Wireshark mailing list archives
Re: Decrypting SSL traffic through tshark
From: sahaj pandey <sahaj_p () yahoo co in>
Date: Fri, 12 Nov 2010 19:41:11 +0530 (IST)
Removing the other message and posting it again. Sorry for the spam.

Hi Sake, thanks a lot for replying. Previously I had tried giving the server IP only, but somehow missed mentioning that. This time I have used "ssl.debug_file:debug.log":

  tshark -o "ssl.keys_list:<server ip>,443,http,server.key" \
         -o "ssl.debug_file:debug.log" \
         -T fields -E separator=":" \
         -e frame.number -e http.content_length -e tcp.len -e ssl.record \
         -R "ip.src == <server_ip> && ip.dst == dest_ip && tcp.srcport == 443 && ! (tcp.analysis.out_of_order) && ! (tcp.analysis.retransmission)" \
         -r sample.pcap

Again I am not able to get decrypted data. I am seeing a line "no decoder available". The log file has this kind of entries:

------
ssl_init keys string: server_ip,http,server.key
ssl_init found host entry <serve_ip>,443,http,server.key
ssl_init addr '<server_ip>' port '443' filename 'server.key' password(only for p12 file) '(null)'
ssl_init private key file server.key successfully loaded
association_add TCP port 443 protocol http handle 0x90fcee0
association_find: TCP port 993 found 0x9597f78
ssl_association_remove removing TCP 993 - imap handle 0x910a500
association_add TCP port 993 protocol imap handle 0x910a500
association_find: TCP port 995 found 0x9597fb0
ssl_association_remove removing TCP 995 - pop handle 0x91ccf00
association_add TCP port 995 protocol pop handle 0x91ccf00

dissect_ssl enter frame #66 (first time)
conversation = 0xb68257d0, ssl_session = 0xb68259a8
dissect_ssl3_record found version 0x0301 -> state 0x11
dissect_ssl3_record: content_type 22
decrypt_ssl3_record: app_data len 58 ssl, state 0x11
association_find: TCP port 443 found 0x9940730
packet_from_server: is from server - TRUE
decrypt_ssl3_record: using server decoder
decrypt_ssl3_record: no decoder available
dissect_ssl3_handshake iteration 1 type 2 offset 5 length 54 bytes, remaining 63
dissect_ssl3_hnd_hello_common found SERVER RANDOM -> state 0x13
dissect_ssl3_hnd_srv_hello found CIPHER 0x0004 -> state 0x17
dissect_ssl3_hnd_srv_hello not enough data to generate key (required 0x37)
dissect_ssl3_record: content_type 22
decrypt_ssl3_record: app_data len 758 ssl, state 0x17
association_find: TCP port 443 found 0x9940730
packet_from_server: is from server - TRUE
decrypt_ssl3_record: using server decoder
decrypt_ssl3_record: no decoder available
dissect_ssl3_handshake iteration 1 type 11 offset 68 length 754 bytes, remaining 826
dissect_ssl3_record: content_type 22
decrypt_ssl3_record: app_data len 4 ssl, state 0x17
association_find: TCP port 443 found 0x9940730
packet_from_server: is from server - TRUE
decrypt_ssl3_record: using server decoder
decrypt_ssl3_record: no decoder available
dissect_ssl3_handshake iteration 1 type 14 offset 831 length 0 bytes, remaining 835
------

What can I do further to get it decrypted? Thanks for the help.

Regards,
sahaj

________________________________
From: "wireshark-users-request () wireshark org" <wireshark-users-request () wireshark org>
To: wireshark-users () wireshark org
Sent: Fri, 12 November, 2010 1:30:03 AM
Subject: Wireshark-users Digest, Vol 54, Issue 10

------------------------------

Message: 7
Date: Thu, 11 Nov 2010 12:04:20 +0530
From: Sahaj <sahaj85 () gmail com>
Subject: [Wireshark-users] Decrypting SSL traffic through tshark
To: wireshark-users () wireshark org
Message-ID: <AANLkTinmwpPZc3VMFyCWGHh2Xy_TT7ZcCHNu2sL3K3vu () mail gmail com>
Content-Type: text/plain; charset="iso-8859-1"

Hi All,

I am new to Wireshark. I need to decrypt SSL traffic to get the content length.

  ./tshark -o "ssl.keys_list:,443,http,client.ky" \
           -T fields -E separator=":" \
           -e frame.time_relative -e frame.number -e tcp.len -e http.content_length -e tcp.flags.fin -e tcp.flags.push \
           -R "ip.src == source_ip && ip.dst == destination_ip && tcp.srcport == 443 && ! (tcp.analysis.out_of_order) && ! (tcp.analysis.retransmission)" \
           -r sample.pcap

Here the result is:

2.765700000:35:0::0:0
2.765990000:37:0::0:0
2.925676000:39:0::0:0
2.925967000:41:0::0:0
5.766952000:66:835::0:1
5.767578000:70:0::0:0
5.767648000:71:0::0:0
5.927948000:72:835::0:1
5.928435000:76:0::0:0
5.928609000:77:0::0:0
5.970891000:78:43::0:1
6.131897000:80:43::0:1
6.132293000:83:0::0:0
6.133199000:84:1460::0:0
6.134092000:85:1460::0:0
6.236042000:90:1280::1:1

The field for content length is empty. Please help me out and suggest whether I am missing anything or doing something wrong. Thanks.

--
Regards,
Sahaj

-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://www.wireshark.org/lists/wireshark-users/attachments/20101111/eb68831b/attachment.htm

------------------------------

Message: 8
Date: Thu, 11 Nov 2010 19:14:08 +0100
From: Sake Blok <sake () euronet nl>
Subject: Re: [Wireshark-users] Decrypting SSL traffic through tshark
To: Community support list for Wireshark <wireshark-users () wireshark org>
Message-ID: <95BA2989-BC0E-4F1E-9569-8922039B49F0 () euronet nl>
Content-Type: text/plain; charset=us-ascii

On 11 nov 2010, at 07:34, Sahaj wrote:
> I need to decrypt SSL traffic to get the content length.
>
>   ./tshark -o "ssl.keys_list:,443,http,client.ky" \
>            -T fields -E separator=":" \
>            -e frame.time_relative -e frame.number -e tcp.len -e http.content_length -e tcp.flags.fin -e tcp.flags.push \
>            -R "ip.src == source_ip && ip.dst == destination_ip && tcp.srcport == 443 && ! (tcp.analysis.out_of_order) && ! (tcp.analysis.retransmission)" \
>            -r sample.pcap
>
> [...]
>
> The field for content length is empty. Please help me out and suggest whether I am missing anything or doing something wrong.
You should use the server IP address in the keys_list:

  -o "ssl.keys_list:<SERVER-IP>,443,http,client.ky"

It also helps if you add:

  -o "ssl.debug_file:ssl-debug.log"

That way you can see in the logfile whether the key is loaded OK in Wireshark, and you can follow the decryption process. Let's see how that goes first...

Cheers,
Sake

------------------------------

_______________________________________________
Wireshark-users mailing list
Wireshark-users () wireshark org
https://wireshark.org/mailman/listinfo/wireshark-users

End of Wireshark-users Digest, Vol 54, Issue 10
***********************************************
___________________________________________________________________________
Sent via: Wireshark-users mailing list <wireshark-users () wireshark org>
Archives: http://www.wireshark.org/lists/wireshark-users
Unsubscribe: https://wireshark.org/mailman/options/wireshark-users
              mailto:wireshark-users-request () wireshark org?subject=unsubscribe
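As an added example (not code from the thread or from Wireshark itself), the following Python script triages an ssl.debug_file log of the kind posted above: it reports whether the private key was loaded, which port-to-protocol associations exist, and, per frame, which session-state bits Wireshark held when it logged "not enough data to generate key" and how often it reported "no decoder available". The state-bit names are the ones from Wireshark's packet-ssl-utils.h of that era (CLIENT_RANDOM 0x01, SERVER_RANDOM 0x02, CIPHER 0x04, VERSION 0x10, MASTER_SECRET 0x20, and so on) and the cipher-suite table is a short hand-written subset; both are assumptions to verify against your own build. The embedded sample log is constructed from the lines quoted above.

```python
"""Triage of a Wireshark ssl.debug_file log (added example, not from the thread)."""
import re
from collections import OrderedDict

# Session-state flag bits as in Wireshark's packet-ssl-utils.h (1.x era).
# Assumption: they match the build that produced the log; verify in your tree.
STATE_BITS = OrderedDict([
    (0x01, "CLIENT_RANDOM"),
    (0x02, "SERVER_RANDOM"),
    (0x04, "CIPHER"),
    (0x08, "HAVE_SESSION_KEY"),
    (0x10, "VERSION"),
    (0x20, "MASTER_SECRET"),
    (0x40, "PRE_MASTER_SECRET"),
])

# Hand-written subset of cipher suites with their key-exchange method. Only plain
# RSA key exchange can be decrypted with the server's private key; (EC)DHE cannot.
CIPHER_SUITES = {
    0x0004: ("TLS_RSA_WITH_RC4_128_MD5", "RSA"),
    0x0005: ("TLS_RSA_WITH_RC4_128_SHA", "RSA"),
    0x002F: ("TLS_RSA_WITH_AES_128_CBC_SHA", "RSA"),
    0x0035: ("TLS_RSA_WITH_AES_256_CBC_SHA", "RSA"),
    0x0033: ("TLS_DHE_RSA_WITH_AES_128_CBC_SHA", "DHE"),
}

# Constructed sample: the relevant lines of the debug.log posted in the thread.
SAMPLE_LOG = """\
ssl_init keys string: server_ip,http,server.key
ssl_init private key file server.key successfully loaded
association_add TCP port 443 protocol http handle 0x90fcee0
dissect_ssl enter frame #66 (first time)
dissect_ssl3_record found version 0x0301 -> state 0x11
decrypt_ssl3_record: no decoder available
dissect_ssl3_hnd_hello_common found SERVER RANDOM -> state 0x13
dissect_ssl3_hnd_srv_hello found CIPHER 0x0004 -> state 0x17
dissect_ssl3_hnd_srv_hello not enough data to generate key (required 0x37)
decrypt_ssl3_record: no decoder available
decrypt_ssl3_record: no decoder available
"""

FRAME_PATTERNS = (
    ("version", r"found version 0x([0-9a-fA-F]+)"),
    ("cipher", r"found CIPHER 0x([0-9a-fA-F]+)"),
    ("state", r"-> state 0x([0-9a-fA-F]+)"),
    ("required", r"not enough data to generate key \(required 0x([0-9a-fA-F]+)\)"),
)


def state_names(mask):
    """Names of the STATE_BITS set in mask, in bit order."""
    return [name for bit, name in STATE_BITS.items() if mask & bit]


def parse_ssl_debug(text):
    """Return {'keys': [files], 'associations': {port: proto}, 'frames': {no: info}}."""
    keys, assoc, frames, cur = [], {}, OrderedDict(), None
    for line in (raw.strip() for raw in text.splitlines()):
        m = re.match(r"ssl_init private key file (\S+) successfully loaded", line)
        if m:
            keys.append(m.group(1))
            continue
        m = re.match(r"association_add TCP port (\d+) protocol (\S+)", line)
        if m:
            assoc[int(m.group(1))] = m.group(2)
            continue
        m = re.match(r"dissect_ssl enter frame #(\d+)", line)
        if m:
            cur = frames.setdefault(int(m.group(1)), {
                "version": None, "cipher": None, "state": None,
                "required": None, "no_decoder": 0})
            continue
        if cur is None:
            continue  # global ssl_init lines before the first frame
        for key, pat in FRAME_PATTERNS:  # hex values attach to the current frame
            m = re.search(pat, line)
            if m:
                cur[key] = int(m.group(1), 16)
        if "no decoder available" in line:
            cur["no_decoder"] += 1
    return {"keys": keys, "associations": assoc, "frames": frames}


def diagnose(report):
    """Human-readable findings, most fundamental first."""
    out = []
    if not report["keys"]:
        out.append("no private key loaded: check ssl.keys_list and the key file")
    for fno, f in report["frames"].items():
        if f["cipher"] is not None:
            name, kx = CIPHER_SUITES.get(f["cipher"], ("unknown suite", "unknown"))
            verdict = "decryptable with the server key" if kx == "RSA" \
                else "server private key cannot decrypt this exchange"
            out.append("frame %d: cipher 0x%04x %s, %s key exchange, %s"
                       % (fno, f["cipher"], name, kx, verdict))
        if f["required"] is not None and f["state"] is not None:
            missing = f["required"] & ~f["state"]  # bits Wireshark still needs
            out.append("frame %d: key generation deferred, state 0x%02x lacks %s (required 0x%02x)"
                       % (fno, f["state"], "+".join(state_names(missing)) or "nothing", f["required"]))
        if f["no_decoder"]:
            out.append("frame %d: 'no decoder available' x%d, no session keys at that point"
                       % (fno, f["no_decoder"]))
    return out


if __name__ == "__main__":
    for finding in diagnose(parse_ssl_debug(SAMPLE_LOG)):
        print(finding)
```

On the sample above the script reports that server.key loaded, that 0x0004 is an RSA-key-exchange suite the server key can in principle decrypt, and that at the ServerHello the session state 0x17 still lacked MASTER_SECRET (0x37 minus 0x17 is 0x20). For a fresh (non-resumed) session that is where the key material is expected to appear only once the ClientKeyExchange is processed, so the lines to inspect next are the ones Wireshark writes for that later frame, which the excerpt in the thread stops short of. To use the script on a real log, replace SAMPLE_LOG with the file contents (for instance by reading the path passed on the command line).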
Current thread:
- Decrypting SSL traffic through tshark Sahaj (Nov 11)
- Re: Decrypting SSL traffic through tshark Sake Blok (Nov 11)
- <Possible follow-ups>
- Re: Decrypting SSL traffic through tshark sahaj pandey (Nov 12)
- Re: Decrypting SSL traffic through tshark sahaj pandey (Nov 12)
- Re: Decrypting SSL traffic through tshark Sake Blok (Nov 12)