Wireshark · Wireshark-users: [Wireshark-users] wireshark ssl decryption for dummies

Wireshark-users: [Wireshark-users] wireshark ssl decryption for dummies

From: Andrew Schweitzer <a.schweitzer.grps@xxxxxxxxx>

Date: Tue, 12 Sep 2006 10:23:14 -0400

Hello, I'm trying to decrypt some SSL traffic.

The connection initiator talk to port 37000. It talks a proprietaryprotocol (one not present in wireshark). I have the keys of theinitiator and the listener. I am capturing on the listener. What shouldmy RSA keys list be?


Should it be:
127.0.0.1,3700,3700,e:\keys\initiator.key?
or maybe
127.0.0.1,3700,3700,e:\keys\listener.key?

I don't get decrypted data in either case. SSL log says, in second case:

===Begin SSL log===
ssl_init keys string 127.0.0.1,37000,37000,c:\keys\initiator.key
ssl_init found host entry 127.0.0.1,37000,37000,c:\keys\initiator.key
ssl_init addr 127.0.0.1 port 37000 filename c:\keys\initiator.key
ssl_get_version: 1.5.0
ssl_init private key file c:\keys\initiator.key successfully loaded
association_add port 37000 protocol 37000 handle 00000000
===End SSL log===

Can decryption only occur if the conversation is sniffed from itsbeginning?


Do I need both initiator and listener keys?

Why is there both a port and protocol specified? How would youdifferentiate two protocols on the same port? What if the protocol isunknown, (or at least there's no dissector for it?)


Thanks

Follow-Ups:
- Re: [Wireshark-users] wireshark ssl decryption for dummies
  - From: ronnie sahlberg

Prev by Date: [Wireshark-users] Wireshark will not launch
Next by Date: [Wireshark-users] Intel 3945ABG promiscuous mode
Previous by thread: [Wireshark-users] Wireshark will not launch
Next by thread: Re: [Wireshark-users] wireshark ssl decryption for dummies
Index(es):
- Date
- Thread