Wireshark-dev: Re: [Wireshark-dev] Need help with decrypting wireshark data....
From: Al <shaselai@xxxxxxxxx>
Date: Thu, 14 Oct 2010 13:24:02 -0700 (PDT)
Ok, I found this message:

decrypt_ssl3_record: using server decoder
decrypt_ssl3_record: no decoder available
dissect_ssl3_handshake iteration 1 type 2 offset 5 length 70 bytes, remaining 4690
dissect_ssl3_hnd_hello_common found SERVER RANDOM -> state 0x13
dissect_ssl3_hnd_srv_hello found CIPHER 0x0004 -> state 0x17
dissect_ssl3_hnd_srv_hello trying to generate keys
ssl_generate_keyring_material not enough data to generate key (0x17 required 0x37 or 0x57)
dissect_ssl3_hnd_srv_hello can't generate keyring material

It seems the server decoder isn't available - how do I make it available or select some other decoder? I am kinda stuck on this... thanks!

--- On Thu, 10/14/10, Al <shaselai@xxxxxxxxx> wrote:

> From: Al <shaselai@xxxxxxxxx>
> Subject: Re: [Wireshark-dev] Need help with decrypting wireshark data....
> To: wireshark-dev@xxxxxxxxxxxxx
> Date: Thursday, October 14, 2010, 3:11 PM
>
> I am pretty sure I am on the right server since the key is loaded and I checked netstat and found the IP of the webservice... but still from Wireshark the client basically does handshake and cert check with server and then afterwards server just sends "fin" and ends it.... really not sure what's going on here...
>
> --- On Wed, 10/13/10, Al <shaselai@xxxxxxxxx> wrote:
>
> > From: Al <shaselai@xxxxxxxxx>
> > Subject: Need help with decrypting wireshark data....
> > To: wireshark-dev@xxxxxxxxxxxxx
> > Date: Wednesday, October 13, 2010, 5:13 PM
> >
> > I followed a guide where I extracted my private key and inserted it into the SSL preferences in Wireshark like:
> >
> > 123.456.55.678,443,http,C:\testkey.pem
> >
> > I tried both http and https - I thought since I am talking to the server in https it might be https? Anyway, both failed to decrypt (still see jargon raw data when I view the TCP stream).
> >
> > The debug log gives me:
> >
> > ssl_association_remove removing TCP 443 - http handle 03164D48
> > ssl_init keys string: 123.456.55.678,443,http,C:\testkey.pem
> > ssl_init found host entry 123.456.55.678,443,http,C:\testkey.pem
> > ssl_init addr '123.456.55.678' port '443' filename 'C:\testkey.pem' password(only for p12 file) '(null)'
> > Private key imported: KeyID 01:31:a7:9e:fc:94:8b:08:2f:17:65:13:20:f9:d3:81:...
> > ssl_init private key file C:\testkey.pem successfully loaded
> > association_add TCP port 443 protocol http handle 03164D48
> >
> > dissect_ssl enter frame #4 (first time)
> > ssl_session_init: initializing ptr 04E41BAC size 584
> > conversation = 04E41868, ssl_session = 04E41BAC
> > record: offset = 0, reported_length_remaining = 100
> > packet_from_server: is from server - FALSE
> > ssl_find_private_key server 123.456.55.678:443
> > client random len: 32 padded to 32
> > dissect_ssl2_hnd_client_hello found CLIENT RANDOM -> state 0x01
> > ........
> >
> > So it seems the key has been found and loaded BUT when I check the STOPPED TCP stream it is still all jargon... what am I doing wrong here? thanks
>
> ___________________________________________________________________________
> Sent via: Wireshark-dev mailing list <wireshark-dev@xxxxxxxxxxxxx>
> Archives: http://www.wireshark.org/lists/wireshark-dev
> Unsubscribe: https://wireshark.org/mailman/options/wireshark-dev
> mailto:wireshark-dev-request@xxxxxxxxxxxxx?subject=unsubscribe
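The `state 0x..` and `required 0x.. or 0x..` values in the debug output above are a bitmask of what Wireshark's SSL dissector has collected for the session so far. The following Python script is an added example for this thread, not code from the thread or from Wireshark: it parses those debug lines and names the bits in each state value. The bit assignments and the "all of these plus one of those" check are taken from Wireshark's packet-ssl-utils.h and packet-ssl-utils.c of the 1.x era; treat them as an assumption to verify against the source of the version in use. The sample log is a constructed copy of the lines quoted above.

```python
"""Decode the `state 0x..` values printed by Wireshark's SSL debug log.

Added example for the mailing-list thread above; not Wireshark code.
"""
import re

# Session-state bits as defined in Wireshark's packet-ssl-utils.h
# (assumed to match the 2010-era source that produced the quoted log).
STATE_BITS = [
    (1 << 0, "CLIENT_RANDOM"),
    (1 << 1, "SERVER_RANDOM"),
    (1 << 2, "CIPHER"),
    (1 << 3, "HAVE_SESSION_KEY"),
    (1 << 4, "VERSION"),
    (1 << 5, "MASTER_SECRET"),
    (1 << 6, "PRE_MASTER_SECRET"),
]
NAME_TO_BIT = {name: bit for bit, name in STATE_BITS}

# ssl_generate_keyring_material needs every bit in NEED_ALL plus at least one
# bit in NEED_ANY; its debug line prints NEED_ALL|MASTER_SECRET and
# NEED_ALL|PRE_MASTER_SECRET as the two acceptable masks (0x37 / 0x57).
NEED_ALL = (NAME_TO_BIT["CLIENT_RANDOM"] | NAME_TO_BIT["SERVER_RANDOM"]
            | NAME_TO_BIT["CIPHER"] | NAME_TO_BIT["VERSION"])          # 0x17
NEED_ANY = NAME_TO_BIT["MASTER_SECRET"] | NAME_TO_BIT["PRE_MASTER_SECRET"]

STATE_RE = re.compile(r"-> state 0x([0-9A-Fa-f]+)\b")
CIPHER_RE = re.compile(r"found CIPHER 0x([0-9A-Fa-f]{4})")
FAIL_RE = re.compile(
    r"not enough data to generate key "
    r"\(0x([0-9A-Fa-f]+) required 0x([0-9A-Fa-f]+) or 0x([0-9A-Fa-f]+)\)"
)

# Constructed copy of the debug output quoted in the thread.
SAMPLE_LOG = """\
decrypt_ssl3_record: using server decoder
decrypt_ssl3_record: no decoder available
dissect_ssl3_handshake iteration 1 type 2 offset 5 length 70 bytes, remaining 4690
dissect_ssl3_hnd_hello_common found SERVER RANDOM -> state 0x13
dissect_ssl3_hnd_srv_hello found CIPHER 0x0004 -> state 0x17
dissect_ssl3_hnd_srv_hello trying to generate keys
ssl_generate_keyring_material not enough data to generate key (0x17 required 0x37 or 0x57)
dissect_ssl3_hnd_srv_hello can't generate keyring material
"""


def decode_state(state: int) -> list[str]:
    """Return the names of the bits set in a `state 0x..` value."""
    return [name for bit, name in STATE_BITS if state & bit]


def missing_for_keys(state: int) -> list[str]:
    """List what ssl_generate_keyring_material still lacks at `state`."""
    missing = [name for bit, name in STATE_BITS
               if bit & NEED_ALL and not state & bit]
    if not state & NEED_ANY:
        missing.append("MASTER_SECRET or PRE_MASTER_SECRET")
    return missing


def analyse_log(text: str) -> dict:
    """Walk the log, record states and cipher, and explain each key failure."""
    result = {"states": [], "cipher": None, "failures": []}
    for line in text.splitlines():
        m = STATE_RE.search(line)
        if m:
            result["states"].append(int(m.group(1), 16))
        m = CIPHER_RE.search(line)
        if m:
            result["cipher"] = int(m.group(1), 16)   # 0x0004 = TLS_RSA_WITH_RC4_128_MD5
        m = FAIL_RE.search(line)
        if m:
            state, req_a, req_b = (int(g, 16) for g in m.groups())
            # Cross-check our bit table against the masks Wireshark itself printed.
            expected = {NEED_ALL | NAME_TO_BIT["MASTER_SECRET"],
                        NEED_ALL | NAME_TO_BIT["PRE_MASTER_SECRET"]}
            result["failures"].append({
                "state": state,
                "have": decode_state(state),
                "missing": missing_for_keys(state),
                "masks_match_table": {req_a, req_b} == expected,
            })
    return result


if __name__ == "__main__":
    report = analyse_log(SAMPLE_LOG)
    print(f"cipher suite 0x{report['cipher']:04x}")
    for f in report["failures"]:
        print(f"state 0x{f['state']:02x}: have {f['have']}, missing {f['missing']}")
```

Run on the quoted log it reports state 0x17 as CLIENT_RANDOM, SERVER_RANDOM, CIPHER and VERSION, with only the master secret or pre-master secret missing; the private key itself is not one of the bits, which is why "key loaded" and "can't generate keyring material" can both be true. With cipher 0x0004 (RSA key exchange) the pre-master secret only becomes available once Wireshark decrypts the ClientKeyExchange with the configured private key, so this failure logged from the ServerHello handler is the expected early attempt; the diagnostic question is whether the capture contains the ClientKeyExchange at all and whether the same message is still logged after that record has been dissected.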