Wireshark-users: Re: [Wireshark-users] How to decode non-standard SSL traffic
From: "Kukosa, Tomas" <tomas.kukosa@xxxxxxxxxxx>
Date: Tue, 23 Jan 2007 16:25:57 +0100
It seems that some unknown cipher suite is used:

dissect_ssl3_hnd_srv_hello can't find cipher suite 39 

39 looks like TLS1_CK_DHE_RSA_WITH_AES_256_SHA.
Is it possible?


-----Original Message-----
From: wireshark-users-bounces@xxxxxxxxxxxxx
[mailto:wireshark-users-bounces@xxxxxxxxxxxxx] On Behalf Of
lemons_terry@xxxxxxx
Sent: Tuesday, January 23, 2007 3:51 PM
To: wireshark-users@xxxxxxxxxxxxx
Subject: Re: [Wireshark-users] How to decode non-standard SSL traffic

Thanks for the reply.  I have no idea why it isn't decoding.  I've
attached the whole ssl debug file.  Any clues?  What else can I do to
help debug this?

Thanks
tl

ssl_init keys string 192.168.11.114,4433,data,/tmp/server.key
ssl_init found host entry 192.168.11.114,4433,data,/tmp/server.key
ssl_init addr 192.168.11.114 port 4433 filename /tmp/server.key
ssl_get_version: 1.0.8
ssl_load_key: swapping p and q parametes
ssl_init private key file /tmp/server.key successfully loaded
association_add TCP port 4433 protocol data handle 0x8288d08
association_find: TCP port 443 found 0x8507500
ssl_association_remove removing TCP 443 - http handle 0x82eb880
association_add TCP port 443 protocol http handle 0x82eb880
association_find: TCP port 636 found 0x8519388
ssl_association_remove removing TCP 636 - ldap handle 0x830f260
association_add TCP port 636 protocol ldap handle 0x830f260
association_find: TCP port 993 found 0x85193b0
ssl_association_remove removing TCP 993 - imap handle 0x82f9ec0
association_add TCP port 993 protocol imap handle 0x82f9ec0
association_find: TCP port 995 found 0x85193e8
ssl_association_remove removing TCP 995 - pop handle 0x8363088
association_add TCP port 995 protocol pop handle 0x8363088
dissect_ssl enter frame #254
ssl_session_init: initializing ptr 0x4235eae0 size 568
association_find: TCP port 24531 found (nil)
packet_from_server: is from server 0
dissect_ssl server 192.168.11.114:4433
client random len: 32 padded to 32
dissect_ssl enter frame #262
dissect_ssl3_record: content_type 22
decrypt_ssl3_record: app_data len 74 ssl state 11
decrypt_ssl3_record: no session key
dissect_ssl3_handshake iteration 1 type 2 offset 5 length 70 bytes,
remaining 79 
dissect_ssl3_hnd_hello_common found random state 13
dissect_ssl3_hnd_srv_hello can't find cipher suite 39
dissect_ssl3_record: content_type 22
decrypt_ssl3_record: app_data len 922 ssl state 13
decrypt_ssl3_record: no session key
dissect_ssl3_handshake iteration 1 type 11 offset 84 length 918 bytes,
remaining 1006 
dissect_ssl3_record: content_type 22
decrypt_ssl3_record: app_data len 269 ssl state 13
decrypt_ssl3_record: no session key
dissect_ssl3_handshake iteration 1 type 12 offset 1011 length 265 bytes,
remaining 1280 
dissect_ssl3_record: content_type 22
decrypt_ssl3_record: app_data len 4 ssl state 13
decrypt_ssl3_record: no session key
dissect_ssl3_handshake iteration 1 type 14 offset 1285 length 0 bytes,
remaining 1289 
dissect_ssl enter frame #266
dissect_ssl3_record: content_type 22
decrypt_ssl3_record: app_data len 70 ssl state 13
decrypt_ssl3_record: no session key
dissect_ssl3_handshake iteration 1 type 16 offset 5 length 66 bytes,
remaining 75 
dissect_ssl3_handshake found SSL_HND_CLIENT_KEY_EXCHG state 13
dissect_ssl3_handshake not enough data to generate key (required 17)
dissect_ssl3_record: content_type 20
dissect_ssl3_change_cipher_spec
dissect_ssl3_record: content_type 22
decrypt_ssl3_record: app_data len 48 ssl state 13
decrypt_ssl3_record: no session key
dissect_ssl3_handshake iteration 1 type 105 offset 86 length 4484948
bytes, remaining 134 
dissect_ssl enter frame #267
dissect_ssl3_record: content_type 20
dissect_ssl3_change_cipher_spec
dissect_ssl3_record: content_type 22
decrypt_ssl3_record: app_data len 48 ssl state 13
decrypt_ssl3_record: no session key
dissect_ssl3_handshake iteration 1 type 247 offset 11 length 11649299
bytes, remaining 59 
dissect_ssl enter frame #312
dissect_ssl3_record: content_type 23
decrypt_ssl3_record: app_data len 32 ssl state 13
decrypt_ssl3_record: no session key
association_find: TCP port 24531 found (nil)
association_find: TCP port 4433 found 0x8554540
dissect_ssl3_record: content_type 23
decrypt_ssl3_record: app_data len 32 ssl state 13
decrypt_ssl3_record: no session key
association_find: TCP port 24531 found (nil)
association_find: TCP port 4433 found 0x8554540
dissect_ssl enter frame #394
dissect_ssl3_record: content_type 23
decrypt_ssl3_record: app_data len 32 ssl state 13
decrypt_ssl3_record: no session key
association_find: TCP port 24531 found (nil)
association_find: TCP port 4433 found 0x8554540
dissect_ssl3_record: content_type 23
decrypt_ssl3_record: app_data len 32 ssl state 13
decrypt_ssl3_record: no session key
association_find: TCP port 24531 found (nil)
association_find: TCP port 4433 found 0x8554540
dissect_ssl enter frame #510
dissect_ssl3_record: content_type 23
decrypt_ssl3_record: app_data len 32 ssl state 13
decrypt_ssl3_record: no session key
association_find: TCP port 24531 found (nil)
association_find: TCP port 4433 found 0x8554540
dissect_ssl3_record: content_type 23
decrypt_ssl3_record: app_data len 32 ssl state 13
decrypt_ssl3_record: no session key
association_find: TCP port 24531 found (nil)
association_find: TCP port 4433 found 0x8554540
dissect_ssl enter frame #536
dissect_ssl3_record: content_type 21
decrypt_ssl3_record: app_data len 32 ssl state 13
decrypt_ssl3_record: no session key
dissect_ssl enter frame #254
dissect_ssl enter frame #262
dissect_ssl3_record: content_type 22
dissect_ssl3_handshake iteration 1 type 2 offset 5 length 70 bytes,
remaining 79 
dissect_ssl3_record: content_type 22
dissect_ssl3_handshake iteration 1 type 11 offset 84 length 918 bytes,
remaining 1006 
dissect_ssl3_record: content_type 22
dissect_ssl3_handshake iteration 1 type 12 offset 1011 length 265 bytes,
remaining 1280 
dissect_ssl3_record: content_type 22
dissect_ssl3_handshake iteration 1 type 14 offset 1285 length 0 bytes,
remaining 1289 
dissect_ssl enter frame #266
dissect_ssl3_record: content_type 22
dissect_ssl3_handshake iteration 1 type 16 offset 5 length 66 bytes,
remaining 75 
dissect_ssl3_record: content_type 20
dissect_ssl3_change_cipher_spec
dissect_ssl3_record: content_type 22
dissect_ssl3_handshake iteration 1 type 105 offset 86 length 4484948
bytes, remaining 134 
dissect_ssl enter frame #267
dissect_ssl3_record: content_type 20
dissect_ssl3_change_cipher_spec
dissect_ssl3_record: content_type 22
dissect_ssl3_handshake iteration 1 type 247 offset 11 length 11649299
bytes, remaining 59 
dissect_ssl enter frame #312
dissect_ssl3_record: content_type 23
association_find: TCP port 24531 found (nil)
association_find: TCP port 4433 found 0x8554540
dissect_ssl3_record: content_type 23
association_find: TCP port 24531 found (nil)
association_find: TCP port 4433 found 0x8554540
dissect_ssl enter frame #394
dissect_ssl3_record: content_type 23
association_find: TCP port 24531 found (nil)
association_find: TCP port 4433 found 0x8554540
dissect_ssl3_record: content_type 23
association_find: TCP port 24531 found (nil)
association_find: TCP port 4433 found 0x8554540
dissect_ssl enter frame #510
dissect_ssl3_record: content_type 23
association_find: TCP port 24531 found (nil)
association_find: TCP port 4433 found 0x8554540
dissect_ssl3_record: content_type 23
association_find: TCP port 24531 found (nil)
association_find: TCP port 4433 found 0x8554540
dissect_ssl enter frame #536
dissect_ssl3_record: content_type 21
dissect_ssl enter frame #312
dissect_ssl3_record: content_type 23
association_find: TCP port 24531 found (nil)
association_find: TCP port 4433 found 0x8554540
dissect_ssl3_record: content_type 23
association_find: TCP port 24531 found (nil)
association_find: TCP port 4433 found 0x8554540
dissect_ssl enter frame #312
dissect_ssl3_record: content_type 23
association_find: TCP port 24531 found (nil)
association_find: TCP port 4433 found 0x8554540
dissect_ssl3_record: content_type 23
association_find: TCP port 24531 found (nil)
association_find: TCP port 4433 found 0x8554540
dissect_ssl enter frame #394
dissect_ssl3_record: content_type 23
association_find: TCP port 24531 found (nil)
association_find: TCP port 4433 found 0x8554540
dissect_ssl3_record: content_type 23
association_find: TCP port 24531 found (nil)
association_find: TCP port 4433 found 0x8554540
dissect_ssl enter frame #394
dissect_ssl3_record: content_type 23
association_find: TCP port 24531 found (nil)
association_find: TCP port 4433 found 0x8554540
dissect_ssl3_record: content_type 23
association_find: TCP port 24531 found (nil)
association_find: TCP port 4433 found 0x8554540
dissect_ssl enter frame #510
dissect_ssl3_record: content_type 23
association_find: TCP port 24531 found (nil)
association_find: TCP port 4433 found 0x8554540
dissect_ssl3_record: content_type 23
association_find: TCP port 24531 found (nil)
association_find: TCP port 4433 found 0x8554540
dissect_ssl enter frame #510
dissect_ssl3_record: content_type 23
association_find: TCP port 24531 found (nil)
association_find: TCP port 4433 found 0x8554540
dissect_ssl3_record: content_type 23
association_find: TCP port 24531 found (nil)
association_find: TCP port 4433 found 0x8554540
dissect_ssl enter frame #312
dissect_ssl3_record: content_type 23
association_find: TCP port 24531 found (nil)
association_find: TCP port 4433 found 0x8554540
dissect_ssl3_record: content_type 23
association_find: TCP port 24531 found (nil)
association_find: TCP port 4433 found 0x8554540
dissect_ssl enter frame #312
dissect_ssl3_record: content_type 23
association_find: TCP port 24531 found (nil)
association_find: TCP port 4433 found 0x8554540
dissect_ssl3_record: content_type 23
association_find: TCP port 24531 found (nil)
association_find: TCP port 4433 found 0x8554540
dissect_ssl enter frame #394
dissect_ssl3_record: content_type 23
association_find: TCP port 24531 found (nil)
association_find: TCP port 4433 found 0x8554540
dissect_ssl3_record: content_type 23
association_find: TCP port 24531 found (nil)
association_find: TCP port 4433 found 0x8554540
dissect_ssl enter frame #510
dissect_ssl3_record: content_type 23
association_find: TCP port 24531 found (nil)
association_find: TCP port 4433 found 0x8554540
dissect_ssl3_record: content_type 23
association_find: TCP port 24531 found (nil)
association_find: TCP port 4433 found 0x8554540



>Hi,
>
>More important for detecting why it is not decoded are the packets from the SSL
>handshake.
>
>You should see e.g. the following:
>
>...
>dissect_ssl3_hnd_hello_common found CLIENT RANDOM -> state 0x01
>...
>dissect_ssl3_hnd_hello_common found SERVER RANDOM -> state 0x13
>dissect_ssl3_hnd_srv_hello found CIPHER 0x002F -> state 0x17
>... 
>dissect_ssl3_handshake found SSL_HND_CLIENT_KEY_EXCHG state 0x17
>...
>dissect_ssl3_handshake session keys succesfully generated

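An added example, not part of the original thread and not Wireshark code: a short Python script that reads the handshake lines of the debug log above and reports what they imply for decryption with the server key. It assumes the number in the "can't find cipher suite" line is hexadecimal, as the reply reads it; the function and table names are hypothetical.

```python
import re

# Handshake message types defined by the TLS specification.
HANDSHAKE = {2: "ServerHello", 11: "Certificate", 12: "ServerKeyExchange",
             14: "ServerHelloDone", 16: "ClientKeyExchange"}
# Excerpt of the IANA cipher suite registry: id -> (name, key exchange).
SUITES = {
    0x002F: ("TLS_RSA_WITH_AES_128_CBC_SHA", "RSA"),
    0x0035: ("TLS_RSA_WITH_AES_256_CBC_SHA", "RSA"),
    0x0033: ("TLS_DHE_RSA_WITH_AES_128_CBC_SHA", "DHE"),
    0x0039: ("TLS_DHE_RSA_WITH_AES_256_CBC_SHA", "DHE"),
}
HS_RE = re.compile(r"dissect_ssl3_handshake iteration \d+ type (\d+) ")
SUITE_RE = re.compile(r"can't find cipher suite ([0-9A-Fa-f]+)")

# Lines copied from the first pass of the debug log quoted in this thread.
SAMPLE = """\
dissect_ssl3_handshake iteration 1 type 2 offset 5 length 70 bytes,
dissect_ssl3_hnd_srv_hello can't find cipher suite 39
dissect_ssl3_handshake iteration 1 type 11 offset 84 length 918 bytes,
dissect_ssl3_handshake iteration 1 type 12 offset 1011 length 265 bytes,
dissect_ssl3_handshake iteration 1 type 14 offset 1285 length 0 bytes,
dissect_ssl3_handshake iteration 1 type 16 offset 5 length 66 bytes,
dissect_ssl3_change_cipher_spec
dissect_ssl3_handshake iteration 1 type 105 offset 86 length 4484948
"""

def diagnose(log_text):
    """Summarise the handshake and cipher suite seen in an ssl debug log."""
    seen, suite_id, encrypted = [], None, False
    for line in log_text.splitlines():
        if "dissect_ssl3_change_cipher_spec" in line:
            encrypted = True  # later "types" are ciphertext bytes, not types
        m = HS_RE.search(line)
        if m and not encrypted:
            seen.append(HANDSHAKE.get(int(m.group(1)), "unknown"))
        m = SUITE_RE.search(line)
        if m:
            suite_id = int(m.group(1), 16)  # assumption: logged in hex
    name, kex = SUITES.get(suite_id, ("unknown", "unknown"))
    return {"suite": name, "key_exchange": kex, "handshake": seen,
            "server_key_exchange": "ServerKeyExchange" in seen,
            # Only RSA key transport lets the holder of the server's private
            # key recover the premaster secret from a capture.
            "rsa_key_decrypts": kex == "RSA"}
```

With a DHE suite the server's RSA key only signs the key exchange, so the key file loaded by ssl_init cannot yield session keys even once the dissector recognises the suite; the type 12 message in the log is consistent with that reading.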