On 11 nov 2010, at 07:34, Sahaj wrote:
> I need to decrypt SSL traffic to get content length.
>
> ./tshark -o "ssl.keys_list:,443,http,client.ky" -T fields -E separator=":" -e frame.time_relative -e frame.number -e tcp.len -e http.content_length -e tcp.flags.fin -e tcp.flags.push -R "ip.src == source_ip && ip.dst == destination_ip && tcp.srcport == 443 && ! (tcp.analysis.out_of_order) && ! (tcp.analysis.retransmission) " -r sample.pcap
> [...]
> the field for content length is empty.
>
> please help me out and suggest me if i am missing anything or doing wrong.
You should use the server IP address in the keys_list:
-o "ssl.keys_list:<SERVER-IP>,443,http,client.ky"
It also helps if you add:
-o "ssl.debuf_file:ssl-debug.log"
That way you can see in the logfile if the key is loaded OK in Wireshark and you can follow the decryption process.
Let's see how that goes first...
Cheers,
Sake
