Wireshark-users: [Wireshark-users] Decrypt a SSH communication ?
From: "Jan Chaloupecky" <[email protected]>
Date: Sun, 29 Jun 2008 09:48:06 +0200
I wanted to have a look at what a SSH communication looks like when it
is not encrypted so I would like to decrypt my SSH session between my
computer and my server with the private key. I had a look at that wiki

But Im not sure which "protocol" do I have to use. The wiki gives
examples about https, ftps ... but what do I need to specify for a SSH
communication ?
I put the following in the SSL/RSA Key Option:,22,ssl,d:\private.pem
But it doesn't seem to work. I start the capture, connect to my SSH
server using a key authentication but Wireshark prints nothing. In the
ssl debug file, I can see the following:

ssl_association_remove removing TCP 22 - sslv3 handle 02994938
ssl_init keys string:,22,ssl,d:\private.pem
ssl_init found host entry,22,ssl,d:\private.pem
ssl_init addr '' port '22' filename 'd:\private.pem'
password(only for p12 file) '(null)'
ssl_init private key file d:\private.pem successfully loaded
association_add TCP port 22 protocol ssl handle 03C64AF8
association_find: TCP port 993 found 03F14838
ssl_association_remove removing TCP 993 - imap handle 02D44940
association_add TCP port 993 protocol imap handle 02D44940
association_find: TCP port 995 found 03F14878
ssl_association_remove removing TCP 995 - pop handle 03A3F550
association_add TCP port 995 protocol pop handle 03A3F550

Could you direct me to some more information about how to decrypt a
SSH session ?

Thanks in advance,