Wireshark-users: Re: [Wireshark-users] Decrypting SSL traffic through tshark
From: sahaj pandey <sahaj_p@xxxxxxxxxxx>
Date: Fri, 12 Nov 2010 19:41:11 +0530 (IST)

Removing other message and posting it again.
sorry for spam.


Hi Sake,

thanks a lot for replying,

previously i had tried by giving server ip only but somehow missed to mention that.
this time i have used the "ssl.debug_file:debug.log",

tshark   -o "ssl.keys_list:<server ip>,443,http,server.key" -o "ssl.debug_file:debug.log" -T fields -E separator=":"  -e frame.number -e http.content_length -e tcp.len -e ssl.record -R "ip.src == <server_ip> && ip.dst == dest_ip && tcp.srcport == 443 && ! (tcp.analysis.out_of_order)  && ! (tcp.analysis.retransmission) "  -r sample.pcap 



again i am not able to get decrypted data. i am seeing a line as "no decoder available".

the log file have this kind of entries,

------
ssl_init keys string:
server_ip,http,server.key
ssl_init found host entry <serve_ip>,443,http,server.key
ssl_init addr '<server_ip>' port '443' filename 'server.key' password(only for p12 file) '(null)'
ssl_init private key file server.key successfully loaded
association_add TCP port 443 protocol http handle 0x90fcee0
association_find: TCP port 993 found 0x9597f78
ssl_association_remove removing TCP 993 - imap handle 0x910a500
association_add TCP port 993 protocol imap handle 0x910a500
association_find: TCP port 995 found 0x9597fb0
ssl_association_remove removing TCP 995 - pop handle 0x91ccf00
association_add TCP port 995 protocol pop handle 0x91ccf00

dissect_ssl enter frame #66 (first time)
  conversation = 0xb68257d0, ssl_session = 0xb68259a8
dissect_ssl3_record found version 0x0301 -> state 0x11
dissect_ssl3_record: content_type 22
decrypt_ssl3_record: app_data len 58 ssl, state 0x11
association_find: TCP port 443 found 0x9940730
packet_from_server: is from server - TRUE
decrypt_ssl3_record: using server decoder
decrypt_ssl3_record: no decoder available
dissect_ssl3_handshake iteration 1 type 2 offset 5 length 54 bytes, remaining 63
dissect_ssl3_hnd_hello_common found SERVER RANDOM -> state 0x13
dissect_ssl3_hnd_srv_hello found CIPHER 0x0004 -> state 0x17
dissect_ssl3_hnd_srv_hello not enough data to generate key (required 0x37)
dissect_ssl3_record: content_type 22
decrypt_ssl3_record: app_data len 758 ssl, state 0x17
association_find: TCP port 443 found 0x9940730
packet_from_server: is from server - TRUE
decrypt_ssl3_record: using server decoder
decrypt_ssl3_record: no decoder available
dissect_ssl3_handshake iteration 1 type 11 offset 68 length 754 bytes, remaining 826
dissect_ssl3_record: content_type 22
decrypt_ssl3_record: app_data len 4 ssl, state 0x17
association_find: TCP port 443 found 0x9940730
packet_from_server: is from server - TRUE
decrypt_ssl3_record: using server decoder
decrypt_ssl3_record: no decoder available
dissect_ssl3_handshake iteration 1 type 14 offset 831 length 0 bytes, remaining 835
------

what can i do further to get it decrypted.?

thanks for help.
 
Regards,
sahaj




From: "wireshark-users-request@xxxxxxxxxxxxx" <wireshark-users-request@xxxxxxxxxxxxx>
To: wireshark-users@xxxxxxxxxxxxx
Sent: Fri, 12 November, 2010 1:30:03 AM
Subject: Wireshark-users Digest, Vol 54, Issue 10

------------------------------

Message: 7
Date: Thu, 11 Nov 2010 12:04:20 +0530
From: Sahaj <sahaj85@xxxxxxxxx>
Subject: [Wireshark-users] Decrypting SSL traffic through tshark
To: wireshark-users@xxxxxxxxxxxxx
Message-ID:
    <AANLkTinmwpPZc3VMFyCWGHh2Xy_TT7ZcCHNu2sL3K3vu@xxxxxxxxxxxxxx>
Content-Type: text/plain; charset="iso-8859-1"

Hi All,

I am new to wireshark,

I need to decrypt SSL traffic to get content length.

./tshark  -o "ssl.keys_list:,443,http,client.ky" -T fields -E separator=":"
-e frame.time_relative -e frame.number -e tcp.len -e http.content_length -e
tcp.flags.fin -e tcp.flags.push  -R "ip.src == source_ip && ip.dst ==
destination_ip  && tcp.srcport == 443 && ! (tcp.analysis.out_of_order)  && !
(tcp.analysis.retransmission) "  -r sample.pcap

here the result is,

2.765700000:35:0::0:0
2.765990000:37:0::0:0
2.925676000:39:0::0:0
2.925967000:41:0::0:0
5.766952000:66:835::0:1
5.767578000:70:0::0:0
5.767648000:71:0::0:0
5.927948000:72:835::0:1
5.928435000:76:0::0:0
5.928609000:77:0::0:0
5.970891000:78:43::0:1
6.131897000:80:43::0:1
6.132293000:83:0::0:0
6.133199000:84:1460::0:0
6.134092000:85:1460::0:0
6.236042000:90:1280::1:1

the field for content length is empty.

please help me out and suggest me if i am missing anything or doing wrong.

thanks.

--
Regards,
Sahaj
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://www.wireshark.org/lists/wireshark-users/attachments/20101111/eb68831b/attachment.htm

------------------------------

Message: 8
Date: Thu, 11 Nov 2010 19:14:08 +0100
From: Sake Blok <sake@xxxxxxxxxx>
Subject: Re: [Wireshark-users] Decrypting SSL traffic through tshark
To: Community support list for Wireshark
    <wireshark-users@xxxxxxxxxxxxx>
Message-ID: <95BA2989-BC0E-4F1E-9569-8922039B49F0@xxxxxxxxxx>
Content-Type: text/plain; charset=us-ascii

On 11 nov 2010, at 07:34, Sahaj wrote:

> I need to decrypt SSL traffic to get content length.
>
> ./tshark  -o "ssl.keys_list:,443,http,client.ky" -T fields -E separator=":"  -e frame.time_relative -e frame.number -e tcp.len -e http.content_length -e tcp.flags.fin -e tcp.flags.push  -R "ip.src == source_ip && ip.dst == destination_ip  && tcp.srcport == 443 && ! (tcp.analysis.out_of_order)  && ! (tcp.analysis.retransmission) "  -r sample.pcap
> [...]
> the field for content length is empty.
>
> please help me out and suggest me if i am missing anything or doing wrong.

You should use the server IP address in the keys_list:

-o "ssl.keys_list:<SERVER-IP>,443,http,client.ky"

It also helps if you add:

-o "ssl.debuf_file:ssl-debug.log"

That way you can see in the logfile if the key is loaded OK in Wireshark and you can follow the decryption process.

Let's see how that goes first...

Cheers,


Sake



------------------------------


_______________________________________________
Wireshark-users mailing list
Wireshark-users@xxxxxxxxxxxxx
https://wireshark.org/mailman/listinfo/wireshark-users


End of Wireshark-users Digest, Vol 54, Issue 10
***********************************************