List: wireshark-users
Subject: Re: [Wireshark-users] Trouble with SSL dissector - got
From: "Sake Blok" <sake () euronet ! nl>
Date: 2009-09-30 15:40:25
Message-ID: 227FF9EE65924C1A96CC20DCEE857A41 () local ! ionip ! nl
Hi Dominic,
Duplicate packets will be displayed as "out-of-order" at the tcp level, as there is no code (yet) to recognize these packets as duplicates. I bet you are capturing traffic to and from a VM on the host on which this VM runs. In VMware, this results in duplicates (I have no idea why, anyone?).
Editcap does not re-order packets, the -d option just removes the duplicates (you can verify this by running capinfos on the infile and the outfile).
Wireshark is not able to recognize or delete duplicates at the moment, but it would be a nice feature. Do you mind filing an enhancement request for this at https://bugs.wireshark.org?
Cheers,
Sake
----- Original Message -----
From: Dominic Tulley
To: Community support list for Wireshark
Sent: Wednesday, September 30, 2009 10:42 AM
Subject: Re: [Wireshark-users] Trouble with SSL dissector - got it half working!
Hi Sake,
Looking at the capture, I seem to have plenty of out of order packets so that would seem a good place to start. I don't think I am able to share the packet capture with you unfortunately.
I've just run editcap -d on my capture and I seem to have a fully decoded conversation now. So you've already provided some great help! It surprised me a little that this worked though since I don't believe I have any duplicate packets - do you think editcap also re-sorts the packets to the order they should be in?
Is there no way to do this sorting of packets within wireshark? It's a bit frustrating to have to save every capture, convert it and reload it.
Thanks very much,
-Dominic
From: "Sake Blok" <sake@euronet.nl>
To: "Community support list for Wireshark" <wireshark-users@wireshark.org>
Date: 29/09/2009 17:06
Subject: Re: [Wireshark-users] Trouble with SSL dissector - got it half working!
Sent by: wireshark-users-bounces@wireshark.org
------------------------------------------------------------------------------
Hi Dominic,
The fact that you got it working for one of the two flows means that the key is ok, you are not using a DH cipher and that all packets of the SSL handshake are present in the trace (those are the 3 common problems with decrypting traffic). However, if the other flow does not decrypt, that could be caused by:
- a missing packet in that flow (unable to fix)
- the first tcp segment of the first SSL record received out-of-order (could be fixed with editcap and mergecap, but is not so trivial)
- duplicate packets in that flow (could be fixed by using 'editcap -d <infile> <outfile>')
If those are not the case, are you able to provide the capture file and the key? Or is this a production environment?
Cheers,
Sake
----- Original Message -----
From: Dominic Tulley
To: wireshark-users@wireshark.org
Sent: Tuesday, September 29, 2009 11:26 AM
Subject: [Wireshark-users] Trouble with SSL dissector - got it half working!
After much trawling and experimentation I've almost managed to get the SSL dissector working but strangely I can only decode my incoming http requests (all the responses are still encrypted). I've tried using the "decode as" option to make it decode for the client port as well as the server port (although I didn't expect that to be necessary) and I've tried adding the client ip address and socket as a second "private key" in the configuration. Neither helped.
I'd appreciate any suggestions - I'm happy to provide additional details if that would help.
Thanks,
-Dominic
------------------------------------------------------------------------------
Unless stated otherwise above:
IBM United Kingdom Limited - Registered in England and Wales with number 741598.
Registered office: PO Box 41, North Harbour, Portsmouth, Hampshire PO6 3AU
------------------------------------------------------------------------------
___________________________________________________________________________
Sent via: Wireshark-users mailing list <wireshark-users@wireshark.org>
Archives: http://www.wireshark.org/lists/wireshark-users
Unsubscribe: https://wireshark.org/mailman/options/wireshark-users
mailto:wireshark-users-request@wireshark.org?subject=unsubscribe
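Added example for readers of this thread; it is not part of the original messages and not Wireshark's own code. The script below does in Python what `editcap -d` does to a capture, so the behaviour Sake describes can be checked directly: it parses a classic little-endian libpcap file (pcapng is out of scope), drops a packet whose length and MD5 match one of the previous four packets (editcap's default window of 5), writes the survivors back in their original order, and counts packets the way capinfos reports them. The sample capture, the segment contents and the raw-IP link type are constructed for the illustration.

```python
"""Sliding-window duplicate removal in the style of editcap -d.

Added illustration for this thread, not Wireshark code. The capture below is
constructed; the link type and segment bytes are made up for the example.
"""
import hashlib
import struct

PCAP_MAGIC = 0xA1B2C3D4   # classic libpcap, microsecond timestamps
LINKTYPE_RAW = 101        # assumed: packets start at the IP header, no Ethernet
GLOBAL_HDR = "<IHHiIII"   # magic, major, minor, thiszone, sigfigs, snaplen, linktype
RECORD_HDR = "<IIII"      # ts_sec, ts_usec, incl_len, orig_len


def read_pcap(data: bytes):
    """Return a list of (ts_sec, ts_usec, packet_bytes) from a little-endian pcap."""
    magic = struct.unpack_from(GLOBAL_HDR, data, 0)[0]
    if magic != PCAP_MAGIC:
        raise ValueError("not a little-endian classic pcap (pcapng is not handled here)")
    pkts, off = [], struct.calcsize(GLOBAL_HDR)
    while off < len(data):
        ts_sec, ts_usec, incl_len, _orig = struct.unpack_from(RECORD_HDR, data, off)
        off += struct.calcsize(RECORD_HDR)
        pkts.append((ts_sec, ts_usec, data[off:off + incl_len]))
        off += incl_len
    return pkts


def write_pcap(pkts, linktype=LINKTYPE_RAW) -> bytes:
    """Serialise (ts_sec, ts_usec, packet_bytes) records back to a classic pcap."""
    out = [struct.pack(GLOBAL_HDR, PCAP_MAGIC, 2, 4, 0, 0, 65535, linktype)]
    for ts_sec, ts_usec, frame in pkts:
        out.append(struct.pack(RECORD_HDR, ts_sec, ts_usec, len(frame), len(frame)) + frame)
    return b"".join(out)


def dedup(pkts, window=5):
    """Drop a packet whose (length, MD5) matches one of the previous window-1
    packets examined (dropped ones included), keeping survivors in input order.
    This is the test editcap -d applies; nothing is re-sorted."""
    recent, kept = [], []
    for pkt in pkts:
        fp = (len(pkt[2]), hashlib.md5(pkt[2]).digest())
        if fp not in recent:
            kept.append(pkt)
        # a duplicate is not kept, but it still occupies a slot in the window
        recent.append(fp)
        if len(recent) > window - 1:
            recent.pop(0)
    return kept


def sample_capture() -> bytes:
    """Constructed capture: eight distinct segments, the first two each seen
    twice back to back (what a host-side capture of a VM can produce), and
    segment 1 repeated once more nine packets later, outside the window."""
    segs = [f"SEG{i} constructed TCP segment".encode() for i in range(1, 9)]
    stream = [segs[0], segs[0], segs[1], segs[1]] + segs[2:] + [segs[0]]
    return write_pcap([(1254300000, 1000 * i, s) for i, s in enumerate(stream)])


def packet_count(pcap: bytes) -> int:
    """The figure capinfos prints as 'Number of packets'."""
    return len(read_pcap(pcap))


def editcap_d(pcap: bytes, window=5) -> bytes:
    """Equivalent of: editcap -d infile outfile (default window of 5)."""
    return write_pcap(dedup(read_pcap(pcap), window))


if __name__ == "__main__":
    before = sample_capture()
    after = editcap_d(before)
    print(f"infile: {packet_count(before)} packets, outfile: {packet_count(after)} packets")
    for _, _, frame in read_pcap(after):
        print(frame.decode())
```

Running it shows 11 packets in and 9 out: the two back-to-back duplicates are gone, while the later repeat of segment 1 survives because it falls outside the window, and the survivors keep their original order. That is why `editcap -d` rescues a handshake whose segments were merely duplicated but does nothing for segments that are genuinely out of order. Anything byte-identical inside the window is removed, including a real retransmission that happens to be byte-for-byte identical, so compare the capinfos counts of infile and outfile rather than trusting the filter blindly.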