Wireshark-users: Re: [Wireshark-users] The SSL tcp stream decoding in Users' Manual?
From: [email protected]
Date: Sun, 4 Oct 2015 13:35:32 +0200
On 150923-13:17+0200, [email protected] wrote:

Hi!

Thanks to the fine page at: https://wiki.wireshark.org/SSL I learned to decrypt SSL/TLS streams.

Since I expect that other readers of this thread who need to decrypt traffic will be coming to the same conclusions as me, for a number of years into the future, I am not starting a new topic about it.

And it is that problems arise in understanding the traffic dumps containing conversations with, apparently, still a number of hosts worldwide (until, that is, SPDY is completely withdrawn, which hasn't happened, not even with all of its maker's, Google's, hosts), when these are encountered:

SPDY
HTTP2

I have searched in http://www.duckduckgo.com (I don't use google, to put it nicely) and found nothing in depth (well, really little, as you can see from my research on SPDY and HTTP2, which starts from this post of the already linked Gentoo Forums topic:

TLS (SSL) tcp stream decoding in your traffic dumps?
https://forums.gentoo.org/viewtopic-t-1029408.html#7823392 )

I am sure the big boys of Wireshark can all decrypt SPDY and HTTP2. Pls. can you give us... there is already a queue of wishful readers of that Gentoo Forums topic who have this same healthy curiosity that I am hereby expressing... Pls. can you give us hints on how to arrive at decryption of SPDY and HTTP2?

There are a number of pcapng traffic dumps that I posted, esp. in:
http://www.croatiafidelis.hr/foss/cap/cap-151001-legalis-login/
and which I reached to understand some of what is there, frozen-in-time, shown to have been going on the day earlier, in screencasts and in traffic dumps...

[and which I reached to understand] only [some], that is, I stumbled upon the inability to decrypt/decompress/other-action-that-it-be the SPDY and HTTP2 packets, and you can read my then-understanding at:
< same topic as already given above, different post >
https://forums.gentoo.org/viewtopic-t-1029408.html#7822806

NOTE: In the meantime I made some progress from what I posted in that post, as you can see in the #7823392 post linked some twenty lines above here. I did:

Preferences > Protocols > HTTP2

and in the changed content of the pane on the right that appeared, I selected (I'm showing the whole line, the sole one in the pane):

Enable HTTP2 heuristic (disabled by default) |v|

But still, if I look up the "tcp.stream eq 16" of
http://www.croatiafidelis.hr/foss/cap/cap-151001-legalis-login/dump_151001_1358_g0n.pcap
I decrypt nothing more than what I explained in the Gentoo Forums post #7823392 of the topic linked some thirty lines above here. Nothing but 'PRI * HTTP/2' is really humanly legible.

Also, if I use the sample and key found at:

[Wireshark-bugs] [Bug 9821] New: Add support for SPDY protocol
https://www.wireshark.org/lists/wireshark-bugs/201403/msg00007.html

and the rest of the thread, and talked about in this StackOverflow page:

Why are the headers of this SPDY SYN_STREAM sample apparently uncompressed?
http://stackoverflow.com/questions/27454189/why-are-the-headers-of-this-spdy-syn-stream-sample-apparently-uncompressed

I can decrypt that sample, but I can not decrypt when I find SPDY in my own samples (or is it that nothing human readable is to be found? what then is it?). E.g.
http://www.croatiafidelis.hr/foss/cap/cap-151001-legalis-login/dump_151001_1358_g0n.pcap
has a few of those. I put 'spdy' in the filter and can see exactly 10 that match the spdy filter.

I have the SPDY Preferences available in my Wireshark (1.12.7) (right click on any of them, and Protocol Preferences opens:

|v| Assemble SPDY bodies that consist of multiple DATA frames
|v| Uncompress SPDY headers
|v| Uncompress entity bodies

) but I haven't managed to see the human readable, or viewable if it is, say, image, content of any of the 10 packets... All the SPDY packets get the tab "Decrypted SSL data (xx bytes)" but... the decrypted content, it is not clear what it is.

Any more information will be appreciated.

Thank you for your kind consideration! I took pains to check every link and to write clearly... Can't renounce the mentioning of the big picture view, though (you can read it in the forums): because it's all about the fight for privacy for me.

Regards!
--
Miroslav Rovis
Zagreb, Croatia
http://www.CroatiaFidelis.hr
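The observation in the message that only 'PRI * HTTP/2' is legible in the decrypted stream follows from the HTTP/2 wire format: the connection preface is plain text, but everything after it is 9-octet binary frame headers followed by payloads, and request headers are HPACK-compressed rather than sent as text. The following frame walker is an added example written for this thread, not code from Wireshark or from the poster; it parses the frame headers defined in RFC 7540, decodes a SETTINGS payload and the indexed-field subset of HPACK (RFC 7541 static table) over a constructed byte string that stands in for the bytes Wireshark shows under "Decrypted SSL data". The sample stream, the subset of the static table and the helper names are assumptions for the demonstration.

```python
import struct

# HTTP/2 connection preface (RFC 7540, section 3.5). After TLS decryption this
# is the only part of an HTTP/2 stream that reads as plain text; what follows
# is binary frames, and header blocks inside HEADERS frames are HPACK-compressed.
PREFACE = b"PRI * HTTP/2.0\r\n\r\nSM\r\n\r\n"

FRAME_TYPES = {
    0x0: "DATA", 0x1: "HEADERS", 0x2: "PRIORITY", 0x3: "RST_STREAM",
    0x4: "SETTINGS", 0x5: "PUSH_PROMISE", 0x6: "PING", 0x7: "GOAWAY",
    0x8: "WINDOW_UPDATE", 0x9: "CONTINUATION",
}

# Subset of the HPACK static table (RFC 7541, Appendix A); enough for the
# indexed header fields used in the constructed sample below.
HPACK_STATIC = {
    1: (":authority", ""), 2: (":method", "GET"), 3: (":method", "POST"),
    4: (":path", "/"), 5: (":path", "/index.html"), 6: (":scheme", "http"),
    7: (":scheme", "https"), 8: (":status", "200"),
}


def parse_http2_frames(data):
    """Split a decrypted HTTP/2 byte stream into frames.

    Returns (preface_seen, frames, leftover). Each frame is a dict holding the
    9-octet header fields (RFC 7540, section 4.1) and the raw payload; a
    truncated trailing frame is returned untouched as leftover.
    """
    preface_seen = data.startswith(PREFACE)
    pos = len(PREFACE) if preface_seen else 0
    frames = []
    while len(data) - pos >= 9:
        length = int.from_bytes(data[pos:pos + 3], "big")   # 24-bit length
        ftype = data[pos + 3]                                # 8-bit type
        flags = data[pos + 4]                                # 8-bit flags
        stream_id = int.from_bytes(data[pos + 5:pos + 9], "big") & 0x7FFFFFFF
        if len(data) - (pos + 9) < length:
            break  # payload not fully present: stop and report leftover
        frames.append({
            "type": FRAME_TYPES.get(ftype, "UNKNOWN(0x%02x)" % ftype),
            "flags": flags,
            "stream_id": stream_id,
            "payload": data[pos + 9:pos + 9 + length],
        })
        pos += 9 + length
    return preface_seen, frames, data[pos:]


def parse_settings(payload):
    """Decode a SETTINGS payload: 16-bit identifier / 32-bit value pairs."""
    if len(payload) % 6:
        raise ValueError("SETTINGS payload length must be a multiple of 6")
    return {ident: value for ident, value in struct.iter_unpack(">HI", payload)}


def decode_indexed_headers(block):
    """Decode a header block made only of indexed static-table fields (one
    octet each, high bit set). Anything else is reported, not guessed at."""
    fields = []
    for octet in block:
        if octet & 0x80 and (octet & 0x7F) in HPACK_STATIC:
            fields.append(HPACK_STATIC[octet & 0x7F])
        else:
            fields.append(("<unsupported HPACK representation>", "0x%02x" % octet))
    return fields


# Constructed sample (not taken from the capture linked in the message): the
# client preface, a SETTINGS frame carrying SETTINGS_MAX_CONCURRENT_STREAMS
# (identifier 3) = 100, and a HEADERS frame on stream 1 with
# END_STREAM|END_HEADERS whose block is ":method: GET" (0x82) and ":path: /" (0x84).
SAMPLE = (
    PREFACE
    + b"\x00\x00\x06" + b"\x04" + b"\x00" + b"\x00\x00\x00\x00" + b"\x00\x03\x00\x00\x00\x64"
    + b"\x00\x00\x02" + b"\x01" + b"\x05" + b"\x00\x00\x00\x01" + b"\x82\x84"
)


def summarize(data):
    """Walk a decrypted stream and return one readable line per frame."""
    preface_seen, frames, leftover = parse_http2_frames(data)
    lines = ["preface: %s" % ("present" if preface_seen else "absent")]
    for f in frames:
        detail = ""
        if f["type"] == "SETTINGS":
            detail = " settings=%r" % parse_settings(f["payload"])
        elif f["type"] == "HEADERS" and not f["flags"] & 0x28:
            # neither PADDED (0x08) nor PRIORITY (0x20) set, so the payload is
            # the header block itself
            detail = " headers=%r" % decode_indexed_headers(f["payload"])
        lines.append("%s stream=%d flags=0x%02x len=%d%s"
                     % (f["type"], f["stream_id"], f["flags"], len(f["payload"]), detail))
    if leftover:
        lines.append("leftover %d bytes (truncated frame)" % len(leftover))
    return lines


if __name__ == "__main__":
    print("\n".join(summarize(SAMPLE)))
```

Run against the bytes of a decrypted stream, the walker shows that the two header bytes 0x82 0x84 already carry a complete GET request line, which is why the pane looks like noise after the preface; a full HPACK decoder (literal fields, Huffman strings, dynamic table) is what a protocol dissector such as Wireshark's HTTP2 one adds on top of this.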