Wireshark mailing list archives
Re: Trying to decode sshv2 traffic
From: Luis EG Ontanon <luis () ontanon org>
Date: Tue, 17 Jun 2014 16:28:19 -0500
To handle Diffie-Hellman exchanges what should be implemented is a credentials-leaking protocol. Two components, one in the ssh library that somehow leaks the credentials, and one in Wireshark that uses the leaked info to configure decryption. IMHO using TCP OOB would be excellent as it would match the same tcp filter, but it has the problem that it goes all the way so is visible in the entire path. Other alternative would be targeting UDP packets towards the sniffer... Both create a major risk, but they can be very helpful for development. On Tue, Jun 17, 2014 at 4:17 PM, M Holt <m.iostreams () gmail com> wrote:
SSH uses Diffie-Hellman key exchange, which creates a shared 'ephemeral' key for encryption. As such, there is no current method of decrypting this type of traffic. For more info, take a look here: http://en.wikipedia.org/wiki/Diffie%E2%80%93Hellman_key_exchange On Tue, Jun 17, 2014 at 1:41 PM, Ahmed Zaki <ahmed.mahmoudzaki () gmail com> wrote:Thank you Jeff. Do you think we can submit it as a future enhancement? On Tue, Jun 17, 2014 at 8:16 PM, Jeff Morriss <jeff.morriss.ws () gmail com> wrote:On 06/17/14 12:59, Ahmed Zaki wrote:Dear All, I captured SSHV2 trace file between two servers, I want to see the decrypted packets. Any ideas about how I can decrypt the packets? I believe it is possible to collect the public keys from both servers, Is this going to help?Unfortunately, no. The SSH dissector in Wireshark is not able to decrypt SSH packets. See: http://wiki.wireshark.org/SSH ___________________________________________________________________________ Sent via: Wireshark-users mailing list <wireshark-users () wireshark org> Archives: http://www.wireshark.org/lists/wireshark-users Unsubscribe: https://wireshark.org/mailman/options/wireshark-users mailto:wireshark-users-request () wireshark org?subject=unsubscribe___________________________________________________________________________ Sent via: Wireshark-users mailing list <wireshark-users () wireshark org> Archives: http://www.wireshark.org/lists/wireshark-users Unsubscribe: https://wireshark.org/mailman/options/wireshark-users mailto:wireshark-users-request () wireshark org?subject=unsubscribe___________________________________________________________________________ Sent via: Wireshark-users mailing list <wireshark-users () wireshark org> Archives: http://www.wireshark.org/lists/wireshark-users Unsubscribe: https://wireshark.org/mailman/options/wireshark-users mailto:wireshark-users-request () wireshark org?subject=unsubscribe
-- This information is top security. When you have read it, destroy yourself. -- Marshall McLuhan ___________________________________________________________________________ Sent via: Wireshark-users mailing list <wireshark-users () wireshark org> Archives: http://www.wireshark.org/lists/wireshark-users Unsubscribe: https://wireshark.org/mailman/options/wireshark-users mailto:wireshark-users-request () wireshark org?subject=unsubscribe
Current thread:
- Trying to decode sshv2 traffic Ahmed Zaki (Jun 17)
- Re: Trying to decode sshv2 traffic Jeff Morriss (Jun 17)
- Re: Trying to decode sshv2 traffic Ahmed Zaki (Jun 17)
- Re: Trying to decode sshv2 traffic M Holt (Jun 17)
- Re: Trying to decode sshv2 traffic Luis EG Ontanon (Jun 17)
- Re: Trying to decode sshv2 traffic Evan Huus (Jun 17)
- Re: Trying to decode sshv2 traffic Ahmed Zaki (Jun 17)
- Re: Trying to decode sshv2 traffic Jeff Morriss (Jun 17)