Wireshark-dev: [Wireshark-dev] packet-ssl bug(s)?
From: "Maynard, Chris" <[email protected]>
Date: Wed, 30 Aug 2006 01:18:31 -0400
Since SSL decryption is now supposed to be supported on the Windows
installer, I thought I would try out the "snakeoil2" example posted at

First, I set the RSA keys list as specified - well almost as specified.
The wiki says the file name is snakeoil2.key, but it actually extracts
as rsasnakeoil2.key.

Next, I opened the rsasnakeoil2.cap file.  At first glance, things look
pretty good.  For example, if you select Frame #11, Info column shows
"GET / HTTP/1.1", and the packet details pane contains a separate tree
for "Hypertext Transfer Protocol", which can be expanded to show the
decrypted details.  Nice. However if you look at Frame #31, for example,
the Info column displays "GET /icons/debian/openlogo-25.jpg HTTP/1.1",
but the packet details pane doesn't actually display the decrypted data.

Continuing, I then applied an ssl display filter.  At this point, things
seemed to go horribly wrong.  Frame #11 still seemed ok at this point,
but most frames, including Frame #31 now showed only "Application Data"
in the Info column where more useful text was once shown.  What's even
weirder to me is that when you clear the ssl display filter, the Info
column still displays just the "Application Data" rather than reverting
back to the original text.

It gets even worse.  If you merely close the file, reopen it, then look
at Frame #11, its Info column still displays the correct text, but now
the HTTP decrypted data no longer appears.  Applying the ssl filter and
then clearing it now affects Frame #11 the same as all the other frames.
Basically you have to exit Wireshark then restart it to ever have that
Frame decrypted again.

On the Windows PC, I tried the example using wireshark SVN version
19082.  I also tried this with Wireshark 0.99.3 running on Linux Fedora
Core 4 and had the same results.

This email may contain confidential and privileged material for the
sole use of the intended recipient(s). Any review, use, retention,
distribution or disclosure by others is strictly prohibited. If you
are not the intended recipient (or authorized to receive for the
recipient), please contact the sender by reply email and delete all
copies of this message. Also, email is susceptible to data
corruption, interception, tampering, unauthorized amendment and
viruses. We only send and receive emails on the basis that we are
not liable for any such corruption, interception, tampering,
amendment or viruses or any consequence thereof.