Is it possible to use the ssl filter for ssh traffic?
I was trying to use it. I think I figured out how to use the ssl filter
and after I experiment with it I'd like to write about it on the wiki.
I think the problem I am having is I am trying to use it for ssh
traffic which I thought used ssl.
Has anyone successfully used the ssl filter to filter out ssh traffic?
Here is what I tried.
In the preferences I went down to the ssl protocol and in
RSA key lists: 127.0.0.1,22,ssl,/etc/ssh/ssh_host_rsa_key
SSL debug file: /root/ssldebug.txt
Then I start my capture on lo
and I start an ssh session to 127.0.0.1
Then I select the part of the ssh traffic, one that says Continuation Data
Then in the Analyze menu I select "decode as"
Then I select both ports then SSL
Then under Analyze menu I have an option to Follow SSL Stream
(I suspect under normal ssl I would see text going across, I'll start
an ssl page later and try this)
But it always comes up empty. Below I'll post the error log from ssldebug.txt:
association_remove_handle removing ptr 0x9b31f08 handle 0x98ab4e0
association_remove_handle removing ptr 0x9b31ca0 handle 0x98c90e0
association_remove_handle removing ptr 0x9b31be0 handle 0x989c2e8
association_remove_handle removing ptr 0x9b319a0 handle 0x992c9b0
ssl_init keys string 172.24.0.21,22,ssl,/root/www.ssh_host_rsa_key
ssl_init found host entry 172.24.0.21,22,ssl,/root/www.ssh_host_rsa_key
ssl_init addr 172.24.0.21 port 22 filename /root/www.ssh_host_rsa_key
ssl_get_version: 1.2.10
ssl_init private key file /root/www.ssh_host_rsa_key successfully loaded
association_add port 22 protocol ssl handle 0x9a3e170
association_add port 443 protocol http handle 0x98ab4e0
association_add port 636 protocol ldap handle 0x98c90e0
association_add port 993 protocol imap handle 0x989c2e8
association_add port 995 protocol pop handle 0x992c9b0
ssl_session_init: initializing ptr 0xb2bda978 size 568
association_find: port 22 found 0x9b7a410
packet_from_server: is from server 1
dissect_ssl server 127.0.0.1:22