Wireshark-users: Re: [Wireshark-users] tshark option to decrypt SSL?
From: James Hozier <guitarscn1@xxxxxxxxx>
Date: Thu, 9 Sep 2010 09:47:11 -0700 (PDT)
> From: James Hozier <guitarscn1@xxxxxxxxx>
> Subject: Re: [Wireshark-users] tshark option to decrypt SSL?
> To: "Community support list for Wireshark" <wireshark-users@xxxxxxxxxxxxx>
> Date: Thursday, September 9, 2010, 4:13 PM
> > From: Sake Blok <sake@xxxxxxxxxx>
> > Subject: Re: [Wireshark-users] tshark option to decrypt SSL?
> > To: "Community support list for Wireshark" <wireshark-users@xxxxxxxxxxxxx>
> > Date: Thursday, September 9, 2010, 4:03 PM
> > On 9 sep 2010, at 17:51, James Hozier wrote:
> > 
> > > I get the error: can't load private key from /home/unreal/Unreal3.2/server.key.pem
> > > 
> > > Inside server.key.pem is:
> > > -----BEGIN PRIVATE KEY-----
> > > -----END PRIVATE KEY-----
> > > 
> > > And between those lines is the private key. There is nothing else.
> > > 
> > > Why can it not load? 
> > 
> > It should read:
> > 
> > -----BEGIN RSA PRIVATE KEY-----
> > 
> > You can use openssl to convert your key from PKCS#8 to PKCS#1.
> > 
> > See:  http://www.wireshark.org/lists/wireshark-users/200911/msg00033.html
> > 
> > Cheers,
> > 
> > 
> > Sake
> > 
> 
> Hmmm...I did: $ openssl pkcs8 -in server.key.pem -out
> newserver.key.pem -nocrypt
> 
> And it ran with no errors or warnings, yet when I checked
> the newserver.key.pem file, it is exactly the same as the
> original server.key.pem and Wireshark cannot read it.
> Strange...
> 

Okay, so I ran:
$ openssl rsa -in server.key.pem -out newserver.key.pem

And it seems to have done the job (but I'm not quite sure) because I ran
Wireshark and it started capturing successfully without any error.

But, it's not capturing at all...0 packets even though I am creating
traffic on IRC on the SSL port. I tried different combinations of
options:

$ tshark -V -tad -lnx -o ssl.keys_list:127.0.0.1,4040,irc,/home/unreal/Unreal3.2/newserver.key.pem -R 'irc'

$ tshark -V -i en1 -tad -lnx -o ssl.keys_list:127.0.0.1,4040,irc,/home/unreal/Unreal3.2/newserver.key.pem -d tcp.port==4040,irc -R 'irc' -f 'tcp port 4040'

And a whole bunch of other combinations thereof. Maybe the key was not
properly converted?
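
One way to check whether a conversion like the ones in this thread changed the key's actual encoding is to look at its ASN.1 layout: PKCS#1 has an INTEGER (the modulus) after the version, PKCS#8 has a SEQUENCE (the algorithm identifier). This is an added example, not part of the original messages or of Wireshark; `classify_key`, `read_tlv` and the sample keys are hypothetical names and constructed data.

```python
import base64
import re

PEM_RE = re.compile(r"-----BEGIN ([A-Z0-9 ]+)-----\s*(.*?)\s*-----END \1-----", re.S)
SECOND_TAG = {0x02: "PKCS#1 RSAPrivateKey",   # INTEGER modulus follows the version
              0x30: "PKCS#8 PrivateKeyInfo"}  # SEQUENCE AlgorithmIdentifier follows it

def read_tlv(buf, pos):
    """Return (tag, value_start, value_end) of the DER element at pos."""
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:                 # long form: low 7 bits count the length bytes
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, pos, pos + length

def classify_key(pem_text):
    """Return (pem_label, der_structure) for the first PEM block in pem_text."""
    m = PEM_RE.search(pem_text)
    if not m:
        raise ValueError("no PEM block found")
    der = base64.b64decode(m.group(2))
    tag, start, _ = read_tlv(der, 0)
    if tag != 0x30:
        raise ValueError("outer element is not an ASN.1 SEQUENCE")
    first_tag, _, after_first = read_tlv(der, start)
    if first_tag != 0x02:             # no leading version INTEGER (e.g. encrypted PKCS#8)
        return m.group(1), "unknown"
    return m.group(1), SECOND_TAG.get(der[after_first], "unknown")

def _der(tag, body):                  # short-form lengths only; enough for the samples
    return bytes([tag, len(body)]) + body

def _pem(label, der):
    return f"-----BEGIN {label}-----\n{base64.b64encode(der).decode()}\n-----END {label}-----\n"

# Constructed samples: correct outer ASN.1 layout with toy numbers, not usable keys.
_VERSION = _der(0x02, b"\x00")
_TOY_RSA = _der(0x30, _VERSION + _der(0x02, b"\x00\xc3") + _der(0x02, b"\x03"))
_RSA_ALG = _der(0x30, _der(0x06, bytes.fromhex("2a864886f70d010101")) + _der(0x05, b""))
SAMPLE_PKCS1 = _pem("RSA PRIVATE KEY", _TOY_RSA)
SAMPLE_PKCS8 = _pem("PRIVATE KEY", _der(0x30, _VERSION + _RSA_ALG + _der(0x04, _TOY_RSA)))

if __name__ == "__main__":
    for name, sample in (("before", SAMPLE_PKCS8), ("after", SAMPLE_PKCS1)):
        print(name, classify_key(sample))
```

Passing the text of a key file to `classify_key` shows whether its PEM label and its DER structure agree, which a header-only comparison cannot tell.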