On 9/12/06, Andrew Schweitzer <[EMAIL PROTECTED]> wrote:
> Hello, I'm trying to decrypt some SSL traffic.
>
> The connection initiator talks to port 37000. It talks a proprietary
> protocol (one not present in wireshark). I have the keys of the
> initiator and the listener. I am capturing on the listener. What should
> my RSA keys list be?
>
> Should it be:
> 127.0.0.1,3700,3700,e:\keys\initiator.key?
> or maybe
>
>
> I don't get decrypted data in either case. SSL log says, in second case:
>
> ===Begin SSL log===
> ssl_init keys string 127.0.0.1,37000,37000,c:\keys\initiator.key
> ssl_init found host entry 127.0.0.1,37000,37000,c:\keys\initiator.key
> ssl_init addr 127.0.0.1 port 37000 filename c:\keys\initiator.key
> ssl_get_version: 1.5.0
> ssl_init private key file c:\keys\initiator.key successfully loaded
> association_add port 37000 protocol 37000 handle 00000000
> ===End SSL log===
>
>
> Can decryption only occur if the conversation is sniffed from its
> beginning?

yes

> Do I need both initiator and listener keys?

no, the server's key should be sufficient

> Why is there both a port and protocol specified? How would you
> differentiate two protocols on the same port?

the protocol is used to tell wireshark what the next payload is, i.e. what is inside the ssl wrapping

> What if the protocol is
> unknown, (or at least there's no dissector for it?)

then you can probably specify "data" instead to use the "data" dissector

try: 127.0.0.1,3700,data,e:\keys\server.key

> Thanks

_______________________________________________
Wireshark-users mailing list
[email protected]
http://www.wireshark.org/mailman/listinfo/wireshark-users
