Wireshark-dev: Re: [Wireshark-dev] Plugin for Lawful Interception of SSL/TLS messages ...
Krishna,
It is true that there is a way to decrypt SSL/TLS in wireshark, and to
write a dissector that can handle a protocol that's tunneled through
SSL/TLS. If you're writing a dissector that will look at the voip
traffic, here's generally what you'd do:
* One of the two connections in the SSL tunnel needs to be using a
static key, and you need a copy of this key.
* In wireshark, click Edit -> Preferences -> Protocols -> SSL
* A field on this screen (name escapes me) takes a parameter formatted
like this:
<ip>,<port>,<protocol>,<path>
... where <ip> and <port> are the ip of the server whose private keyfile
you have, <port> is the port you want to dissect on, <protocol> is the
protocol you expect to get out of the SSL/TLS traffic (for example, if
the traffic you're wanting to examine rides on top of http, you'd want
to put the string http in place of <protocol>, then have your dissector
look at http traffic to determine whether your dissector can handle it.
Alternatively, you'd put the protocol name of your dissector if you want
to directly handle the unencrypted payload). Finally, <path> is the path
to your keyfile. In *nix, I believe the field separator is ; instead of ,
* Once you have it working, you'd then need a dissector to handle the
traffic you want to examine. This is where your own coding skills come
into play. There may be a voip dissector already, but I don't have the
latest wireshark build on this computer to check.
-Brian
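The four-field entry format described above (`<ip>,<port>,<protocol>,<path>`) is easy to get subtly wrong before it ever reaches Wireshark, and a copy of a server's private key is sensitive material that should be checked for loose file permissions. The following validator is an added example written for this thread, not Wireshark code and not Brian's or Krishna's; every function and class name in it is hypothetical, and the addresses and paths are constructed. It assumes only the entry format from the reply, with `,` as the default separator and `;` selectable for the *nix case mentioned. One caveat the reply does not state: a static server private key can only decrypt sessions whose cipher suite uses RSA key exchange, so sessions negotiated with ephemeral Diffie-Hellman (DHE/ECDHE) stay opaque even with the key file in place.

```python
"""Validator for Wireshark-style RSA key list entries of the form
    <ip>,<port>,<protocol>,<path>
Added example for the mailing-list reply above; not Wireshark code.
All names here are hypothetical; only the entry format comes from the reply.
"""
import ipaddress
import os
import stat
from dataclasses import dataclass
from typing import List

# PEM headers a private-key file is expected to start with (PKCS#1 or PKCS#8).
PEM_PRIVATE_KEY_HEADERS = (
    b"-----BEGIN RSA PRIVATE KEY-----",
    b"-----BEGIN PRIVATE KEY-----",
)


@dataclass
class KeyListEntry:
    ip: str
    port: int
    protocol: str
    path: str

    def render(self, sep: str = ",") -> str:
        # Reverse of parse_entry: the string to paste into the preference field.
        return sep.join((self.ip, str(self.port), self.protocol, self.path))


def parse_entry(text: str, sep: str = ",") -> KeyListEntry:
    """Split one entry into its four fields; raise ValueError on malformed input."""
    parts = [p.strip() for p in text.strip().split(sep)]
    if len(parts) != 4:
        raise ValueError(f"expected 4 fields separated by {sep!r}, got {len(parts)}")
    ip, port_s, protocol, path = parts
    ipaddress.ip_address(ip)            # ValueError if not a valid IPv4/IPv6 address
    port = int(port_s)                  # ValueError if not an integer
    if not 1 <= port <= 65535:
        raise ValueError(f"port out of range: {port}")
    if not protocol.replace("-", "").replace("_", "").isalnum():
        raise ValueError(f"protocol name looks wrong: {protocol!r}")
    if not path:
        raise ValueError("key file path is empty")
    return KeyListEntry(ip, port, protocol, path)


def check_keyfile_bytes(data: bytes, mode: int) -> List[str]:
    """Pure checks on key-file content and POSIX mode bits; returns found problems."""
    problems = []
    if not any(h in data for h in PEM_PRIVATE_KEY_HEADERS):
        problems.append("key file does not contain a PEM private-key header")
    # A copy of the server's private key should not be readable by group/others.
    if mode & (stat.S_IRWXG | stat.S_IRWXO):
        problems.append("key file is readable by group/others; it should be mode 0600")
    return problems


def check_keyfile(path: str) -> List[str]:
    """Read the key file from disk and run the content/permission checks."""
    if not os.path.isfile(path):
        return [f"key file not found: {path}"]
    with open(path, "rb") as f:
        data = f.read(4096)             # the header is at the top; no need to read it all
    mode = stat.S_IMODE(os.stat(path).st_mode)
    return check_keyfile_bytes(data, mode)


def check_entry(text: str, sep: str = ",", check_file: bool = True) -> List[str]:
    """Return all problems with one entry; an empty list means it is ready to use."""
    try:
        entry = parse_entry(text, sep)
    except ValueError as e:
        return [str(e)]
    return check_keyfile(entry.path) if check_file else []


if __name__ == "__main__":
    # Constructed sample entries (documentation address range, made-up path).
    for sample in ("192.0.2.10,443,http,/etc/ssl/private/server.key",
                   "192.0.2.10,99999,http,/etc/ssl/private/server.key",
                   "not-an-ip,443,http,/etc/ssl/private/server.key"):
        print(sample, "->", check_entry(sample, check_file=False) or "OK")
```

Run it with `check_file=True` against the real key path once the entry parses cleanly; the permission check is POSIX-oriented and will report nothing useful for file systems without mode bits.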
phanivenkata.krishna@xxxxxxxxx wrote:
Hi,
I’m doing a study project on Voip security using TLS. We can send
H.323 messages in an encrypted TLS tunnel. To debug these messages we
need a plug-in in Wireshark which actually decrypts the TLS and the
tunneled messages. However, I guess it is not so easy to decrypt the
data sent in the TLS tunnel.
I heard that there is Lawful Interception services with which can
get/trace the keys exchanged during TLS handshake and use the keys for
further decryption of data may be by feeding the key to TLS plug-in or
so.
Does Wireshark have support for this kind of functionality?
Can any one help me in giving more details and information in this area?
Regards,
Krishna.