Wireshark-dev: Re: [Wireshark-dev] Plugin for Lawful Interception of SSL/TLS messages ...
From: Brian Vandenberg <[email protected]>
Date: Fri, 03 Nov 2006 10:08:46 -0700
Krishna,

It is true that there is a way to decrypt SSL/TLS in wireshark, and to write a dissector that can handle a protocol that's tunneled through SSL/TLS. If you're writing a dissector that will look at the voip traffic, here's generally what you'd do:
* One of the two connections in the SSL tunnel needs to be using a 
static key, and you need a copy of this key.
* In wireshark, click Edit -> Preferences -> Protocols -> SSL
* A field on this screen (name escapes me) takes a parameter formatted like this:
<ip>,<port>,<protocol>,<path>
... where <ip> and <port> are the ip of the server whose private keyfile you have, <port> is the port you want to dissect on, <protocol> is the protocol you expect to get out of the SSL/TLS traffic (for example, if the traffic you're wanting to examine rides on top of http, you'd want to put the string http in place of <protocol>, then have your dissector look at http traffic to determine whether your dissector can handle it. Alternatively, you'd put the protocol name of your dissector if you want to directly handle the unencrypted payload). Finally, <path> is the path to your keyfile. In *nix, I believe the field seperator is ; instead of , * Once you have it working, you'd then need a dissector to handle the traffic you want to examine. This is where your own coding skills come into play. There may be a voip dissector already, but I don't have the latest wireshark build on this computer to check.
-Brian

[email protected] wrote:
Hi,

I’m doing a study project on Voip security using TLS. We can send H.323 messages in an encrypted TLS tunnel. To debug these messages we need a plug-in in Wireshark which actually decrypts the TLS and the tunneled messages. However, I guess it is not so easy to decrypt the data sent in the TLS tunnel.
I heard that there is Lawful Interception services with which can 
get/trace the keys exchanged during TLS handshake and use the keys for 
further decryption of data may be by feeding the key to TLS plug-in or 
so.
Does Wireshark have support for this kind of functionality?

Can any one help me in giving more details and information in this area?

Regards,

Krishna .


The information contained in this electronic message and any attachments to this message are intended for the exclusive use of the addressee(s) and may contain proprietary, confidential or privileged information. If you are not the intended recipient, you should not disseminate, distribute or copy this e-mail. Please notify the sender immediately and destroy all copies of this message and any attachments.
WARNING: Computer viruses can be transmitted via email. The recipient 
should check this email and any attachments for the presence of 
viruses. The company accepts no liability for any damage caused by any 
virus transmitted by this email.
www.wipro.com

------------------------------------------------------------------------

_______________________________________________
Wireshark-dev mailing list
[email protected]
http://www.wireshark.org/mailman/listinfo/wireshark-dev