Wireshark mailing list archives

Re: wireshark and matlab (Doug Legge)


From: Doug Legge <Doug.Legge () BerkeleyGroup co uk>
Date: Thu, 5 Nov 2009 20:59:01 -0000

1. Have a look at the .pdml export in Wireshark
2. Open the .pdml as an .xml in Excel
3. Transpose as required
4. In MATLAB use the commands:
   data = [];      % create an empty variable to receive the values
   openvar data    % open it in the Variable Editor, where the cells can be pasted in
such that you can copy & paste the data required into MATLAB

Doug
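The Excel step in the recipe above can be scripted instead. The following Python is an added example, not code from this thread or from Wireshark: it parses a constructed two-packet PDML fragment (the element and attribute shape of Wireshark's PDML export, reduced to the attributes used here) and writes a CSV with MATLAB-safe column names that readtable can load; the field names selected and their values are assumptions.

```python
import csv
import io
import xml.etree.ElementTree as ET

# Constructed PDML sample (same <pdml>/<packet>/<proto>/<field> nesting as a Wireshark export).
SAMPLE_PDML = """<pdml version="0" creator="wireshark/1.2.3">
<packet>
  <proto name="frame"><field name="frame.time_epoch" show="1257450001.250"/>
    <field name="frame.len" showname="Frame Length: 74 bytes" show="74"/></proto>
  <proto name="ip"><field name="ip.src" show="10.0.0.5" value="0a000005"/>
    <field name="ip.dst" show="10.0.0.25" value="0a000019"/></proto>
  <proto name="tcp"><field name="tcp.srcport" show="49152"/><field name="tcp.dstport" show="990"/>
    <field name="tcp.flags" show="0x0002"><field name="tcp.flags.syn" show="1"/></field></proto>
</packet>
<packet>
  <proto name="frame"><field name="frame.time_epoch" show="1257450001.375"/><field name="frame.len" show="66"/></proto>
  <proto name="ip"><field name="ip.src" show="10.0.0.25"/><field name="ip.dst" show="10.0.0.5"/></proto>
  <proto name="tcp"><field name="tcp.srcport" show="990"/><field name="tcp.dstport" show="49152"/>
    <field name="tcp.flags" show="0x0012"><field name="tcp.flags.syn" show="1"/></field></proto>
</packet>
</pdml>
"""


def pdml_to_rows(pdml_text, fields):
    """One row per <packet>: the 'show' value of each requested field name, '' if absent.
    Fields nest (<field> inside <field>), so the whole packet subtree is searched."""
    root = ET.fromstring(pdml_text)
    rows = []
    for packet in root.iter("packet"):
        found = {}
        for f in packet.iter("field"):
            name = f.get("name")
            if name in fields and name not in found:      # keep the first occurrence only
                found[name] = f.get("show", "")
        rows.append([found.get(name, "") for name in fields])
    return rows


def rows_to_csv(rows, fields):
    """CSV with a header row; dots become underscores so the headers are valid MATLAB names."""
    buf = io.StringIO()
    w = csv.writer(buf)
    w.writerow([name.replace(".", "_") for name in fields])
    w.writerows(rows)
    return buf.getvalue()


if __name__ == "__main__":
    FIELDS = ["frame.time_epoch", "frame.len", "ip.src", "tcp.dstport", "tcp.flags.syn"]
    print(rows_to_csv(pdml_to_rows(SAMPLE_PDML, FIELDS), FIELDS))
```

Redirect the output to a file and load it in MATLAB with readtable('packets.csv'); the numeric columns arrive as doubles, ip_src as text.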

-----Original Message-----
From: wireshark-users-bounces () wireshark org
[mailto:wireshark-users-bounces () wireshark org] On Behalf Of
wireshark-users-request () wireshark org
Sent: 05 November 2009 19:44
To: wireshark-users () wireshark org
Subject: Wireshark-users Digest, Vol 42, Issue 9

Send Wireshark-users mailing list submissions to
        wireshark-users () wireshark org

To subscribe or unsubscribe via the World Wide Web, visit
        https://wireshark.org/mailman/listinfo/wireshark-users
or, via email, send a message with subject or body 'help' to
        wireshark-users-request () wireshark org

You can reach the person managing the list at
        wireshark-users-owner () wireshark org

When replying, please edit your Subject line so it is more specific
than "Re: Contents of Wireshark-users digest..."


Today's Topics:

   1. Re: need help to decrypt SSL packets (Sake Blok)
   2. Re: wireshark and matlab (Jaap Keuter)
   3. Re: need help to decrypt SSL packets (Arnold Wang)


----------------------------------------------------------------------

Message: 1
Date: Thu, 5 Nov 2009 20:20:16 +0100
From: "Sake Blok" <sake () euronet nl>
Subject: Re: [Wireshark-users] need help to decrypt SSL packets
To: "Community support list for Wireshark"
        <wireshark-users () wireshark org>
Message-ID: <2BFF83D5C6824AA4B919FFF4144A9D40 () local ionip nl>
Content-Type: text/plain; charset="iso-8859-1"

Well, wireshark uses GnuTLS instead of OpenSSL, I'm not sure which version
of GnuTLS was the first one to include 4K key support, but it must have been
supporting it for a while as my tshark (1.3.0) is built with version 2.0.4
(which is 2 years old) and it is capable of importing 4K keys.

If I look at your file size (3264 bytes) and compare it to the size of my
4K key file (3243 bytes), there must be some extra data in your file that
OpenSSL can skip, but GnuTLS can't. It can't be an extra CR after each line,
as that would have added 51 extra characters instead of 21.

Could it be a paging message or maybe coloring escape codes? Try using "od
-c /tmp/esd.key" to see whether there are escape codes in the file that
"more" might use instead of display.

I looked at the source code and the only place that this error message can
be generated is when the function "gnutls_x509_privkey_import" fails. At
this point in the code, the key has already been successfully read from file.
So it's definitely not a permission or IO issue, it's a conversion issue.

Hope this helps,
Cheers,


Sake

----- Original Message ----- 
  From: Arnold Wang 
  To: Community support list for Wireshark 
  Sent: Thursday, November 05, 2009 6:39 PM
  Subject: Re: [Wireshark-users] need help to decrypt SSL packets


  I used SSL decryption before and this is the first time I've run into this
  particular problem, couldn't read the key file. This is the first time I
  tried to read a 4096-bit key. However, since openssl seems to have no problem
  reading it, I would assume wireshark should be able to as well.

  The permission seems ok.

  [awang@arnoldw tmp]$ ls -l /tmp/esd.key
  -rw-r--r--. 1 awang users 3264 2009-11-05 09:28 /tmp/esd.key
  [awang@arnoldw tmp]$ ls -l `which wireshark`
  lrwxrwxrwx. 1 root root 13 2009-11-04 14:23 /usr/bin/wireshark -> consolehelper
  [awang@arnoldw tmp]$ ls -l `which openssl`
  -rwxr-xr-x. 1 root root 444640 2009-05-21 09:47 /usr/bin/openssl

  BTW, the error happens before I even open the trace file so it has nothing
  to do with it. Unfortunately, I can't upload the whole private key since
  it's for one of our public production sites.

  Thanks for the help.

  From: wireshark-users-bounces () wireshark org
  [mailto:wireshark-users-bounces () wireshark org] On Behalf Of Sake Blok
  Sent: Wednesday, November 04, 2009 2:56 PM
  To: Community support list for Wireshark
  Subject: Re: [Wireshark-users] need help to decrypt SSL packets

  Seems you are doing the right thing.

  Are you able to decrypt SSL traffic in other tracefiles with other keys?
  Or was this your first try?

  Could you share the output of:

  ls -l /tmp/esd.key
  ls -l `which wireshark`
  ls -l `which openssl`

  .. to see whether it could be a permission problem?

  And are you able to share the tracefile and key or are they from a
  production environment?

  Cheers,
      Sake

    ----- Original Message -----
    From: Arnold Wang
    To: 'wireshark-users () wireshark org'
    Sent: Tuesday, November 03, 2009 9:07 PM
    Subject: [Wireshark-users] need help to decrypt SSL packets

    I'm running Wireshark 1.1.3, which comes with Fedora 11. When I tried to decode
    the captured FTPS traffic, I ran into trouble loading the private key
    into Wireshark. I got the following error message when I started Wireshark:

    ssl_init keys string:
    10.x.100.25,990,ftps,/tmp/esd.key
    ssl_init found host entry 10.x.100.25,990,ftps,/tmp/esd.key
    ssl_init addr '10.x.100.25' port '990' filename '/tmp/esd.key' password(only for p12 file) '(null)'
    ssl_load_key: can't import pem data

    As far as I can tell, the private key looks OK.

    [awang@mars tmp]$ more esd.key
    -----BEGIN PRIVATE KEY-----
    MIIJQgIBADANBgkqhkiG9w0BAQEFAASCCSwwggkoAgEAAoICAQDuYd7gPiqjx/+pFfQ0QhHhUBR5
    t8WDrji+N7QEmmULguE+MJiku4de35EjrlR5PkW6voZ+/xpKjNQvqpi6YI/IzBEgS4b61zreBM55
    ..
    paDoKh7nJpUz+PlQ9YuOUtSXuadQMqsqipYY9CygeQD8xZMopfcrb+obifGZrgfP3KYpTT5mUxld
    z/qpPf+Cs+pvgBzzYu4AIaCMG+8lqeS2cD2z8jOavSonRcOfMw==
    -----END PRIVATE KEY-----

    [awang@mars tmp]$ openssl rsa -inform pem -in esd.key -noout -text
    Private-Key: (4096 bit)
    modulus:
        00:ee:61:de:e0:3e:2a:a3:c7:ff:a9:15:f4:34:42:
        11:e1:50:14:79:b7:c5:83:ae:38:be:37:b4:04:9a:
    ..

    What did I miss?
    Thanks.


----------------------------------------------------------------------------

 
___________________________________________________________________________
    Sent via:    Wireshark-users mailing list
<wireshark-users () wireshark org>
    Archives:    http://www.wireshark.org/lists/wireshark-users
    Unsubscribe: https://wireshark.org/mailman/options/wireshark-users
 
mailto:wireshark-users-request () wireshark org?subject=unsubscribe
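Sake's diagnosis above (extra bytes that OpenSSL skips but GnuTLS rejects, to be checked with od -c) can be turned into a repeatable check. The Python below is an added example, not code from this thread, from Wireshark or from GnuTLS: it wraps constructed dummy bytes in a PEM envelope (no real key) and reports CR line endings, terminal escape bytes, junk before or after the PEM block, and whether the body is strict base64. The file size and line counts are the only things it needs from a real key file.

```python
import base64
import binascii
import re

# One PEM block; the body (group 2) may contain any bytes, which is exactly what we want to inspect.
PEM_RE = re.compile(rb"-----BEGIN ([A-Z0-9 ]+)-----\r?\n(.*?)-----END \1-----", re.S)


def make_pem(payload: bytes, label: str = "PRIVATE KEY") -> bytes:
    """Wrap arbitrary bytes in a well-formed PEM envelope (constructed test data, not a key)."""
    b64 = base64.b64encode(payload).decode("ascii")
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return (f"-----BEGIN {label}-----\n" + "\n".join(lines)
            + f"\n-----END {label}-----\n").encode("ascii")


def check_pem(data: bytes) -> dict:
    """Report byte-level defects that a strict PEM importer rejects but a lenient one tolerates."""
    report = {
        "size": len(data),
        "cr_count": data.count(b"\r"),                    # CRLF line endings (one CR per line)
        "escape_bytes": data.count(b"\x1b"),              # ESC starts terminal colour/paging codes
        "control_bytes": sum(1 for b in data if b < 0x20 and b not in (0x0A, 0x0D)),
        "pem_block": False,
        "base64_ok": False,
    }
    m = PEM_RE.search(data)
    if m is None:                                         # no BEGIN/END pair with matching labels
        return report
    report["pem_block"] = True
    report["label"] = m.group(1).decode("ascii")
    report["junk_before"] = m.start()                     # bytes ahead of the BEGIN line
    report["junk_after"] = len(data[m.end():].lstrip(b"\r\n"))  # bytes after END beyond newlines
    body = b"".join(m.group(2).split())                   # drop whitespace, keep everything else
    try:
        report["der_bytes"] = len(base64.b64decode(body, validate=True))
        report["base64_ok"] = True
    except binascii.Error:
        pass                                              # non-base64 bytes inside the body
    return report


if __name__ == "__main__":
    clean = make_pem(bytes(range(256)) * 2)
    for name, sample in [("clean", clean),
                         ("crlf", clean.replace(b"\n", b"\r\n")),
                         ("coloured", b"\x1b[1m" + clean + b"\x1b[0m\n")]:
        print(name, check_pem(sample))
```

Run it on the real file with check_pem(open("/tmp/esd.key", "rb").read()); a non-zero cr_count, escape_bytes or junk count names the bytes od -c would show by eye.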




------------------------------

Message: 2
Date: Thu, 05 Nov 2009 20:33:56 +0100
From: Jaap Keuter <jaap.keuter () xs4all nl>
Subject: Re: [Wireshark-users] wireshark and matlab
To: Community support list for Wireshark
        <wireshark-users () wireshark org>
Message-ID: <4AF328A4.2050009 () xs4all nl>
Content-Type: text/plain; charset=ISO-8859-1; format=flowed

haneugen () yahoo de wrote:
Hi,

is there an import or export available to further process data captured
using wireshark with matlab?

Cheers,
   hne


Hi,

That more or less depends on what kind of input matlab requires.

Wireshark has several export formats, as does tshark, or maybe even
rawshark.

Thanx,
Jaap


------------------------------

Message: 3
Date: Thu, 5 Nov 2009 11:43:43 -0800
From: Arnold Wang <arnold.wang () inovis com>
Subject: Re: [Wireshark-users] need help to decrypt SSL packets
To: Community support list for Wireshark
        <wireshark-users () wireshark org>
Message-ID:
        <BF551DA05F914444A738E58BF25FAC760FD325FE () CONMAILP01 itlogon com>
Content-Type: text/plain; charset="us-ascii"

Thanks for pointing out that the app is using GnuTLS. Let me confirm the key
using the GnuTLS utilities first.


------------------------------

_______________________________________________
Wireshark-users mailing list
Wireshark-users () wireshark org
https://wireshark.org/mailman/listinfo/wireshark-users


End of Wireshark-users Digest, Vol 42, Issue 9
**********************************************

