Huge thanks to our Platinum Members Endace and LiveAction,
and our Silver Member Veeam, for supporting the Wireshark Foundation and project.
Wireshark logo

Wireshark-users: Re: [Wireshark-users] The SSL tcp stream decoding in Users' Manual?

Date Prev · Date Next · Thread Prev · Thread Next
Date Index · Thread Index · Other Months · All Mailing Lists
From: miro.rovis@xxxxxxxxxxxxxxxxx
Date: Sun, 4 Oct 2015 13:35:32 +0200
On 150923-13:17+0200, miro.rovis@xxxxxxxxxxxxxxxxx wrote:

Hi!

Thanks to the fine page at:

https://wiki.wireshark.org/SSL

I learned to decrypt SSL/TLS streams.

Since I expect that other readers of this thread, who need to decrypt
traffic, will be coming to the same conclusions as me, for a number of
years into the future, I am not starting a new topic about it.

And it is that problems arise in understanding the traffic dumps
containing conversations with, apparently, still a number of hosts
worldwide (until, that is, the SPDY is completely withdrawn, which
hasn't happened not even with all of its maker's, Google's hosts), when
these are encountered:

SPDY

HTTP2

I have searched in http://www.duckduckgo.com (I don't use google, to put
it nicely) and found nothing in depth (well, really little, as you can
see from my research on SPDY and HTTP2 which starts from this post (of
the already linked Gentoo Forums topic:

TLS (SSL) tcp stream decoding in your traffic dumps?
https://forums.gentoo.org/viewtopic-t-1029408.html#7823392

)

I am sure the big boys of Wireshark can all decrypt SPDY and HTTP2. Pls.
can you give us, there is already a queue of wishful readers of that
Gentoo Forums' topic that have this same healthy curiosity that I am
hereby expressing...

Pls.  can you give us hints on how to arrive at decryption of SPDY and
HTTP2?

There are a number of pcapng traffic dumps that I posted, esp. in:

http://www.croatiafidelis.hr/foss/cap/cap-151001-legalis-login/ 

and which I reached to understand some of what is there, frozen-in-time,
shown to have been going on the day earlier, in screencasts and in traffic
dumps...

[and which I reached to understand] only [some], that is, I stumbled
upon the inability to decrypt/decompress/other-action-that-it-be the
SPDY and HTTP2 packets, and you can read my then-understanding at:

< same topic as already given above, different post >
https://forums.gentoo.org/viewtopic-t-1029408.html#7822806
NOTE: In the meantime I made some progress from what I posted in that post, as you can see in the #7823392 post some twenty lines above here linked.

I did: Preferences > Protocols > HTTP2 and in the changed content, of
the pane on the right, that appeared, I selected, I'm showing the whole
line, the sole in the pane:

Enable HTTP2 heuristic (disabled by default) |v|

But still, if I look up the "tcp.stream eq 16" of the
http://www.croatiafidelis.hr/foss/cap/cap-151001-legalis-login/dump_151001_1358_g0n.pcap

I decrypt nothing more than what I explained in the Gentoo Forums post
#7823392 of the topic, linked some thirty lines above here. nothing but
'PRI * HTTP/2' is really humanly legible.

Also if I use the sample and key found at:

[Wireshark-bugs] [Bug 9821] New: Add support for SPDY protocol 
https://www.wireshark.org/lists/wireshark-bugs/201403/msg00007.html

and the rest of the thread, and talked about in this StackOverfow page:

Why are the headers of this SPDY SYN_STREAM sample apparently
uncompressed? 
http://stackoverflow.com/questions/27454189/why-are-the-headers-of-this-spdy-syn-stream-sample-apparently-uncompressed 

I can decrypt that sample, but I can not decrypt when I find SPDY in the
my own samples (or is it that nothing human readable is to be found?
what then is it?).

E.g. 
http://www.croatiafidelis.hr/foss/cap/cap-151001-legalis-login/dump_151001_1358_g0n.pcap
has a few of thoes. I put 'spdy' in the filter and can see exactly 10
that match the spdy filter.

I have the SPDY Preferences available in my Wireshark (1.12.7)
(
right click on any of them, and
Protocol Preferences opens:

|v| Assemble SPDY bodies that consist of multiple DATA frames
|v| Uncompress SPDY headers
|v| Uncompress entity bodies
)
but I haven't managed to see the human readable, or viewable if it is,
say, image, content of any of the 10 packets...

All the SPDY packets get the tab "Decrypted SSL data (xx bytes)" but... the
decrypted content, it is not clear what it is.

Any more information will be appreciated.

Thank you for your kind consideration! I took pains to check every link
and to write clearly... Can't renounce the mentioning of the big picture
view, though (you can read it in the forums): because it's all about the
fight for privacy for me.

Regards!
-- 
Miroslav Rovis
Zagreb, Croatia
http://www.CroatiaFidelis.hr

Attachment: signature.asc
Description: PGP signature

Wireshark logo footer

© Wireshark Foundation · Privacy Policy

Facebook·Mastodon·Twitter·YouTube