Wireshark mailing list archives

Previous By Date Next
Previous By Thread Next

Re: Need help with decrypting wireshark data....

From: Al <shaselai () yahoo com>
Date: Thu, 14 Oct 2010 12:11:51 -0700 (PDT)
I am pretty sure i am on the right server since the key is loaded and i checked netstat and found the ip of the 
webservice... but still from wire shark the client basically does handshake and cert check with server and then 
afterwards server just sends "fin" and ends it.... really not sure whats going on here...

--- On Wed, 10/13/10, Al <shaselai () yahoo com> wrote:


From: Al <shaselai () yahoo com>
Subject: Need help with decrypting wireshark data....
To: wireshark-dev () wireshark org
Date: Wednesday, October 13, 2010, 5:13 PM
I followed a guide where I extracted
my private key and insert it into the SSL from wireshark
preferences like:

123.456.55.678,443,http,C:\testkey.pem

I tried both http and https - i thought since i am talking
to server in https it might be https? Anyway, both failed to
decrypt (still see jargon raw data when i view TCP stream.
The debug log gives me:


ssl_association_remove removing TCP 443 - http handle
03164D48
ssl_init keys string:
123.456.55.678,443,http,C:\testkey.pem
ssl_init found host entry
123.456.55.678,443,http,C:\testkey.pem
ssl_init addr '123.456.55.678' port '443' filename
'C:\testkey.pem' password(only for p12 file) '(null)'
Private key imported: KeyID
01:31:a7:9e:fc:94:8b:08:2f:17:65:13:20:f9:d3:81:...
ssl_init private key file C:\testkey.pem successfully
loaded
association_add TCP port 443 protocol http handle 03164D48

dissect_ssl enter frame #4 (first time)
ssl_session_init: initializing ptr 04E41BAC size 584
  conversation = 04E41868, ssl_session = 04E41BAC
  record: offset = 0, reported_length_remaining = 100
packet_from_server: is from server - FALSE
ssl_find_private_key server 123.456.55.678:443
client random len: 32 padded to 32
dissect_ssl2_hnd_client_hello found CLIENT RANDOM ->
state 0x01
........


So it seems the key has been found and loaded BUT when i
check the STOPPED TCP stream it is still all jargon... what
am i doing wrong here? thanks




      




      
___________________________________________________________________________
Sent via:    Wireshark-dev mailing list <wireshark-dev () wireshark org>
Archives:    http://www.wireshark.org/lists/wireshark-dev
Unsubscribe: https://wireshark.org/mailman/options/wireshark-dev
             mailto:wireshark-dev-request () wireshark org?subject=unsubscribe
Previous By Date Next
Previous By Thread Next

Current thread: