Huge thanks to our Platinum Members Endace and LiveAction,
and our Silver Member Veeam, for supporting the Wireshark Foundation and project.

Wireshark-users: Re: [Wireshark-users] 3rd time Posting -- Please help Regarding SSL decryption w

From: Gerald Combs <gerald@xxxxxxxxxxxxx>
Date: Wed, 25 Oct 2006 10:51:47 -0700
Vijay Sitaram wrote:
> Hi,
>  
>    I am not sure if this has been attempted before, but would really
> appreciate some help / guidance.  We are trying to decrypt SSL
> application data by using 'tshark' on RedHat Linux using the following
> command:
> tshark -V -r rsasnakeoil2.cap -R
> "127.0.0.1,443,/path/to/snakeoil2/rsasnakeoil2.key" > output.txt
>  
>     The Application Data always shows up encrypted.  Are there any logs
> that I can check to see the underlying problem?  How can I make progress
> with my goal?

The "-R" flag is used to specify a read (aka display) filter, e.g.

    ip.addr eq 172.17.2.172 and bgp

or

    tcp matches "ghwbush.*password(?i)"

You appear to be trying to feed it a key list for the SSL dissector.
You might try using the "-o" flag instead, along with the appropriate
SSL preference name:

    tshark -V -r rsasnakeoil2.cap \
      -o "ssl.keys_list: 127.0.0.1,443,/path/to/rsasnakeoil2.key"

For a complete list of preference items, check the "preferences" file in
Wireshark's configuration directory or run "tshark -G defaultprefs".