP 995 - pop handle 0x91ccf00
association_add TCP port 995 protocol pop handle 0x91ccf00

dissect_ssl enter frame #66 (first time)
  conversation = 0xb68257d0, ssl_session = 0xb68259a8
dissect_ssl3_record found version 0x0301 -> state 0x11
dissect_ssl3_record: content_type 22
decrypt_ssl3_record: app_data len 58 ssl, state 0x11
association_find: TCP port 443 found 0x9940730
packet_from_server: is from server - TRUE
decrypt_ssl3_record: using server decoder
decrypt_ssl3_record: no decoder available
dissect_ssl3_handshake iteration 1 type 2 offset 5 length 54 bytes, remaining 63
dissect_ssl3_hnd_hello_common found SERVER RANDOM -> state 0x13
dissect_ssl3_hnd_srv_hello found CIPHER 0x0004 -> state 0x17
dissect_ssl3_hnd_srv_hello not enough data to generate key (required 0x37)
dissect_ssl3_record: content_type 22
decrypt_ssl3_record: app_data len 758 ssl, state 0x17
association_find: TCP port 443 found 0x9940730
packet_from_server: is from server - TRUE
decrypt_ssl3_record: using server decoder
decrypt_ssl3_record: no decoder available
dissect_ssl3_handshake iteration 1 type 11 offset 68 length 754 bytes, remaining 826
dissect_ssl3_record: content_type 22
decrypt_ssl3_record: app_data len 4 ssl, state 0x17
association_find: TCP port 443 found 0x9940730
packet_from_server: is from server - TRUE
decrypt_ssl3_record: using server decoder
decrypt_ssl3_record: no decoder available
dissect_ssl3_handshake iteration 1 type 14 offset 831 length 0 bytes, remaining 835
------

What can I do further to get it decrypted?

Thanks for the help.
 
Regards,
sahaj
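The posted debug log, read against the TLS handshake, shows where decryption stands: the ServerHello selected cipher suite 0x0004 (TLS_RSA_WITH_RC4_128_MD5, a plain RSA key exchange, so the server key can in principle recover the session keys), the private key loaded, and only the server-to-client handshake messages (types 2, 11 and 14) appear in the excerpt. "not enough data to generate key" at the ServerHello is expected for a fresh session, and "no decoder available" on handshake records is expected too: no session keys exist until the ClientKeyExchange has been decrypted with the server key. The script below, an added example that is not part of the original post or of Wireshark, parses the line formats visible in the log above and reports what is still missing. The two log samples in it are constructed (the first follows the shape of the posted excerpt), and its cipher suite table is a deliberately short excerpt of the IANA registry.

```python
"""Triage a tshark/Wireshark ssl.debug_file log for why SSL decryption failed.

Added example, not code from the mailing-list post or from Wireshark. It
matches the line formats visible in the posted log (key loading, CIPHER,
handshake message types). The sample logs below are constructed.
"""
import re

# TLS handshake message types (RFC 5246, section 7.4).
HANDSHAKE_TYPES = {1: "ClientHello", 2: "ServerHello", 11: "Certificate",
                   12: "ServerKeyExchange", 14: "ServerHelloDone",
                   16: "ClientKeyExchange", 20: "Finished"}

# Cipher suite IDs from the IANA TLS registry (short excerpt). Only suites
# with a plain RSA key exchange let the server's private key recover the
# pre-master secret; DHE/ECDHE suites cannot be decrypted with the key alone.
RSA_KX = {0x0004: "TLS_RSA_WITH_RC4_128_MD5",
          0x0005: "TLS_RSA_WITH_RC4_128_SHA",
          0x000A: "TLS_RSA_WITH_3DES_EDE_CBC_SHA",
          0x002F: "TLS_RSA_WITH_AES_128_CBC_SHA",
          0x0035: "TLS_RSA_WITH_AES_256_CBC_SHA"}
EPHEMERAL_KX = {0x0033: "TLS_DHE_RSA_WITH_AES_128_CBC_SHA",
                0x0039: "TLS_DHE_RSA_WITH_AES_256_CBC_SHA",
                0xC013: "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA",
                0xC014: "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA"}

CIPHER_RE = re.compile(r"found CIPHER 0x([0-9A-Fa-f]{4})")
HS_TYPE_RE = re.compile(r"dissect_ssl3_handshake iteration \d+ type (\d+)")
KEY_LOADED_RE = re.compile(r"private key file (\S+) successfully loaded")


def triage(log_text):
    """Summarise what the dissector saw and list what still blocks decryption.

    "no decoder available" on content_type 22 records before the
    ChangeCipherSpec is not itself a problem: handshake messages are sent in
    the clear and no session keys exist yet, so it is not checked here."""
    ciphers = [int(c, 16) for c in CIPHER_RE.findall(log_text)]
    seen = sorted({int(t) for t in HS_TYPE_RE.findall(log_text)})
    cipher = ciphers[-1] if ciphers else None
    problems = []
    if not KEY_LOADED_RE.search(log_text):
        problems.append("private key never loaded: check the ssl.keys_list entry "
                        "(ip,port,protocol,keyfile) and the key file path")
    if cipher is None:
        problems.append("no ServerHello CIPHER line: server side of the handshake "
                        "was not dissected")
    elif cipher in EPHEMERAL_KX:
        problems.append(f"{EPHEMERAL_KX[cipher]} uses an ephemeral (DHE/ECDHE) key "
                        "exchange; the server private key cannot recover session keys")
    elif cipher not in RSA_KX:
        problems.append(f"cipher suite 0x{cipher:04X} is not in this script's table; "
                        "check its key exchange method")
    if 1 not in seen:
        problems.append("no ClientHello seen: client side missing from the capture, "
                        "or the capture started after the handshake")
    if 16 not in seen:
        problems.append("no ClientKeyExchange seen: the pre-master secret was never "
                        "available to decrypt, so no session keys and no decoder")
    return {"cipher": cipher,
            "handshake_seen": [HANDSHAKE_TYPES.get(t, f"type {t}") for t in seen],
            "problems": problems}


# Constructed sample 1: the shape of the log posted in the thread; only the
# server-to-client handshake messages (2, 11, 14) appear.
SERVER_ONLY_LOG = """\
ssl_init private key file server.key successfully loaded
dissect_ssl3_record: content_type 22
decrypt_ssl3_record: no decoder available
dissect_ssl3_handshake iteration 1 type 2 offset 5 length 54 bytes, remaining 63
dissect_ssl3_hnd_srv_hello found CIPHER 0x0004 -> state 0x17
dissect_ssl3_hnd_srv_hello not enough data to generate key (required 0x37)
dissect_ssl3_handshake iteration 1 type 11 offset 68 length 754 bytes, remaining 826
dissect_ssl3_handshake iteration 1 type 14 offset 831 length 0 bytes, remaining 835
"""

# Constructed sample 2: both directions present and an RSA key exchange.
FULL_RSA_LOG = """\
ssl_init private key file server.key successfully loaded
dissect_ssl3_handshake iteration 1 type 1 offset 5 length 100 bytes, remaining 109
dissect_ssl3_handshake iteration 1 type 2 offset 5 length 70 bytes, remaining 79
dissect_ssl3_hnd_srv_hello found CIPHER 0x002F -> state 0x17
dissect_ssl3_handshake iteration 1 type 11 offset 79 length 800 bytes, remaining 883
dissect_ssl3_handshake iteration 1 type 14 offset 883 length 0 bytes, remaining 887
dissect_ssl3_handshake iteration 1 type 16 offset 5 length 258 bytes, remaining 267
"""

if __name__ == "__main__":
    for name, log in (("server-only", SERVER_ONLY_LOG), ("full-rsa", FULL_RSA_LOG)):
        r = triage(log)
        cipher = f"0x{r['cipher']:04X}" if r["cipher"] is not None else "none"
        print(name, cipher, r["handshake_seen"])
        for p in r["problems"]:
            print("  -", p)
```

Run it on the real file with triage(open("debug.log").read()). Whatever the filter on the tshark command line, a capture that lacks the client-to-server half of the handshake cannot be decrypted with the server key alone, and a DHE/ECDHE suite cannot be decrypted with it at all.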




From: "wireshark-users-request@xxxxxxxxxxxxx" <wireshark-users-request@xxxxxxxxxxxxx>
To: wireshark-users@xxxxxxxxxxxxx
Sent: Fri, 12 November, 2010 1:30:03 AM
Subject: Wireshark-users Digest, Vol 54, Issue 10

Send Wireshark-users mailing list submissions to
    wireshark-users@xxxxxxxxxxxxx

To subscribe or unsubscribe via the World Wide Web, visit
    https://wireshark.org/mailman/listinfo/wireshark-users
or, via email, send a message with subject or body 'help' to
    wireshark-users-request@xxxxxxxxxxxxx

You can reach the person managing the list at
    wireshark-users-owner@xxxxxxxxxxxxx

When replying, please edit your Subject line so it is more specific
than "Re: Contents of Wireshark-users digest..."


Today's Topics:

  1. Crash when LTE dissector (over UDP framing) enabled (Antriksh Pany)
  2. Re: Crash when LTE dissector (over UDP framing) enabled
      (Martin Mathieson)
  3. Re: Crash when LTE dissector (over UDP framing) enabled
      (Antriksh Pany)
  4. Re: Crash when LTE dissector (over UDP framing) enabled
      (Martin Mathieson)
  5. Re: reassemble.c assertion tvb_bytes_exist in 1GB trace file
      (Scheffenegger, Richard)
  6. "No fonts found" error Wireshark on Solaris 8 (Sai Prashant)
  7. Decrypting SSL traffic through tshark (Sahaj)
  8. Re: Decrypting SSL traffic through tshark (Sake Blok)
  9. Trouble converting .pcap file to XML (pdms) via command line
      in Windows (Sean Sparacio)


----------------------------------------------------------------------

Message: 1
Date: Thu, 11 Nov 2010 12:22:29 +0530
From: Antriksh Pany <antriksh.pany@xxxxxxxxx>
Subject: [Wireshark-users] Crash when LTE dissector (over UDP framing)
    enabled
To: wireshark-users <wireshark-users@xxxxxxxxxxxxx>
Message-ID:
    <AANLkTik4i4Fd76jkYCAXznRQZcHf+tQx0BVg0wYnjcPK@xxxxxxxxxxxxxx>
Content-Type: text/plain; charset=ISO-8859-1

Hello

I am facing a crash when I enable the option
  'Try Heuristic LTE-MAC over UDP framing'
and load an appropriate pcap.

The crash does not occur when I turn off this option, and load the same pcap.

This is the log:
-----------------------
bash-3.2$ /opt/wireshark/bin/wireshark

(wireshark:10799): GLib-GObject-WARNING **: invalid (NULL) pointer instance

(wireshark:10799): GLib-GObject-CRITICAL **: g_signal_emit_by_name:
assertion `G_TYPE_CHECK_INSTANCE (instance)' failed
Segmentation fault
bash-3.2$
bash-3.2$ uname -a
Linux dennis 2.6.18-128.el5 #1 SMP Wed Dec 17 11:41:38 EST 2008 x86_64
x86_64 x86_64 GNU/Linux
bash-3.2$ /opt/wireshark/bin/wireshark -v
wireshark 1.4.1

Copyright 1998-2010 Gerald Combs <gerald@xxxxxxxxxxxxx> and contributors.
This is free software; see the source for copying conditions. There is NO
warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.

Compiled with GTK+ 2.10.4, (64-bit) with GLib 2.12.3, with libpcap 0.9.4, with
libz 1.2.3, with POSIX capabilities (Linux), with libpcre (version unknown),
without SMI, without c-ares, without ADNS, without Lua, without Python, with
GnuTLS 1.4.1, with Gcrypt 1.2.4, with MIT Kerberos, without GeoIP, without
PortAudio, without AirPcap.

Running on Linux 2.6.18-128.el5, with libpcap version 0.9.4, with libz 1.2.3,
GnuTLS 1.4.1, Gcrypt 1.2.4.

Built using gcc 4.1.2 20080704 (Red Hat 4.1.2-44).
bash-3.2$
-----------------------


Also, I had tried doing the same on Windows. It was able to open the
pcap correctly on the first few occasions. But it consistently
crashes on Windows as well now.
These are the problem details shown by Windows (Windows 7):
-----------------------
Problem signature:
  Problem Event Name:    APPCRASH
  Application Name:    wireshark.exe
  Application Version:    1.4.1.34476
  Application Timestamp:    4cb35037
  Fault Module Name:    libwireshark.dll
  Fault Module Version:    1.4.1.34476
  Fault Module Timestamp:    4cb34ea4
  Exception Code:    c0000005
  Exception Offset:    0001148f
  OS Version:    6.1.7600.2.0.0.256.4
  Locale ID:    1033
  Additional Information 1:    0a9e
  Additional Information 2:    0a9e372d3b4ad19135b953a78882e789
  Additional Information 3:    0a9e
  Additional Information 4:    0a9e372d3b4ad19135b953a78882e789
-----------------------
I have tried things such as restarting the system etc, but nothing works.

Any help/suggestions are appreciated.

Thanks
Antriksh Pany


------------------------------

Message: 2
Date: Thu, 11 Nov 2010 09:14:35 +0000
From: Martin Mathieson <martin.r.mathieson@xxxxxxxxxxxxxx>
Subject: Re: [Wireshark-users] Crash when LTE dissector (over UDP
    framing)    enabled
To: Community support list for Wireshark
    <wireshark-users@xxxxxxxxxxxxx>
Message-ID:
    <AANLkTinYg50wPSA0iPbx7hAoExN+Gs07VDec5AhCduLr@xxxxxxxxxxxxxx>
Content-Type: text/plain; charset="iso-8859-1"

Hello Antriksh,

Could you possibly share the capture file that shows the problem?
Ideally you should file a bug at https://bugs.wireshark.org/bugzilla/ ...

Regards,
Martin

-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://www.wireshark.org/lists/wireshark-users/attachments/20101111/28c77d21/attachment.htm

------------------------------

Message: 3
Date: Thu, 11 Nov 2010 18:11:15 +0530
From: Antriksh Pany <antriksh.pany@xxxxxxxxx>
Subject: Re: [Wireshark-users] Crash when LTE dissector (over UDP
    framing)    enabled
To: wireshark-users <wireshark-users@xxxxxxxxxxxxx>
Message-ID:
    <AANLkTimMzcTYREJJUt2XcgguMUNV+H=tyHw0WY7OzVtf@xxxxxxxxxxxxxx>
Content-Type: text/plain; charset=ISO-8859-1

Hello

The crash was occurring due to an incorrect RNTI type being filled in. We
actually had broadcast information flowing. But the RNTI type was 3
(C_RNTI). And this seemed to be causing Wireshark to attempt to decode
the message as a dedicated UE message (noticed that during the couple
of times that it did not crash in Windows).

When I corrected the rnti type, the problem went away.

I think this should be a very good indicator of where in code the
problem would be. If there are some pointers as to where to look in
code, I could consider having a look myself!

Also, I guess Wireshark could warn us when the RNTI is that of SI
(broadcast), but the RNTI type is set differently.

Cheers
Antriksh




------------------------------

Message: 4
Date: Thu, 11 Nov 2010 12:59:00 +0000
From: Martin Mathieson <martin.r.mathieson@xxxxxxxxxxxxxx>
Subject: Re: [Wireshark-users] Crash when LTE dissector (over UDP
    framing)    enabled
To: Community support list for Wireshark
    <wireshark-users@xxxxxxxxxxxxx>
Message-ID:
    <AANLkTi=AMmi9fD7Wk1Qzxu17J9nvjXgXGdg_YLzRCyb6@xxxxxxxxxxxxxx>
Content-Type: text/plain; charset="iso-8859-1"

On Thu, Nov 11, 2010 at 12:41 PM, Antriksh Pany <antriksh.pany@xxxxxxxxx> wrote:

> Hello
>
> The crash was occurring due to incorrect rnti type being filled up. We
> actually had broadcast information flowing. But the rnti type was 3
> (C_RNTI). And this seemed to be causing wireshark to attempt to decode
> the message as a dedicated UE message (noticed that during the couple
> of times that it did not crash in Windows).
>

It would still be good to make sure we didn't crash, so that users such as
yourself would see the problem more quickly.
Wireshark shouldn't crash - it should show the packet as malformed and
hopefully make the problem obvious.


>
> When I corrected the rnti type, the problem went away.
>
> I think this should be a very good indicator of where in code the
> problem would be. If there are some pointers as to where to look in
> code, I could consider having a look myself!
>
> Also, I guess wireshark could warn us when the RNTI is that of SI
> (broadcast), but the rnti type is set differently.
>

Yes, it probably should verify that the SI- and P- RNTI types have the
correct value.

Regards,
Martin


> Cheers
> Antriksh
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://www.wireshark.org/lists/wireshark-users/attachments/20101111/9f0f967a/attachment.htm
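Martin's point above, that the dissector should verify that SI- and P-RNTI values carry the matching RNTI type and flag the packet rather than crash, as an added example in Python (not Wireshark code, and not from the thread). The value ranges come from 3GPP TS 36.321 Table 7.1-1 (Release 8). Of the rntiType numbers, only C_RNTI = 3 is stated in the thread; the others (NO_RNTI = 0, P_RNTI = 1, RA_RNTI = 2, SI_RNTI = 4, SPS_RNTI = 5) are assumed and should be checked against packet-mac-lte.h. The frame list in the block is constructed and reproduces the reported case: system-information broadcast on SI-RNTI 0xFFFF tagged as C_RNTI.

```python
"""Consistency check between an LTE RNTI value and the MAC-LTE rntiType tag.

Added example, not Wireshark code. RNTI value ranges follow 3GPP TS 36.321
Table 7.1-1 (Release 8). C_RNTI = 3 is stated in the thread; the other
rntiType numbers below are ASSUMED to match Wireshark's MAC-LTE framing
header and should be verified against packet-mac-lte.h.
"""
NO_RNTI, P_RNTI, RA_RNTI, C_RNTI, SI_RNTI, SPS_RNTI = range(6)
TYPE_NAMES = {NO_RNTI: "NO_RNTI", P_RNTI: "P_RNTI", RA_RNTI: "RA_RNTI",
              C_RNTI: "C_RNTI", SI_RNTI: "SI_RNTI", SPS_RNTI: "SPS_RNTI"}

# TS 36.321 Table 7.1-1 (Rel-8): RNTI value range -> rntiType values it may carry.
RNTI_RANGES = [
    (0x0000, 0x0000, frozenset({NO_RNTI})),          # 0x0000 is not an RNTI
    (0x0001, 0x003C, frozenset({RA_RNTI})),
    (0x003D, 0xFFF3, frozenset({C_RNTI, SPS_RNTI})),  # C-, Temporary C-, SPS C-RNTI
    (0xFFF4, 0xFFFD, frozenset()),                    # reserved
    (0xFFFE, 0xFFFE, frozenset({P_RNTI})),
    (0xFFFF, 0xFFFF, frozenset({SI_RNTI})),
]


def allowed_types(rnti):
    """Return the set of rntiType values that may legitimately tag this RNTI."""
    if not 0 <= rnti <= 0xFFFF:
        raise ValueError("RNTI is a 16-bit value")
    for lo, hi, types in RNTI_RANGES:
        if lo <= rnti <= hi:
            return types
    raise AssertionError("RNTI_RANGES must cover 0x0000..0xFFFF")


def check_rnti(rnti, rnti_type):
    """Return (ok, message). The thread's case, SI-RNTI 0xFFFF tagged as
    C_RNTI, comes back as not ok instead of being decoded as a UE message."""
    allowed = allowed_types(rnti)
    if rnti_type in allowed:
        return True, "ok"
    expected = ", ".join(TYPE_NAMES[t] for t in sorted(allowed)) or "none (reserved value)"
    return False, (f"RNTI 0x{rnti:04X} tagged {TYPE_NAMES.get(rnti_type, rnti_type)}; "
                   f"valid types for this value: {expected}")


def audit(frames):
    """Run the check over (frame_no, rnti, rnti_type) tuples; return mismatches."""
    mismatches = []
    for frame_no, rnti, rnti_type in frames:
        ok, msg = check_rnti(rnti, rnti_type)
        if not ok:
            mismatches.append((frame_no, msg))
    return mismatches


# Constructed sample: frame 2 is the reported bug (broadcast SI tagged C_RNTI),
# frame 6 carries a reserved value; the rest are consistent.
SAMPLE_FRAMES = [(1, 0xFFFF, SI_RNTI), (2, 0xFFFF, C_RNTI), (3, 0x0042, C_RNTI),
                 (4, 0xFFFE, P_RNTI), (5, 0x0010, RA_RNTI), (6, 0xFFF5, C_RNTI)]

if __name__ == "__main__":
    for frame_no, msg in audit(SAMPLE_FRAMES):
        print(f"frame {frame_no}: {msg}")
```

The same check belongs in whatever tool writes the UDP framing: had it run there, the mismatch would have been caught before the capture reached Wireshark.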

------------------------------

Message: 5
Date: Tue, 9 Nov 2010 01:13:55 -0000
From: "Scheffenegger, Richard" <rs@xxxxxxxxxx>
Subject: Re: [Wireshark-users] reassemble.c assertion tvb_bytes_exist
    in 1GB    trace file
To: <wireshark-users@xxxxxxxxxxxxx>
Cc: steve@xxxxxxxxxxxxx
Message-ID:
    <5FDC413D5FA246468C200652D63E627A0B54D645@xxxxxxxxxxxxxxxxxxxxxxxxxxx>
Content-Type: text/plain; charset="us-ascii"


Hi Steve,

Thanks again for your quick reply!

Actually, there was nothing attached to the mail. Must have been some
RTF format of the same content or something. (now trying with
plaintext).

Anyway, if I try to slice the trc file into something smaller using
tshark, the resulting file seems to be missing a few frames, and doesn't
show the error any more... I could try splitting the original trc
somewhere around file offset 21000000 to have the first few instances in
it, but that would still be too much for an email attachment.

Are there any other methods to low-level slice a (tcpdump) trace? Or any
place where I could put the full, undoctored file (only the initial 200
bytes were captured, and I guess NFS ESX traffic is not all that
interesting, when it comes in too many chunks of unknown vmdk offsets ;)
).

Thanks a lot,


Richard Scheffenegger
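On the question of low-level slicing: editcap -r, shipped with Wireshark, writes a frame range out record by record without dissecting anything (for example: editcap -r big.pcap part.pcap 84600-84700). The following Python does the same job by hand, as an added example that is not from the thread or from Wireshark. It copies the pcap global header and the selected records byte for byte, so snaplen-truncated records (incl_len smaller than orig_len, as with a 200-byte capture limit) stay exactly as captured. The pcap it operates on is constructed in memory. The caveat Richard raises still applies: a slice that starts mid-TCP-stream changes the state the reassembly code has seen, so the assertion may not reproduce unless the slice begins before the affected conversation.

```python
"""Slice a pcap file by frame number at the record level, without dissection.

Added example; not code from the thread or from Wireshark (editcap -r does
the same job). Only the global header and the selected records are copied,
byte for byte. The sample capture below is constructed in memory.
"""
import struct

PCAP_MAGICS = {0xA1B2C3D4, 0xA1B23C4D}  # microsecond and nanosecond variants
GLOBAL_HDR = 24   # magic, version, thiszone, sigfigs, snaplen, linktype
RECORD_HDR = 16   # ts_sec, ts_frac, incl_len, orig_len


def pcap_byte_order(data):
    """Return the struct byte-order prefix ('<' or '>') from the magic number."""
    if len(data) < GLOBAL_HDR:
        raise ValueError("shorter than a pcap global header")
    for order in ("<", ">"):
        if struct.unpack(order + "I", data[:4])[0] in PCAP_MAGICS:
            return order
    raise ValueError("not a pcap file (unknown magic)")


def iter_records(data):
    """Yield (frame_number, offset, length) for each record.
    Frame numbers are 1-based, matching tshark's frame.number."""
    order = pcap_byte_order(data)
    off, n = GLOBAL_HDR, 0
    while off < len(data):
        if off + RECORD_HDR > len(data):
            raise ValueError(f"truncated record header at offset {off}")
        _, _, incl_len, _ = struct.unpack(order + "IIII", data[off:off + RECORD_HDR])
        length = RECORD_HDR + incl_len
        if off + length > len(data):
            raise ValueError(f"truncated packet data at offset {off}")
        n += 1
        yield n, off, length
        off += length


def frame_count(data):
    return sum(1 for _ in iter_records(data))


def slice_pcap(data, first, last):
    """Return a new pcap holding frames first..last inclusive, copied verbatim."""
    if first < 1 or last < first:
        raise ValueError("bad frame range")
    out = bytearray(data[:GLOBAL_HDR])
    for n, off, length in iter_records(data):
        if n > last:
            break
        if n >= first:
            out += data[off:off + length]
    return bytes(out)


def build_sample(payloads, snaplen=200):
    """Constructed little-endian pcap, linktype 1 (Ethernet). The payloads are
    arbitrary bytes, not real packets; frames longer than snaplen are cut the
    way a capture taken with a 200-byte limit cuts them (incl_len < orig_len)."""
    hdr = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, snaplen, 1)
    recs = b"".join(
        struct.pack("<IIII", 1289000000 + i, 0, min(len(p), snaplen), len(p)) + p[:snaplen]
        for i, p in enumerate(payloads))
    return hdr + recs


# Five constructed frames of 60, 160, 260, 360 and 460 bytes; the last three
# exceed the 200-byte snaplen.
SAMPLE = build_sample([bytes([i]) * (60 + 100 * i) for i in range(5)])

if __name__ == "__main__":
    part = slice_pcap(SAMPLE, 2, 4)
    print(frame_count(SAMPLE), "frames in,", frame_count(part), "frames out,",
          len(part), "bytes")
```

For a real file: slice_pcap(open("big.trc", "rb").read(), 84600, 84700) and write the result out; for a 1 GB trace, read it with mmap instead of read() and the record loop works unchanged.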


From: Stephen Fisher <steve@xxxxxxxxxxxxxxxxxx>
Date: Mon, 8 Nov 2010 11:28:18 -0700

On Sat, Nov 06, 2010 at 01:57:03PM -0000, Scheffenegger, Richard wrote:

> ** (tshark.exe:1920): WARNING **: Dissector bug, protocol TCP, in
> packet 84634: reassemble.c:929: failed assertion "tvb_bytes_exist(tvb,
> offset, frag_data_len)"

That is a bug in Wireshark.  Please re-send the packet capture (just one
or two packets which are causing the problem), since this time it came
through as a WINMAIL.DAT file to us non-Microsoft e-mail users.



________________________________

    From: Scheffenegger, Richard
    Sent: Saturday, 06 November 2010 13:04
    To: 'wireshark-users@xxxxxxxxxxxxx'
    Subject: reassemble.c assertion tvb_bytes_exist in 1GB trace file

    Hi,

    I'm using wireshark-1.5.0-34789, and wanted to analyse a 1GB trace file.

    Tshark complains with

    ** (tshark.exe:1920): WARNING **: Dissector bug, protocol TCP, in packet 84634:
    reassemble.c:929: failed assertion "tvb_bytes_exist(tvb, offset, frag_data_len)"

    on numerous occasions. The trace was captured with a limit of 200 bytes per
    packet; should be enough to always contain the complete TCP header. IP
    fragmentation shouldn't happen, as the trace was taken off a network with
    MTU 1500 on all ends...

    Last time I tried the GUI version, it seems to load the file nearly to
    completion, until it crashes too.

    I don't know if slicing the trace file will do any good, as that might
    remove the evidence as to why the dissector fails. Any hints as to how to
    provide the raw data in order to fix this would be very much appreciated!

    The error doesn't occur evenly distributed - attached a list of packets
    tshark complains about.

    Thanks a lot,

    Richard Scheffenegger

    packet 84634:
    packet 84754:
    packet 84763:
    packet 84815:
    packet 85044:
    packet 202436:
    packet 202647:
    packet 202857:
    packet 203054:
    packet 203260:
    packet 468451:
    packet 541519:
    packet 541536:
    packet 541567:
    packet 541570:
    packet 541576:
    packet 541580:
    packet 541585:
    packet 541708:
    packet 541750:
    packet 541780:
    packet 541929:
    packet 542095:
    packet 880683:
    packet 1110473:
    packet 1160392:
    packet 1160416:
    packet 1160454:
    packet 1160456:
    packet 1160464:
    packet 1160468:
    packet 1160491:
    packet 1160508:
    packet 1160554:
    packet 1160615:
    packet 1160923:
    packet 1161058:
    packet 1278454:
    packet 1278601:
    packet 1278881:
    packet 1279040:
    packet 1279251:
    packet 1279348:
    packet 1279574:
    packet 1279676:
    packet 1279861:
    packet 1279995:
    packet 1280171:
    packet 1280202:
    packet 1280355:
    packet 1280517:
    packet 1280594:
    packet 1280756:
    packet 1280880:
    packet 1281025:
    packet 1281127:
    packet 1281246:
    packet 1281327:
    packet 1281532:
    packet 1281667:
    packet 1281914:
    packet 1282021:
    packet 1282193:
    packet 1282302:
    packet 1282504:
    packet 1282621:
    packet 1282840:
    packet 1283036:
    packet 1283306:
    packet 1283458:
    packet 1283643:
    packet 1283800:
    packet 1283976:
    packet 1284119:
    packet 1284198:
    packet 1284325:
    packet 1284501:
    packet 1284775:
    packet 1284912:
    packet 1285054:
    packet 1285185:
    packet 1285415:
    packet 1285607:
    packet 1285724:
    packet 1285889:
    packet 1285986:
    packet 1286071:
    packet 1286249:
    packet 1286401:
    packet 1286584:
    packet 1286722:
    packet 1286810:
    packet 1286925:
    packet 1287095:
    packet 1287144:
    packet 1287184:
    packet 1287331:
    packet 1287475:
    packet 1287564:
    packet 1287619:
    packet 1287787:
    packet 1287830:
    packet 1287968:
    packet 1288115:
    packet 1288246:
    packet 1288310:
    packet 1288548:
    packet 1288602:
    packet 1288752:
    packet 1288891:
    packet 1289140:
    packet 1289230:
    packet 1289510:
    packet 1289638:
    packet 1289773:
    packet 1289899:
    packet 1289996:
    packet 1290177:
    packet 1290306:
    packet 1290451:
    packet 1290512:
    packet 1290728:
    packet 1290903:
    packet 1291045:
    packet 1291152:
    packet 1291369:
    packet 1291672:
    packet 1291779:
    packet 1291874:
    packet 1291962:
    packet 1292098:
    packet 1292168:
    packet 1292306:
    packet 1292371:
    packet 1292715:
    packet 1292868:
    packet 1293121:
    packet 1293227:
    packet 1293387:
    packet 1293869:
    packet 1293940:
    packet 1293950:
    packet 1293967:
    packet 1294208:
    packet 1294485:
    packet 1294660:
    packet 1294968:
    packet 1295034:
    packet 1295151:
    packet 1295170:
    packet 1295562:
    packet 1295703:
    packet 1296117:
    packet 1296425:
    packet 1296530:
    packet 1296701:
    packet 1296871:
    packet 1297289:
    packet 1297363:
    packet 1297511:
    packet 1297822:
    packet 1298054:
    packet 1298188:
    packet 1298320:
    packet 1298427:
    packet 1298636:
    packet 1298719:
    packet 1298887:
    packet 1298975:
    packet 1299307:
    packet 1299468:
    packet 1299691:
    packet 1299798:
    packet 1300167:
    packet 1300271:
    packet 1300511:
    packet 1300630:
    packet 1300959:
    packet 1301161:
    packet 1301342:
    packet 1301867:
    packet 1302043:
    packet 1303079:
    packet 1303243:
    packet 1303524:
    packet 1304535:
    packet 1306134:
    packet 1306478:
    packet 1306851:
    packet 1307334:
    packet 1307424:
    packet 1307487:
    packet 1307603:
    packet 1307944:
    packet 1308002:
    packet 1308162:
    packet 1308334:
    packet 1308394:
    packet 1308478:
    packet 1308685:
    packet 1308812:
    packet 1308996:
    packet 1309075:
    packet 1309238:
    packet 1309317:
    packet 1309461:
    packet 1309499:
    packet 1309644:
    packet 1309733:
    packet 1310106:
    packet 1310261:
    packet 1310519:
    packet 1310737:
    packet 1310837:
    packet 1310924:
    packet 1311093:
    packet 1312686:
    packet 1312842:
    packet 1312973:
    packet 1313074:
    packet 1313614:
    packet 1313804:
    packet 1314070:
    packet 1314373:
    packet 1315139:
    packet 1315663:
    packet 1315961:
    packet 1316002:
    packet 1316154:
    packet 1316339:
    packet 1316512:
    packet 1316599:
    packet 1316676:
    packet 1316761:
    packet 1316969:
    packet 1317003:
    packet 1317078:
    packet 1317159:
    packet 1317288:
    packet 1317396:
    packet 1317571:
    packet 1317672:
    packet 1317762:
    packet 1317993:
    packet 1318142:
    packet 1318349:
    packet 1318567:
    packet 1318846:
    packet 1319028:
    packet 1319315:
    packet 1319572:
    packet 1319906:
    packet 1320090:
    packet 1320395:
    packet 1320506:
    packet 1320536:
    packet 1320844:
    packet 1320956:
    packet 1321051:
    packet 1321176:
    packet 1321264:
    packet 1321401:
    packet 1321443:
    packet 1321599:
    packet 1321685:
    packet 1321939:
    packet 1322206:
    packet 1322327:
    packet 1322428:
    packet 1322741:
    packet 1322831:
    packet 1322979:
    packet 1323064:
    packet 1323326:
    packet 1323461:
    packet 1323680:
    packet 1323933:
    packet 1324196:
    packet 1324333:
    packet 1324484:
    packet 1324694:
    packet 1324799:
    packet 1325105:
    packet 1325247:
    packet 1325379:
    packet 1325546:
    packet 1325675:
    packet 1325741:
    packet 1325882:
    packet 1326024:
    packet 1326164:
    packet 1326242:
    packet 1326521:
    packet 1326619:
    packet 1326789:
    packet 1326909:
    packet 1327138:
    packet 1327330:
    packet 1327593:
    packet 1327742:
    packet 1327944:
    packet 1328079:
    packet 1328307:
    packet 1328492:
    packet 1328643:
    packet 1328765:
    packet 1328962:
    packet 1329152:
    packet 1329212:
    packet 1329345:
    packet 1329524:
    packet 1329649:
    packet 1329785:
    packet 1330130:
    packet 1330257:
    packet 1330397:
    packet 1330515:
    packet 1330607:
    packet 1330843:
    packet 1330971:
    packet 1331090:
    packet 1331125:
    packet 1331310:
    packet 1331347:
    packet 1331782:
    packet 1331865:
    packet 1332073:
    packet 1332311:
    packet 1332501:
    packet 1333249:
    packet 1333312:
    packet 1333428:
    packet 1333497:
    packet 1333916:
    packet 1334037:
    packet 1334240:
    packet 1334338:
    packet 1334527:
    packet 1334745:
    packet 1334804:
    packet 1335069:
    packet 1335284:
    packet 1335549:
    packet 1335710:
    packet 1335796:
    packet 1335862:
    packet 1336001:
    packet 1336094:
    packet 1336156:
    packet 1336234:
    packet 1336327:
    packet 1336676:
    packet 1336736:
    packet 1336917:
    packet 1337054:
    packet 1337109:
    packet 1337147:
    packet 1337205:
    packet 1337380:
    packet 1337467:
    packet 1337578:
    packet 1337627:
    packet 1337765:
    packet 1337877:
    packet 1338049:
    packet 1338177:
    packet 1338363:
    packet 1338452:
    packet 1338657:
    packet 1338716:
    packet 1338768:
    packet 1338923:
    packet 1339060:
    packet 1339181:
    packet 1339345:
    packet 1339481:
    packet 1339657:
    packet 1339811:
    packet 1339995:
    packet 1340157:
    packet 1340353:
    packet 1340439:
    packet 1340648:
    packet 1340805:
    packet 1340960:
    packet 1340998:
    packet 1341887:
    packet 1341998:
    packet 1342065:
    packet 1342083:
    packet 1342230:
    packet 1342317:
    packet 1342411:
    packet 1342681:
    packet 1342894:
    packet 1343061:
    packet 1343261:
    packet 1343406:
    packet 1343529:
    packet 1343611:
    packet 1343707:
    packet 1343850:
    packet 1344169:
    packet 1344282:
    packet 1344547:
    packet 1344668:
    packet 1344805:
    packet 1344861:
    packet 1344969:
    packet 1345014:
    packet 1345213:
    packet 1345347:
    packet 1345471:
    packet 1345854:
    packet 1346056:
    packet 1346244:
    packet 1346342:
    packet 1346378:
    packet 1346402:
    packet 1346450:
    packet 1346459:
    packet 1346579:
    packet 1346721:
    packet 1346943:
    packet 1347003:
    packet 1347151:
    packet 1347270:
    packet 1347516:
    packet 1347647:
    packet 1347886:
    packet 1348272:
    packet 1348719:
    packet 1348887:
    packet 1349086:
    packet 1349279:
    packet 1349519:
    packet 1349690:
    packet 1349909:
    packet 1349987:
    packet 1350192:
    packet 1350296:
    packet 1350453:
    packet 1350518:
    packet 1350654:
    packet 1350738:
    packet 1350907:
    packet 1350956:
    packet 1351116:
    packet 1351161:
    packet 1351327:
    packet 1351404:
    packet 1351526:
    packet 1351611:
    packet 1351788:
    packet 1351835:
    packet 1352054:
    packet 1352100:
    packet 1352197:
    packet 1352358:
    packet 1352389:
    packet 1352567:
    packet 1352641:
    packet 1352877:
    packet 1352925:
    packet 1353104:
    packet 1353240:
    packet 1353422:
    packet 1353563:
    packet 1353659:
    packet 1353751:
    packet 1353867:
    packet 1353968:
    packet 1354088:
    packet 1354194:
    packet 1354313:
    packet 1354425:
    packet 1354533:
    packet 1354668:
    packet 1355048:
    packet 1355271:
    packet 1355455:
    packet 1355609:
    packet 1355812:
    packet 1355841:
    packet 1355983:
    packet 1356116:
    packet 1356261:
    packet 1356548:
    packet 1356768:
    packet 1356914:
    packet 1357358:
    packet 1357524:
    packet 1357758:
    packet 1357843:
    packet 1357972:
    packet 1358116:
    packet 1358369:
    packet 1358427:
    packet 1358513:
    packet 1358563:
    packet 1358671:
    packet 1358859:
    packet 1358899:
    packet 1358993:
    packet 1359092:
    packet 1359176:
    packet 1359305:
    packet 1359529:
    packet 1359643:
    packet 1359711:
    packet 1359769:
    packet 1359871:
    packet 1360168:
    packet 1360307:
    packet 1360587:
    packet 1360785:
    packet 1361127:
    packet 1361280:
    packet 1361475:
    packet 1361738:
    packet 1362087:
    packet 1362257:
    packet 1362470:
    packet 1362724:
    packet 1362941:
    packet 1363213:
    packet 1363363:
    packet 1363601:
    packet 1363805:
    packet 1364066:
    packet 1364200:
    packet 1364391:
    packet 1364520:
    packet 1364603:
    packet 1364656:
    packet 1364847:
    packet 1365078:
    packet 1365237:
    packet 1365414:
    packet 1365655:
    packet 1365841:
    packet 1366031:
    packet 1366353:
    packet 1366451:
    packet 1366589:
    packet 1366730:
    packet 1366997:
    packet 1367062:
    packet 1367231:
    packet 1367322:
    packet 1367604:
    packet 1367745:
    packet 1367961:
    packet 1368093:
    packet 1368219:
    packet 1368286:
    packet 1368399:
    packet 1368493:
    packet 1368686:
    packet 1368849:
    packet 1368994:
    packet 1369197:
    packet 1369394:
    packet 1369677:
    packet 1369789:
    packet 1369981:
    packet 1370140:
    packet 1370324:
    packet 1370404:
    packet 1370591:
    packet 1370738:
    packet 1370919:
    packet 1370981:
    packet 1371169:
    packet 1371303:
    packet 1371472:
    packet 1371547:
    packet 1371653:
    packet 1371703:
    packet 1371949:
    packet 1372077:
    packet 1372229:
    packet 1372398:
    packet 1372572:
    packet 1372670:
    packet 1372814:
    packet 1373020:
    packet 1373210:
    packet 1373438:
    packet 1373486:
    packet 1373628:
    packet 1373763:
    packet 1373925:
    packet 1374046:
    packet 1374200:
    packet 1374399:
    packet 1374596:
    packet 1374719:
    packet 1374897:
    packet 1375025:
    packet 1375241:
    packet 1375322:
    packet 1375449:
    packet 1375535:
    packet 1375765:
    packet 1375956:
    packet 1376139:
    packet 1376329:
    packet 1376510:
    packet 1376589:
    packet 1376632:
    packet 1376778:
    packet 1376883:
    packet 1376929:
    packet 1377061:
    packet 1377176:
    packet 1377373:
    packet 1377501:
    packet 1377661:
    packet 1377827:
    packet 1377944:
    packet 1378093:
    packet 1378188:
    packet 1378300:
    packet 1378380:
    packet 1378546:
    packet 1378661:
    packet 1378751:
    packet 1378839:
    packet 1378983:
    packet 1378994:
    packet 1379082:
    packet 1379207:
    packet 1379381:
    packet 1379480:
    packet 1379721:
    packet 1379966:
    packet 1380253:
    packet 1380496:
    packet 1380821:
    packet 1381154:
    packet 1381455:
    packet 1381663:
    packet 1381952:
    packet 1382192:
    packet 1382445:
    packet 1382645:
    packet 1382801:
    packet 1382880:
    packet 1383071:
    packet 1383162:
    packet 1383300:
    packet 1383476:
    packet 1383704:
    packet 1383792:
    packet 1383974:
    packet 1384152:
    packet 1384373:
    packet 1384608:
    packet 1384735:
    packet 1384874:
    packet 1384946:
    packet 1385152:
    packet 1385297:
    packet 1385429:
    packet 1385581:
    packet 1385738:
    packet 1385849:
    packet 1385983:
    packet 1386113:
    packet 1386252:
    packet 1386283:
    packet 1386479:
    packet 1386670:
    packet 1386848:
    packet 1386987:
    packet 1387108:
    packet 1387338:
    packet 1400503:
    packet 1599500:
    packet 1674305:
    packet 1674318:
    packet 1674351:
    packet 1674354:
    packet 1674362:
    packet 1674364:
    packet 1674378:
    packet 1674388:
    packet 1674500:
    packet 1674577:
    packet 1674690:
    packet 1674881:
    packet 1873583:
    packet 1984224:
    packet 2247406:
    packet 2305559:
    packet 2305568:
    packet 2305569:
    packet 2305571:
    packet 2305572:
    packet 2305597:
    packet 2305659:
    packet 2305664:
    packet 2305667:
    packet 2305684:
    packet 2305685:
    packet 2305868:
    packet 2570125:
    packet 2807898:
    packet 2873202:
    packet 2873219:
    packet 2873263:
    packet 2873265:
    packet 2873272:
    packet 2873275:
    packet 2873283:
    packet 2873291:
    packet 2873478:
    packet 2874318:
    packet 2874763:
    packet 2875758:
    packet 3161385:
    packet 3401443:
    packet 3430747:
    packet 3430756:
    packet 3430764:
    packet 3430779:
    packet 3430797:
    packet 3430798:
    packet 3430814:
    packet 3430829:
    packet 3430839:
    packet 3430931:
    packet 3431044:
    packet 3431320:
    packet 3459025:
    packet 3459123:
    packet 3716574:
    packet 3978493:
    packet 4071144:
    packet 4071159:
    packet 4071340:
    packet 4071345:
    packet 4071354:
    packet 4071391:
    packet 4071431:
    packet 4071447:
    packet 4071452:
    packet 4071477:
    packet 4071614:
    packet 4072257:
    packet 4103226:
    packet 4103394:
    packet 4103585:
    packet 4103867:
    packet 4103951:
    packet 4104129:
    packet 4104314:
    packet 4104498:
    packet 4104641:
    packet 4104823:
    packet 4105036:
    packet 4105318:
    packet 4327471:
    packet 4327650:
    packet 4327831:
    packet 4328014:
    packet 4328199:
    packet 4328378:
    packet 4328555:
    packet 4328738:
    packet 4328807:
    packet 4328850:
    packet 4328904:
    packet 4329079:
    packet 4329254:
    packet 4329435:
    packet 4329609:
    packet 4329783:
    packet 4329966:
    packet 4330145:
    packet 4330328:
    packet 4330689:
    packet 4330860:
    packet 4331039:
    packet 4331218:
    packet 4331399:
    packet 4331572:
    packet 4331747:
    packet 4331926:
    packet 4332106:
    packet 4332287:
    packet 4332466:
    packet 4332653:
    packet 4332836:
    packet 4333013:
    packet 4333192:
    packet 4333581:
    packet 4333722:
    packet 4333899:
    packet 4334082:
    packet 4334256:
    packet 4334440:
    packet 4334621:
    packet 4335138:
    packet 4335321:
    packet 4335498:
    packet 4335676:
    packet 4335850:
    packet 4336029:
    packet 4336076:
    packet 4336103:
    packet 4336130:
    packet 4336159:
    packet 4336187:
    packet 4336219:
    packet 4336246:
    packet 4336273:
    packet 4336302:
    packet 4336331:
    packet 4336360:
    packet 4336387:
    packet 4336414:
    packet 4336443:
    packet 4336470:
    packet 4336497:
    packet 4336526:
    packet 4336553:
    packet 4336580:
    packet 4336607:
    packet 4336642:
    packet 4336675:
    packet 4336702:
    packet 4336731:
    packet 4336768:
    packet 4336796:
    packet 4336826:
    packet 4336855:
    packet 4336882:
    packet 4336909:
    packet 4336936:
    packet 4336963:
    packet 4336991:
    packet 4337019:
    packet 4337048:
    packet 4337079:
    packet 4337106:
    packet 4337133:
    packet 4337160:
    packet 4337189:
    packet 4337220:
    packet 4337252:
    packet 4337280:
    packet 4337307:
    packet 4337336:
    packet 4337441:
    packet 4337628:
    packet 4341014:
    packet 4341191:
    packet 4341368:
    packet 4341547:
    packet 4341725:
    packet 4341915:
    packet 4342090:
    packet 4342273:
    packet 4342468:
    packet 4342649:
    packet 4342833:
    packet 4343016:
    packet 4343191:
    packet 4343366:
    packet 4343549:
    packet 4343629:
    packet 4343667:
    packet 4343689:
    packet 4343734:
    packet 4343915:
    packet 4344094:
    packet 4344273:
    packet 4344456:
    packet 4344637:
    packet 4344858:
    packet 4344997:
    packet 4345182:
    packet 4345361:
    packet 4345534:
    packet 4345711:
    packet 4345862:
    packet 4346037:
    packet 4346212:
    packet 4346397:
    packet 4346587:
    packet 4346772:
    packet 4346947:
    packet 4347104:
    packet 4347285:
    packet 4347464:
    packet 4347699:
    packet 4347878:
    packet 4348058:
    packet 4348240:
    packet 4348419:
    packet 4348602:
    packet 4348767:
    packet 4348955:
    packet 4349130:
    packet 4349311:
    packet 4349503:
    packet 4349731:
    packet 4349885:
    packet 4350066:
    packet 4350253:
    packet 4350428:
    packet 4350639:
    packet 4350792:
    packet 4350985:
    packet 4351162:
    packet 4351369:
    packet 4351532:
    packet 4351715:
    packet 4351913:
    packet 4352091:
    packet 4399599:

-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/ms-tnef
Size: 9565 bytes
Desc: not available
Url : http://www.wireshark.org/lists/wireshark-users/attachments/20101109/2f03f424/attachment.bin

------------------------------

Message: 6
Date: Wed, 10 Nov 2010 17:29:04 -0500
From: Sai Prashant <y.saiprashant@xxxxxxxxx>
Subject: [Wireshark-users] "No fonts found" error Wireshark on Solaris
    8
To: wireshark-users@xxxxxxxxxxxxx
Message-ID:
    <AANLkTi=ho=hu4=oTcjHnFNBbA1yDsbSUwrqeejJCipG0@xxxxxxxxxxxxxx>
Content-Type: text/plain; charset="iso-8859-1"

Hi All,

I am facing the below error after installing Wireshark on Solaris 8. Please
help me in resolving this error.

Thanks & Regards,
#usr/local/bin/wireshark -f
No fonts found; this probably means that the fontconfig library is not
correctly configured. You may need to edit the fonts.conf configuration
file. More information about fontconfig can be found in the fontconfig(3)
manual page and on http://fontconfig.org
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://www.wireshark.org/lists/wireshark-users/attachments/20101110/56871391/attachment.htm

------------------------------

Message: 7
Date: Thu, 11 Nov 2010 12:04:20 +0530
From: Sahaj <sahaj85@xxxxxxxxx>
Subject: [Wireshark-users] Decrypting SSL traffic through tshark
To: wireshark-users@xxxxxxxxxxxxx
Message-ID:
    <AANLkTinmwpPZc3VMFyCWGHh2Xy_TT7ZcCHNu2sL3K3vu@xxxxxxxxxxxxxx>
Content-Type: text/plain; charset="iso-8859-1"

Hi All,

I am new to Wireshark.

I need to decrypt SSL traffic to get the content length.

./tshark -o "ssl.keys_list:,443,http,client.ky" -T fields -E separator=":" -e frame.time_relative -e frame.number -e tcp.len -e http.content_length -e tcp.flags.fin -e tcp.flags.push -R "ip.src == source_ip && ip.dst == destination_ip && tcp.srcport == 443 && ! (tcp.analysis.out_of_order) && ! (tcp.analysis.retransmission) " -r sample.pcap

here the result is,

2.765700000:35:0::0:0
2.765990000:37:0::0:0
2.925676000:39:0::0:0
2.925967000:41:0::0:0
5.766952000:66:835::0:1
5.767578000:70:0::0:0
5.767648000:71:0::0:0
5.927948000:72:835::0:1
5.928435000:76:0::0:0
5.928609000:77:0::0:0
5.970891000:78:43::0:1
6.131897000:80:43::0:1
6.132293000:83:0::0:0
6.133199000:84:1460::0:0
6.134092000:85:1460::0:0
6.236042000:90:1280::1:1

The field for content length is empty.

Please help me out and let me know if I am missing anything or doing something wrong.

thanks.

--
Regards,
Sahaj
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://www.wireshark.org/lists/wireshark-users/attachments/20101111/eb68831b/attachment.htm

------------------------------

Message: 8
Date: Thu, 11 Nov 2010 19:14:08 +0100
From: Sake Blok <sake@xxxxxxxxxx>
Subject: Re: [Wireshark-users] Decrypting SSL traffic through tshark
To: Community support list for Wireshark
    <wireshark-users@xxxxxxxxxxxxx>
Message-ID: <95BA2989-BC0E-4F1E-9569-8922039B49F0@xxxxxxxxxx>
Content-Type: text/plain; charset=us-ascii

On 11 nov 2010, at 07:34, Sahaj wrote:

> I need to decrypt SSL traffic to get content length.
>
> ./tshark  -o "ssl.keys_list:,443,http,client.ky" -T fields -E separator=":"  -e frame.time_relative -e frame.number -e tcp.len -e http.content_length -e tcp.flags.fin -e tcp.flags.push  -R "ip.src == source_ip && ip.dst == destination_ip  && tcp.srcport == 443 && ! (tcp.analysis.out_of_order)  && ! (tcp.analysis.retransmission) "  -r sample.pcap
> [...]
> the field for content length is empty.
>
> please help me out and suggest me if i am missing anything or doing wrong.

You should use the server IP address in the keys_list:

-o "ssl.keys_list:<SERVER-IP>,443,http,client.ky"

It also helps if you add:

-o "ssl.debug_file:ssl-debug.log"

That way you can see in the logfile if the key is loaded OK in Wireshark and you can follow the decryption process.

Let's see how that goes first...

Cheers,


Sake
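The reply above says to follow the decryption process in the ssl.debug_file log. The script below is an added example, not code from this thread or from the Wireshark project: it reads such a log and reports whether the private key was loaded and, more usefully, in which frames "no decoder available" hit an application_data record (content_type 23) rather than a handshake record (content_type 22), because a missing decoder on the ServerHello is normal (no ClientKeyExchange has been seen yet) while a missing decoder on application data means decryption really failed. It relies only on the message formats visible in the debug-log excerpts posted in this thread; the sample log, the IP 10.0.0.5, the handle values and the frame numbers are constructed placeholders.

```python
"""Triage a Wireshark/tshark ssl.debug_file log.

Added example, not code from the thread or from the Wireshark project. It
relies only on the debug-log message formats visible in this thread's
excerpts; the sample log below is constructed (IP, handles and frame
numbers are placeholders).
"""
import re
from dataclasses import dataclass, field
from typing import List, Tuple

KEY_LOADED = re.compile(r"ssl_init private key file (\S+) successfully loaded")
HOST_ENTRY = re.compile(r"ssl_init found host entry (\S+),(\d+),(\w+),(\S+)")
FRAME = re.compile(r"dissect_ssl enter frame #(\d+)")
CONTENT_TYPE = re.compile(r"dissect_ssl3_record: content_type (\d+)")
NO_DECODER = re.compile(r"decrypt_ssl3_record: no decoder available")

# TLS record content types: 20 change_cipher_spec, 21 alert, 22 handshake, 23 application_data
APPLICATION_DATA = 23


@dataclass
class SslDebugSummary:
    key_files_loaded: List[str] = field(default_factory=list)
    host_entries: List[Tuple[str, int, str, str]] = field(default_factory=list)
    # Frames where "no decoder available" hit a handshake record. That is normal
    # before ClientKeyExchange has been processed, so it is reported, not flagged.
    handshake_without_decoder: List[int] = field(default_factory=list)
    # Frames where an application_data record had no decoder: real decryption failures.
    app_data_without_decoder: List[int] = field(default_factory=list)

    def verdict(self) -> str:
        if not self.key_files_loaded:
            return ("key not loaded: check the ssl.keys_list path and that the file "
                    "is the server's unencrypted PEM private key")
        if self.app_data_without_decoder:
            return ("key loaded but application data was not decrypted in frames "
                    f"{self.app_data_without_decoder}: the keys_list IP/port must match the "
                    "server side of the conversation and the capture must contain the "
                    "full handshake including ClientKeyExchange")
        return "key loaded; no undecryptable application_data record seen"


def summarize_ssl_debug_log(text: str) -> SslDebugSummary:
    """Walk the log once, tracking the current frame and record content type."""
    summary = SslDebugSummary()
    frame = None
    content_type = None
    for line in text.splitlines():
        m = KEY_LOADED.search(line)
        if m:
            summary.key_files_loaded.append(m.group(1))
            continue
        m = HOST_ENTRY.search(line)
        if m:
            summary.host_entries.append((m.group(1), int(m.group(2)), m.group(3), m.group(4)))
            continue
        m = FRAME.search(line)
        if m:
            frame, content_type = int(m.group(1)), None
            continue
        m = CONTENT_TYPE.search(line)
        if m:
            content_type = int(m.group(1))
            continue
        if NO_DECODER.search(line) and frame is not None:
            bucket = (summary.app_data_without_decoder if content_type == APPLICATION_DATA
                      else summary.handshake_without_decoder)
            if frame not in bucket:
                bucket.append(frame)
    return summary


# Constructed sample log in the format tshark writes with -o "ssl.debug_file:..."
SAMPLE_LOG = """\
ssl_init keys string:
10.0.0.5,443,http,server.key
ssl_init found host entry 10.0.0.5,443,http,server.key
ssl_init addr '10.0.0.5' port '443' filename 'server.key' password(only for p12 file) '(null)'
ssl_init private key file server.key successfully loaded
association_add TCP port 443 protocol http handle 0x90fcee0

dissect_ssl enter frame #66 (first time)
  conversation = 0xb68257d0, ssl_session = 0xb68259a8
dissect_ssl3_record found version 0x0301 -> state 0x11
dissect_ssl3_record: content_type 22
decrypt_ssl3_record: app_data len 58 ssl, state 0x11
packet_from_server: is from server - TRUE
decrypt_ssl3_record: using server decoder
decrypt_ssl3_record: no decoder available
dissect_ssl3_handshake iteration 1 type 2 offset 5 length 54 bytes, remaining 63

dissect_ssl enter frame #84 (first time)
dissect_ssl3_record: content_type 23
decrypt_ssl3_record: app_data len 1433 ssl, state 0x17
packet_from_server: is from server - TRUE
decrypt_ssl3_record: using server decoder
decrypt_ssl3_record: no decoder available
"""

if __name__ == "__main__":
    s = summarize_ssl_debug_log(SAMPLE_LOG)
    print("keys loaded:", s.key_files_loaded)
    print("host entries:", s.host_entries)
    print("handshake frames without decoder (expected):", s.handshake_without_decoder)
    print("application data frames without decoder (failures):", s.app_data_without_decoder)
    print("verdict:", s.verdict())
```

Run it against the real log with `summarize_ssl_debug_log(open("ssl-debug.log").read())`. The verdict lists the causes that fit this thread (wrong IP/port in keys_list, handshake missing from the capture); keep in mind that private-key decryption of this kind only works when the session used RSA key exchange, so a DHE cipher suite also leaves every application_data record without a decoder even with the correct key.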



------------------------------

Message: 9
Date: Thu, 11 Nov 2010 14:37:27 -0500
From: Sean Sparacio <seansparacio@xxxxxxxxx>
Subject: [Wireshark-users] Trouble converting .pcap file to XML (pdms)
    via    command line in Windows
To: wireshark-users@xxxxxxxxxxxxx
Message-ID:
    <AANLkTik8yM=8YCfRseQr1RTuC3i6vsdwqo84jFKEf_aw@xxxxxxxxxxxxxx>
Content-Type: text/plain; charset="iso-8859-1"

Guys,

I've tried every possible combination of command line parameters that I can
think of to convert a given .pcap file to XML in pdms format.  None of them
work, at all.  In addition, I can't seem to successfully redirect the
standard output to a file at all, no matter what.  Here are a few examples
of what I've tried:

tshark -r c:\capture.pcap -T pdml > c:\capture.xml
tshark -V -r c:\capture.pcap > capture.txt
tshark -r "C:\capture.pcap" -t pdml>"C:\capture.xml"

I've studied the command-line parameters a great deal - am I missing
something simple?

Thanks in advance,

Sean Sparacio
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://www.wireshark.org/lists/wireshark-users/attachments/20101111/08f87d7d/attachment.htm

------------------------------

_______________________________________________
Wireshark-users mailing list
Wireshark-users@xxxxxxxxxxxxx
https://wireshark.org/mailman/listinfo/wireshark-users


End of Wireshark-users Digest, Vol 54, Issue 10
***********************************************