On 9/12/06, Andrew Schweitzer <a.schweitzer.grps@xxxxxxxxx> wrote:
Hello, I'm trying to decrypt some SSL traffic.
The connection initiator talk to port 37000. It talks a proprietary
protocol (one not present in wireshark). I have the keys of the
initiator and the listener. I am capturing on the listener. What should
my RSA keys list be?
Should it be:
127.0.0.1,3700,3700,e:\keys\initiator.key?
or maybe
>
I don't get decrypted data in either case. SSL log says, in second case:
===Begin SSL log===
ssl_init keys string 127.0.0.1,37000,37000,c:\keys\initiator.key
ssl_init found host entry 127.0.0.1,37000,37000,c:\keys\initiator.key
ssl_init addr 127.0.0.1 port 37000 filename c:\keys\initiator.key
ssl_get_version: 1.5.0
ssl_init private key file c:\keys\initiator.key successfully loaded
association_add port 37000 protocol 37000 handle 00000000
===End SSL log===
Can decryption only occur if the conversation is sniffed from its
beginning?
yes
Do I need both initiator and listener keys?
no the servers key should be sufficient
Why is there both a port and protocol specified? How would you
the protocol is used to tell wireshark what the next payload is, i.e.
what is inside the ssl wrapping
differentiate two protocols on the same port? What if the protocol is
unknown, (or at least there's no dissector for it?)
then you can probably specify "data" instead to use the "data" dissector
try:
127.0.0.1,3700,data,e:\keys\server.key
Thanks
_______________________________________________
Wireshark-users mailing list
Wireshark-users@xxxxxxxxxxxxx
http://www.wireshark.org/mailman/listinfo/wireshark-users
