Wireshark-users: Re: [Wireshark-users] How to decode non-standard SSL traffic
From: "Kukosa, Tomas" <tomas.kukosa@xxxxxxxxxxx>
Date: Mon, 22 Jan 2007 20:38:25 +0100
Hi,
 
you can use 'data' protocol. It just dumps block of bytes.
 
Regards,
  Tomas

________________________________

Od: wireshark-users-bounces@xxxxxxxxxxxxx za uživatele lemons_terry@xxxxxxx
Odesláno: po 22.1.2007 20:20
Komu: wireshark-users@xxxxxxxxxxxxx
Předmět: [Wireshark-users] How to decode non-standard SSL traffic



Hi 

I've successfully used the rsasnakeoil2 capture file, key file and instructions to decode the encrypted content of an SSL session using Wireshark.  Now, I'd like to do the same thing for several other sessions, including:

*	An openssl s_client/s_server session 
*	A client/server session involving a proprietary product 
	

I know that the way to decode the SSL traffic is to provide four items of information to Wireshark's Edit ... Preferences ... Protocols ... SSL ... 'RSA keys list' box:

<ip>,<port>,<protocol>,<key> 

When I'm decoding a SSL-encrypted HTTP session, the values to put in 'port' and 'protocol' are obvious.  But what about an openssl s_client/s_server session?  I can see that the port is 4433 (which can be over-ridden).  But what would the 'protocol' value be for openssl s_server?  And, what 'protocol' value would I use for a proprietary client/server application?  Is there some generic 'just dump out the text' protocol I should use?

Thanks! 
tl 

Terry Lemons
CLARiiON Appliance Engineering
CLARiiON Application Solutions Integration
EMC2
where information lives
4400 Computer Drive, MS D239
Westboro MA 01580
Phone: 508 898 7312
Email: Lemons_Terry@xxxxxxx <mailto:Lemons_Terry@xxxxxxx>  
    

<<winmail.dat>>