Wireshark mailing list archives

Re: Need help with decrypting wireshark data....


From: Al <shaselai () yahoo com>
Date: Thu, 14 Oct 2010 13:24:02 -0700 (PDT)

OK,
I found this message:

decrypt_ssl3_record: using server decoder
decrypt_ssl3_record: no decoder available
dissect_ssl3_handshake iteration 1 type 2 offset 5 length 70 bytes, remaining 4690 
dissect_ssl3_hnd_hello_common found SERVER RANDOM -> state 0x13
dissect_ssl3_hnd_srv_hello found CIPHER 0x0004 -> state 0x17
dissect_ssl3_hnd_srv_hello trying to generate keys
ssl_generate_keyring_material not enough data to generate key (0x17 required 0x37 or 0x57)
dissect_ssl3_hnd_srv_hello can't generate keyring material

It seems the server decoder isn't available - how do I make it available or select some other decoder? I am kinda stuck on this... Thanks!

--- On Thu, 10/14/10, Al <shaselai () yahoo com> wrote:

From: Al <shaselai () yahoo com>
Subject: Re: [Wireshark-dev] Need help with decrypting wireshark data....
To: wireshark-dev () wireshark org
Date: Thursday, October 14, 2010, 3:11 PM
I am pretty sure I am on the right server, since the key is loaded and I checked netstat and found the IP of the webservice... But still, from Wireshark, the client basically does the handshake and cert check with the server, and then afterwards the server just sends "fin" and ends it.... Really not sure what's going on here...

--- On Wed, 10/13/10, Al <shaselai () yahoo com> wrote:

From: Al <shaselai () yahoo com>
Subject: Need help with decrypting wireshark data....
To: wireshark-dev () wireshark org
Date: Wednesday, October 13, 2010, 5:13 PM
I followed a guide where I extracted my private key and inserted it into the SSL preferences of Wireshark like:

123.456.55.678,443,http,C:\testkey.pem

I tried both http and https - I thought since I am talking to the server in https it might be https? Anyway, both failed to decrypt (I still see jargon raw data when I view the TCP stream). The debug log gives me:


ssl_association_remove removing TCP 443 - http handle 03164D48
ssl_init keys string:
123.456.55.678,443,http,C:\testkey.pem
ssl_init found host entry 123.456.55.678,443,http,C:\testkey.pem
ssl_init addr '123.456.55.678' port '443' filename 'C:\testkey.pem' password(only for p12 file) '(null)'
Private key imported: KeyID 01:31:a7:9e:fc:94:8b:08:2f:17:65:13:20:f9:d3:81:...
ssl_init private key file C:\testkey.pem successfully loaded
association_add TCP port 443 protocol http handle 03164D48

dissect_ssl enter frame #4 (first time)
ssl_session_init: initializing ptr 04E41BAC size 584
  conversation = 04E41868, ssl_session = 04E41BAC
  record: offset = 0, reported_length_remaining = 100
packet_from_server: is from server - FALSE
ssl_find_private_key server 123.456.55.678:443
client random len: 32 padded to 32
dissect_ssl2_hnd_client_hello found CLIENT RANDOM -> state 0x01
........


So it seems the key has been found and loaded BUT when I check the STOPPED TCP stream it is still all jargon... What am I doing wrong here? Thanks

___________________________________________________________________________
Sent via:    Wireshark-dev mailing list <wireshark-dev () wireshark org>
Archives:    http://www.wireshark.org/lists/wireshark-dev
Unsubscribe: https://wireshark.org/mailman/options/wireshark-dev
             mailto:wireshark-dev-request () wireshark org?subject=unsubscribe
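
Added example, not part of the original message or of Wireshark: a small parser for the `ssl_generate_keyring_material` line in the debug log quoted above, reporting which state bits the dissector held and which it still needed. The bit names are an assumption based on Wireshark's SSL dissector headers of that era; only the hex values come from the log.

```python
import re

# Assumed names for the dissector's state bits; only the hex values
# themselves appear in the debug log on this page.
STATE_BITS = {
    0x01: "client random",
    0x02: "server random",
    0x04: "cipher suite",
    0x08: "session key",
    0x10: "protocol version",
    0x20: "master secret",
    0x40: "pre-master secret",
}

KEYRING_RE = re.compile(
    r"ssl_generate_keyring_material not enough data to generate key "
    r"\((0x[0-9a-fA-F]+) required (0x[0-9a-fA-F]+) or (0x[0-9a-fA-F]+)\)"
)

def names(mask):
    """Translate a state bitmask into the list of named bits that are set."""
    return [name for bit, name in sorted(STATE_BITS.items()) if mask & bit]

def explain_keyring_failures(log_text):
    """One dict per failure line: bits held, and bits missing per alternative."""
    results = []
    for m in KEYRING_RE.finditer(log_text):
        have, *required = (int(g, 16) for g in m.groups())
        results.append({
            "have": names(have),
            "missing": [names(req & ~have) for req in required],
        })
    return results

# Sample input: the debug lines quoted in the message above.
SAMPLE_LOG = """\
dissect_ssl3_hnd_hello_common found SERVER RANDOM -> state 0x13
dissect_ssl3_hnd_srv_hello found CIPHER 0x0004 -> state 0x17
dissect_ssl3_hnd_srv_hello trying to generate keys
ssl_generate_keyring_material not enough data to generate key (0x17 required 0x37 or 0x57)
dissect_ssl3_hnd_srv_hello can't generate keyring material
"""

if __name__ == "__main__":
    for r in explain_keyring_failures(SAMPLE_LOG):
        print("have:   ", ", ".join(r["have"]))
        for alt in r["missing"]:
            print("missing:", ", ".join(alt))
```

In a full handshake the pre-master secret travels in the ClientKeyExchange, which follows the ServerHello, so neither secret bit can be set at the point where this log line is emitted.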