Wireshark-users: Re: [Wireshark-users] wireshark ssl decryption for dummies
From: Ulf Lamping <[email protected]>
Date: Tue, 12 Sep 2006 23:40:29 +0200
ronnie sahlberg wrote:
On 9/12/06, Andrew Schweitzer <[email protected]> wrote:
Hello, I'm trying to decrypt some SSL traffic.

The connection initiator talk to port 37000. It talks a proprietary
protocol (one not present in wireshark). I have the keys of the
initiator and the listener. I am capturing on the listener. What should
my RSA keys list be?

Should it be:,3700,3700,e:\keys\initiator.key?
or maybe
I don't get decrypted data in either case. SSL log says, in second case:
===Begin SSL log===
ssl_init keys string,37000,37000,c:\keys\initiator.key
ssl_init found host entry,37000,37000,c:\keys\initiator.key
ssl_init addr port 37000 filename c:\keys\initiator.key
ssl_get_version: 1.5.0
ssl_init private key file c:\keys\initiator.key successfully loaded
association_add port 37000 protocol 37000 handle 00000000
===End SSL log===

Can decryption only occur if the conversation is sniffed from its

Do I need both initiator and listener keys?
no the servers key should be sufficient

Why is there both a port and protocol specified? How would you
the protocol is used to tell wireshark what the next payload is, i.e.
what is inside the ssl wrapping

differentiate two protocols on the same port? What if the protocol is
unknown, (or at least there's no dissector for it?)
then you can probably specify "data" instead to use the "data" dissector


Wireshark-users mailing list
[email protected]

Wireshark-users mailing list
[email protected]

Hi Ronnie!

As you seem to be the one with some knowledge about the SSL stuff, is there a place where all this is explained?
I get the feeling that a lot of current stuff will only be usable to the 
developers, as no one else get a clue how it's working (including me :-).
Could you start a Wiki page about how to use the SSL stuff?

Regards, ULFL