Wireshark mailing list archives

Re: ssl.handshake and ring buffer capture


From: "John () johnmodlin com" <john () johnmodlin com>
Date: Thu, 15 Jul 2010 14:39:09 -0400

That's what I was considering but was hoping I wouldn't have to. Thank you for your suggestion.

John Modlin
John () johnmodlin com
(859)324-1560 cell

On Jul 15, 2010, at 10:45 AM, Sake Blok <sake () euronet nl> wrote:

On 15 jul 2010, at 14:25, John Modlin wrote:

I've set up tshark to do a nightly capture and include SSL traffic. The decryption is working great. The problem I have is I'm keeping files to a 50 MB size so the files are manageable in Wireshark to view and filter. The captures can be several hundred MB. The decryption works great in the 1st capture file from the ring buffer where the ssl.handshake info exists, but the subsequent files from the ring buffer don't have that information in them of course, and consequently Wireshark does not then decrypt the subsequent files.
Is there an eloquent way to handle this?

You could extract each individual SSL session (including sessions that reuse the negotiated keys) to a file of its own and then do decryption on the new files. Of course you lose the dependency between the sessions, but having the unencrypted form next to the integral tracefiles will still give you a pretty good view on things.

The extraction can be automated with a script, but it is not trivial (because of the session reuse).

Cheers,


Sake


___________________________________________________________________________
Sent via:    Wireshark-users mailing list <wireshark-users () wireshark org>
Archives:    http://www.wireshark.org/lists/wireshark-users
Unsubscribe: https://wireshark.org/mailman/options/wireshark-users
             mailto:wireshark-users-request () wireshark org?subject=unsubscribe
___________________________________________________________________________

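The hard part of Sake's suggestion is the "session reuse" he mentions: a TLS connection that resumes an earlier session by session ID runs an abbreviated handshake with no key exchange, so on its own it can never be decrypted; it has to be extracted together with the stream that did the full handshake, even when that stream lives in an earlier ring-buffer file. The script below is an added example, not code from the thread or from the Wireshark project. It parses the session ID out of ClientHello/ServerHello records, tells full handshakes from resumptions, groups every resumed stream with the stream its master secret came from, flags resumptions whose original handshake was never captured, and emits a per-file tshark display filter for each group. The file names, tcp.stream numbers and hello records are all constructed for the example. It handles session-ID resumption only, not RFC 5077 session tickets, and the underlying decryption works only for RSA key exchange in any case.

```python
"""Group TLS streams so resumed sessions travel with the full handshake they depend on.
Added example for the thread above; file names, stream numbers and TLS records are constructed."""
import struct
from collections import defaultdict

HANDSHAKE = 0x16                      # TLS record content type
CLIENT_HELLO, SERVER_HELLO = 1, 2     # handshake message types


def parse_hello(record: bytes):
    """Return (msg_type, session_id) from a handshake record holding a Client/ServerHello, else None."""
    if len(record) < 5 or record[0] != HANDSHAKE:
        return None
    rec_len = struct.unpack('!H', record[3:5])[0]
    body = record[5:5 + rec_len]
    if len(body) < rec_len or len(body) < 4:          # truncated record: refuse rather than guess
        return None
    msg_type = body[0]
    hs_len = int.from_bytes(body[1:4], 'big')
    hs = body[4:4 + hs_len]
    # Hello body: version(2) random(32) session_id_len(1) session_id ...
    if msg_type not in (CLIENT_HELLO, SERVER_HELLO) or len(hs) < 35:
        return None
    sid_len = hs[34]
    if sid_len > 32 or len(hs) < 35 + sid_len:
        return None
    return msg_type, hs[35:35 + sid_len]


def classify(client_hello: bytes, server_hello: bytes):
    """'resumed' when the server echoes the client's session ID (abbreviated handshake, no key
    exchange on the wire); otherwise 'full'. Returns (kind, session_id the server assigned/echoed)."""
    c, s = parse_hello(client_hello), parse_hello(server_hello)
    if not c or not s or c[0] != CLIENT_HELLO or s[0] != SERVER_HELLO:
        raise ValueError('need one ClientHello and one ServerHello record')
    csid, ssid = c[1], s[1]
    if ssid and ssid == csid:
        return 'resumed', ssid
    return 'full', ssid               # empty ssid means the server will not allow resumption


def group_streams(streams):
    """streams: list of dict(file, stream, client_hello, server_hello) in capture order.
    Returns (groups, orphans). groups maps the (file, stream) of each full handshake to all
    (file, stream) that depend on it, itself first. orphans are resumptions whose full handshake
    was never captured (e.g. it predates the oldest ring-buffer file); those cannot be decrypted."""
    master_of, groups, orphans = {}, {}, []
    for st in streams:
        key = (st['file'], st['stream'])
        kind, sid = classify(st['client_hello'], st['server_hello'])
        if kind == 'full':
            groups[key] = [key]
            if sid:
                master_of[sid] = key  # later resumptions of this ID depend on this stream
        elif sid in master_of:
            groups[master_of[sid]].append(key)
        else:
            orphans.append(key)
    return groups, orphans


def tshark_filters(members):
    """Per-file display filter selecting the group's streams, for
    tshark -r FILE -Y FILTER -w part.pcap, after which the parts are joined with mergecap."""
    by_file = defaultdict(list)
    for f, s in members:
        by_file[f].append(s)
    return {f: ' || '.join(f'tcp.stream == {s}' for s in sorted(ss)) for f, ss in by_file.items()}


def make_hello(msg_type: int, session_id: bytes) -> bytes:
    """Constructed minimal hello record: enough structure for parse_hello, not a real handshake."""
    body = b'\x03\x01' + b'\x00' * 32 + bytes([len(session_id)]) + session_id
    body += b'\x00\x02\x00\x2f\x01\x00' if msg_type == CLIENT_HELLO else b'\x00\x2f\x00'
    hs = bytes([msg_type]) + len(body).to_bytes(3, 'big') + body
    return bytes([HANDSHAKE]) + b'\x03\x01' + struct.pack('!H', len(hs)) + hs


SID_A, SID_B = bytes(range(1, 33)), b'\xaa' * 32          # constructed session IDs
SAMPLE = [  # constructed ring-buffer contents
    dict(file='cap_00001.pcap', stream=0, client_hello=make_hello(CLIENT_HELLO, b''),
         server_hello=make_hello(SERVER_HELLO, SID_A)),          # full handshake, assigns SID_A
    dict(file='cap_00002.pcap', stream=4, client_hello=make_hello(CLIENT_HELLO, SID_A),
         server_hello=make_hello(SERVER_HELLO, SID_A)),          # resumes SID_A: no key exchange here
    dict(file='cap_00002.pcap', stream=9, client_hello=make_hello(CLIENT_HELLO, b'\x55' * 32),
         server_hello=make_hello(SERVER_HELLO, SID_B)),          # stale ID rejected: full handshake, SID_B
    dict(file='cap_00003.pcap', stream=1, client_hello=make_hello(CLIENT_HELLO, SID_B),
         server_hello=make_hello(SERVER_HELLO, SID_B)),          # resumes SID_B
    dict(file='cap_00003.pcap', stream=2, client_hello=make_hello(CLIENT_HELLO, b'\x77' * 32),
         server_hello=make_hello(SERVER_HELLO, b'\x77' * 32)),   # resumes a session captured nowhere
]

if __name__ == '__main__':
    groups, orphans = group_streams(SAMPLE)
    for master, members in groups.items():
        print(master, '->', tshark_filters(members))
    print('not decryptable (full handshake not captured):', orphans)
```

Each group then becomes one decryptable trace: run tshark with the per-file filter on every file named in the group, mergecap the parts, and point the SSL dissector's RSA keys list at the result. Stream numbering restarts in every ring-buffer file, which is why the filters are kept per file rather than written as one expression.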