Wireshark-users: [Wireshark-users] wireshark ssl decryption for dummies
From: Andrew Schweitzer <[email protected]>
Date: Tue, 12 Sep 2006 10:23:14 -0400
Hello, I'm trying to decrypt some SSL traffic.

The connection initiator talk to port 37000. It talks a proprietary protocol (one not present in wireshark). I have the keys of the initiator and the listener. I am capturing on the listener. What should my RSA keys list be?
Should it be:
127.0.0.1,3700,3700,e:\keys\initiator.key?
or maybe
127.0.0.1,3700,3700,e:\keys\listener.key?

I don't get decrypted data in either case. SSL log says, in second case:

===Begin SSL log===
ssl_init keys string 127.0.0.1,37000,37000,c:\keys\initiator.key
ssl_init found host entry 127.0.0.1,37000,37000,c:\keys\initiator.key
ssl_init addr 127.0.0.1 port 37000 filename c:\keys\initiator.key
ssl_get_version: 1.5.0
ssl_init private key file c:\keys\initiator.key successfully loaded
association_add port 37000 protocol 37000 handle 00000000
===End SSL log===


Can decryption only occur if the conversation is sniffed from its beginning?
Do I need both initiator and listener keys?

Why is there both a port and protocol specified? How would you differentiate two protocols on the same port? What if the protocol is unknown, (or at least there's no dissector for it?)
Thanks