
List:       wireshark-users
Subject:    Re: [Wireshark-users] Problem deciphering an openssl stream
From:       Philippe Fremy <phil () freehackers ! org>
Date:       2010-10-14 15:48:12
Message-ID: 4CB7263C.3090803 () freehackers ! org

[Attachment #2 (text/html)]

<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
<head>
  <meta content="text/html;charset=ISO-8859-1" http-equiv="Content-Type">
  <title></title>
</head>
<body bgcolor="#ffffff" text="#000000">
<a class="moz-txt-link-abbreviated" href="mailto:kolos_ws@ural2.hu">kolos_ws@ural2.hu</a> wrote:
<blockquote cite="mid:alpine.DEB.2.00.1010111433020.29287@robin.fene.hu"
 type="cite">
  <pre wrap="">Hi Philippe,

  </pre>
  <blockquote type="cite">
    <pre wrap="">Handshake Protocol: Server Hello
[...]
Cipher Suite: TLS_RSA_WITH_AES_128_CBC_SHA (0x002f)

I don't see any DH here, so maybe that's not the problem.
    </pre>
  </blockquote>
  <pre wrap=""><!---->
I agree, it doesn't look like it's using DH. What would be interesting to 
see is whether you see a "Client key exchange" or a "Server key exchange" at 
the beginning of the SSL session in your capture when you look at it in 
Wireshark.

Also, you might want to use "-s 0" when running tcpdump, that just 
captures everything.
  </pre>
</blockquote>
That's what I did initially, but the Wireshark wiki recommends -s
65535.<br>
<br>
I took several screenshots of my session, to show the different SSL
packets. If anything explains why I can't decode it, that would be
great. All are attached to this email (hoping the ML will let it
through).<br>
<br>
cheers,<br>
<br>
Philippe<br>
</body>
</html>

["ssl-session.png" (image/png)]
["frame-169.png" (image/png)]
["frame-170.png" (image/png)]
["frame-171.png" (image/png)]
["frame-166.png" (image/png)]
["frame-167.png" (image/png)]

___________________________________________________________________________
Sent via:    Wireshark-users mailing list <wireshark-users@wireshark.org>
Archives:    http://www.wireshark.org/lists/wireshark-users
Unsubscribe: https://wireshark.org/mailman/options/wireshark-users
             mailto:wireshark-users-request@wireshark.org?subject=unsubscribe
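
Added example, not part of the original message or of Wireshark: a way to check whether a capture was cut short by the tcpdump snaplen ("-s") discussed above, since frames whose captured length is below their on-the-wire length leave the SSL records incomplete for the dissector. The function names, the snaplen of 96 and the frame sizes are constructed for illustration; only the classic pcap format is handled.

```python
import struct

# pcap magic as it appears on disk -> struct byte-order prefix
MAGICS = {
    b"\xd4\xc3\xb2\xa1": "<", b"\x4d\x3c\xb2\xa1": "<",  # little-endian (usec, nsec)
    b"\xa1\xb2\xc3\xd4": ">", b"\xa1\xb2\x3c\x4d": ">",  # big-endian (usec, nsec)
}

def check_truncation(data):
    """Return (snaplen, frame_count, 1-based numbers of truncated frames)."""
    endian = MAGICS.get(data[:4])
    if endian is None or len(data) < 24:
        raise ValueError("not a classic pcap file (pcapng is not handled here)")
    # Global header: magic, version, thiszone, sigfigs, snaplen (offset 16), linktype
    snaplen = struct.unpack_from(endian + "I", data, 16)[0]
    offset, frame_no, truncated = 24, 0, []
    while offset + 16 <= len(data):
        # Record header: ts_sec, ts_frac, captured length, original length
        _, _, cap_len, orig_len = struct.unpack_from(endian + "IIII", data, offset)
        frame_no += 1
        if cap_len < orig_len:
            truncated.append(frame_no)  # payload was cut at capture time
        offset += 16 + cap_len
    return snaplen, frame_no, truncated

def build_sample_pcap(snaplen, wire_lengths):
    """Constructed sample capture: zero-filled frames clipped to snaplen."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, snaplen, 1)
    for i, orig_len in enumerate(wire_lengths):
        cap_len = min(orig_len, snaplen)
        out += struct.pack("<IIII", i, 0, cap_len, orig_len) + bytes(cap_len)
    return out

if __name__ == "__main__":
    frames = [66, 1514, 583, 54]  # constructed on-the-wire sizes
    for snap in (96, 65535):
        s, n, cut = check_truncation(build_sample_pcap(snap, frames))
        print(f"snaplen={s}: {len(cut)} of {n} frames truncated {cut}")
```

To check a real capture, pass the file's bytes to check_truncation(); any frame number it returns is one Wireshark will also flag as truncated during capture.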
