Wireshark-users: Re: [Wireshark-users] Decrypt SSL Windows sample trace
On Tue, May 13, 2008 at 04:01:52PM -0700, Lakshman Hariharan wrote:
> --- Sake Blok <[email protected]> wrote:
> > On Tue, May 13, 2008 at 12:20:39PM -0700, Lakshman Hariharan wrote:
> > > Is there a sample trace available that would open on Windows Wireshark
> > > that can be used to see decryption of SSL traffic? The snakeoil2_070531
> > > trace does not open on Windows Wireshark. I am running version 1.0.
> > 
> > That's because the file is a so-called compressed tar archive.
> > You should be able to open the archive with your favorite
> > archiving program (WinZIP, ZipGenius, etc). In it you will find
> > a README, a capture file and the private key.
> Of course, I didn't open the .tar file with Wireshark.
> It is when I try to open the extracted file that
> Wireshark won't open it. I extracted it and there is
> only one file when extracted.

If there is only one file after you extract the .tgz file, it
will probably be the file snakeoil2_070531.tar. This is the
actual archive with the three files in it, so you need to
open that file again in your archiver. Some archivers do
this in one go, others need two runs.

Here's some more info on the files:

[email protected] /cygdrive/c/temp
$ file snakeoil2_070531.tgz
snakeoil2_070531.tgz: gzip compressed data, from Unix, last modified: Thu May 31 16:47:03 2007

[email protected] /cygdrive/c/temp
$ gzip -d snakeoil2_070531.tgz

[email protected] /cygdrive/c/temp
$ file snakeoil2_070531.tar
snakeoil2_070531.tar: POSIX tar archive (GNU)

[email protected] /cygdrive/c/temp
$ tar xvf snakeoil2_070531.tar

[email protected] /cygdrive/c/temp
$ file rsasnakeoil2.*
rsasnakeoil2.README: ASCII text, with CRLF line terminators
rsasnakeoil2.cap:    tcpdump capture file (little-endian) - version 2.4 (Ethernet, capture length 65535)
rsasnakeoil2.key:    ASCII text, with CRLF line terminators

[email protected] /cygdrive/c/temp

Hope this helps,
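The two-layer unpacking walked through above (gzip layer, then the POSIX tar inside it, then the three rsasnakeoil2.* files), as an added Python example that is not part of the original thread. The sample file contents are constructed stand-ins, not the real archive, and only flat regular-file members are written out, so a member name that would escape the target directory is skipped.

```python
import gzip
import io
import os
import tarfile
import tempfile

# Constructed stand-ins for the three files the thread says the archive holds;
# the real rsasnakeoil2.* contents are not reproduced here.
SAMPLE_FILES = {
    "rsasnakeoil2.README": b"sample readme\r\n",
    "rsasnakeoil2.cap": b"\xd4\xc3\xb2\xa1" + b"\x00" * 20,  # pcap magic + padding
    "rsasnakeoil2.key": b"-----BEGIN RSA PRIVATE KEY-----\r\n(omitted)\r\n"
                        b"-----END RSA PRIVATE KEY-----\r\n",
}

def build_tgz(files):
    """Build a gzip-compressed POSIX tar (a .tgz) in memory from a name->bytes dict."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz", format=tarfile.USTAR_FORMAT) as tar:
        for name, data in files.items():
            info = tarfile.TarInfo(name)
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()

def identify(blob):
    """Minimal stand-in for `file`: recognise the two layers the thread walks through."""
    if blob[:2] == b"\x1f\x8b":
        return "gzip"
    if len(blob) > 262 and blob[257:262] == b"ustar":
        return "tar"
    return "unknown"

def unpack(blob, dest):
    """Peel gzip layers until a tar is reached (run 1), then extract its plain
    files into dest (run 2). Returns the sorted names written."""
    while identify(blob) == "gzip":
        blob = gzip.decompress(blob)
    if identify(blob) != "tar":
        raise ValueError("not a tar archive after decompression")
    written = []
    with tarfile.open(fileobj=io.BytesIO(blob), mode="r:") as tar:
        for member in tar.getmembers():
            base = os.path.basename(member.name)
            # only regular files with a flat name; skips dirs, links, '../' and absolute paths
            if not member.isfile() or base != member.name:
                continue
            with open(os.path.join(dest, base), "wb") as f:
                f.write(tar.extractfile(member).read())
            written.append(base)
    return sorted(written)

def has_wireshark_inputs(names):
    """True when README, capture file and private key are all present."""
    return all(n in names for n in SAMPLE_FILES)

def demo():
    """Round trip: build the .tgz, unpack it into a scratch directory, report the names."""
    with tempfile.TemporaryDirectory() as dest:
        return unpack(build_tgz(SAMPLE_FILES), dest)
```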