Wireshark-users: Re: [Wireshark-users] ssl.handshake and ring buffer capture
From: Sake Blok <sake@xxxxxxxxxx>
Date: Thu, 15 Jul 2010 16:45:38 +0200
On 15 jul 2010, at 14:25, John Modlin wrote:

> I've set up tshark to do a nightly capture and include ssl traffic.  The decryption is working great.  The problem
> I have is I'm keeping files to a 50 MB size so the files are manageable in wireshark to view and filter.  The captures
> can be several hundred MB.  The decryption works great in the 1st capture file from the ring buffer where the
> ssl.handshake info exists, but the subsequent files from the ring buffer don't have that information in them of course,
> and consequently wireshark does not then decrypt the subsequent files.
> Is there an eloquent way to handle this?

You could extract each individual SSL session (including sessions that reuse the negotiated keys) to a file of its own and then do decryption on the new files. Of course you lose the dependency between the sessions, but having the unencrypted form next to the integral tracefiles will still give you a pretty good view of things.

The extraction can be automated with a script, but it is not trivial (because of the session reuse).

Cheers,


Sake
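The grouping step that makes this extraction non-trivial, written out as an added example (this is not code from the thread, and not part of Wireshark or tshark). It assumes the ring-buffer files have first been joined with mergecap so that tcp.stream numbers are consistent, and that tshark was run over the merged file with the (assumed) invocation shown in the docstring to dump, per frame, the TCP stream number, the handshake message types and the session id. Every stream whose ServerHello echoes the session id the client offered is a resumption and reuses the master secret of the full handshake that first assigned that id, so it must be written to the same output file as that handshake. The sample field dump is constructed, not real capture data; the `-Y` option is the current tshark read/display filter, older 1.x releases used `-R` for the same purpose. Ticket-based resumption (RFC 5077) is not tied to its originating handshake by session id, so such streams would surface as orphans here and would need a separate grouping key.

```python
"""Group TLS/SSL streams so each extracted capture carries its own handshake.

Added example, not code from the mailing-list post. Input is assumed to be
the output of (Wireshark 1.x field names):

    tshark -r merged.pcap -Y ssl.handshake -T fields -E separator=/t \
        -e tcp.stream -e ssl.handshake.type -e ssl.handshake.session_id

One line per frame: <tcp.stream> TAB <handshake types, comma-joined> TAB <session id>.
Handshake type 1 is ClientHello, 2 is ServerHello.
"""
from collections import OrderedDict

CLIENT_HELLO = "1"
SERVER_HELLO = "2"

# Constructed sample (not captured data), eight TCP streams:
#   0: full handshake, server assigns aaaa0000   (keys for streams 0 and 2)
#   1: full handshake, server assigns bbbb1111   (keys for streams 1 and 5)
#   2: client offers aaaa0000, server echoes it  -> resumption of stream 0
#   3: client offers aaaa0000, server assigns cccc2222 -> fresh handshake
#   4: only a ServerHello seen; the ClientHello sits in an earlier ring file
#   5: client offers bbbb1111, server echoes it  -> resumption of stream 1
#   6: resumption of a session whose full handshake is not in this capture
#   7: full handshake, server returns no session id (will not be cached)
SAMPLE_FIELDS = """\
0\t1\t
0\t2,11,14\taaaa0000
0\t16\t
1\t1\t
1\t2,11,14\tbbbb1111
2\t1\taaaa0000
2\t2\taaaa0000
3\t1\taaaa0000
3\t2,11,14\tcccc2222
4\t2,11,14\tdddd3333
5\t1\tbbbb1111
5\t2\tbbbb1111
6\t1\teeee4444
6\t2\teeee4444
7\t1\t
7\t2,11,14\t
"""


def parse_tshark_fields(text):
    """Parse the field dump into {stream: {"client": sid, "server": sid}}.

    A missing key means that hello was never seen; an empty string means the
    hello carried no session id.
    """
    records = OrderedDict()
    for line in text.splitlines():
        if not line.strip():
            continue
        cols = line.split("\t")
        stream, types = cols[0], cols[1].split(",")
        sid = cols[2].split(",")[0] if len(cols) > 2 else ""
        rec = records.setdefault(stream, {})
        if CLIENT_HELLO in types:
            rec["client"] = sid
        if SERVER_HELLO in types:
            rec["server"] = sid
    return records


def group_sessions(records):
    """Partition streams into sets that share one master secret.

    Returns (groups, orphans, incomplete):
      groups     - stream lists that decrypt together; each starts with a
                   stream that carries a full handshake
      orphans    - resumed sessions whose full handshake is not in the capture
      incomplete - streams missing a ClientHello or a ServerHello
    """
    buckets = OrderedDict()
    incomplete = []
    for stream, rec in records.items():
        if "client" not in rec or "server" not in rec:
            incomplete.append(stream)
            continue
        # Resumption: the server echoes the non-empty id the client offered.
        resumed = rec["client"] != "" and rec["client"] == rec["server"]
        # An empty server id means the session will not be cached, so nothing
        # can ever resume it: the stream stands alone.
        key = rec["server"] if rec["server"] else ("solo", stream)
        bucket = buckets.setdefault(key, {"full": [], "resumed": []})
        bucket["resumed" if resumed else "full"].append(stream)
    groups, orphans = [], []
    for bucket in buckets.values():
        members = bucket["full"] + bucket["resumed"]
        (groups if bucket["full"] else orphans).append(members)
    return groups, orphans, incomplete


def display_filter(streams):
    """Filter selecting a set of TCP streams, portable across tshark versions."""
    return " || ".join("tcp.stream == %s" % s for s in streams)


def extraction_commands(pcap, groups, prefix="ssl_session"):
    """One tshark invocation per group: full handshake plus its resumptions."""
    return ['tshark -r %s -Y "%s" -w %s_%02d.pcap'
            % (pcap, display_filter(g), prefix, i) for i, g in enumerate(groups)]


if __name__ == "__main__":
    groups, orphans, incomplete = group_sessions(parse_tshark_fields(SAMPLE_FIELDS))
    for cmd in extraction_commands("merged.pcap", groups):
        print(cmd)
    print("# resumed without their full handshake (undecryptable):", orphans)
    print("# streams missing a hello (handshake crosses a ring-buffer boundary):", incomplete)
```

Streams that end up in `incomplete` are the ones the original question runs into: their handshake crossed a ring-buffer boundary, which is why the merge has to happen before the split. A resumption whose originating handshake fell outside the whole capture window lands in `orphans`; no amount of regrouping recovers its keys.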