Wireshark-users: Re: [Wireshark-users] How to decode non-standard SSL traffic
From: "Kukosa, Tomas" <tomas.kukosa@xxxxxxxxxxx>
Date: Tue, 23 Jan 2007 15:40:43 +0100
Hi,

more important for detecting why it is not decoded are packets from SSL
handshake

you should see e.g. following:

...
dissect_ssl3_hnd_hello_common found CLIENT RANDOM -> state 0x01
...
dissect_ssl3_hnd_hello_common found SERVER RANDOM -> state 0x13
dissect_ssl3_hnd_srv_hello found CIPHER 0x002F -> state 0x17
... 
dissect_ssl3_handshake found SSL_HND_CLIENT_KEY_EXCHG state 0x17
...
dissect_ssl3_handshake session keys succesfully generated



Mailcode: NdD2sKHg
-----Original Message-----
From: wireshark-users-bounces@xxxxxxxxxxxxx
[mailto:wireshark-users-bounces@xxxxxxxxxxxxx] On Behalf Of
lemons_terry@xxxxxxx
Sent: Tuesday, January 23, 2007 3:31 PM
To: wireshark-users@xxxxxxxxxxxxx
Subject: Re: [Wireshark-users] How to decode non-standard SSL traffic

Hi Tomas

Thanks for suggestions!  I did enable SSL debug, and learned a lot from
it.  I saw that Wireshark did not like my RSA-format key file, but liked
the self-signed SSL key file just fine.  And the log file does show that
SSL records are identified and processed.

But, I still can't see the data in the 'application data' packets.

I've included below part of the contents of the SSL debug file.  Frames
312, 394 and 510 are the application data frames.  Do you see any reason
why they weren't decoded?

I'll copy and try the latest Wireshark (0.99.5pre2) now.

Thanks!
tl

ssl_init keys string 192.168.11.114,4433,data,/tmp/server.key
ssl_init found host entry 192.168.11.114,4433,data,/tmp/server.key
ssl_init addr 192.168.11.114 port 4433 filename /tmp/server.key
ssl_get_version: 1.0.8
ssl_load_key: swapping p and q parametes
ssl_init private key file /tmp/server.key successfully loaded
.
.
.
dissect_ssl enter frame #312
dissect_ssl3_record: content_type 23
decrypt_ssl3_record: app_data len 32 ssl state 13
decrypt_ssl3_record: no session key
association_find: TCP port 24531 found (nil)
association_find: TCP port 4433 found 0x8554540
dissect_ssl3_record: content_type 23
decrypt_ssl3_record: app_data len 32 ssl state 13
decrypt_ssl3_record: no session key
association_find: TCP port 24531 found (nil)
association_find: TCP port 4433 found 0x8554540
dissect_ssl enter frame #394
dissect_ssl3_record: content_type 23
decrypt_ssl3_record: app_data len 32 ssl state 13
decrypt_ssl3_record: no session key
association_find: TCP port 24531 found (nil)
association_find: TCP port 4433 found 0x8554540
dissect_ssl3_record: content_type 23
decrypt_ssl3_record: app_data len 32 ssl state 13
decrypt_ssl3_record: no session key
association_find: TCP port 24531 found (nil)
association_find: TCP port 4433 found 0x8554540
dissect_ssl enter frame #510
dissect_ssl3_record: content_type 23
decrypt_ssl3_record: app_data len 32 ssl state 13
decrypt_ssl3_record: no session key
association_find: TCP port 24531 found (nil)
association_find: TCP port 4433 found 0x8554540
dissect_ssl3_record: content_type 23
decrypt_ssl3_record: app_data len 32 ssl state 13
decrypt_ssl3_record: no session key
association_find: TCP port 24531 found (nil)
association_find: TCP port 4433 found 0x8554540


>Hi, 

>try to enable SSL debug output (with setting debug file in SSL
>preferences).
>Either you will see in the file what goes wrong or you can send it
here.
>
>BTW if it is possible skip to version 0.99.5pre2 which contains a
little
>bit better debug SSL output.
>
>Tomas

_______________________________________________
Wireshark-users mailing list
Wireshark-users@xxxxxxxxxxxxx
http://www.wireshark.org/mailman/listinfo/wireshark-users