
After capturing some SSL traffic (using tcpdump on an embedded linux system), I'm attempting to decrypt the traffic from the dumpfile using Wireshark (I've tried both v1.8.1 on linux and v1.8.2 on Win32).

The Session-ID was taken from the packet capture and the master secret was obtained from the memory of an application executing on the embedded system.

My key file looks like

RSA Session-ID:D5407D99D48D4D094871F9938EF28F284C80ADA4F86EA96E75AB8E4E9374C7D6 Master-Key:26D5441D31A01A98C8C12140DE5312E3905E0619351D25A906152FAB9834ABC2CFBA14C11841447ECB175646185F3FB8

With the obligatory newline afterwards.

I've selected "data" as the protocol (as I'm not sure what protocol lies inside the session--though most likely XML), but when applied, I get an error of "Can't load private key from /root/dump.test.ms" on the console and "ssl_load_key: can't import pem data" in the ssl.debug file.

It almost seems as if wireshark is treating the keyfile as an RSA/X.509 key and not the session & master secret?

Furthermore, if the master secret were incorrect, I would still expect wireshark to "decrypt" the data and present that in the view as decrypted.

Any pointers or thoughts would be appreciated.

asked 08 Sep '12, 14:33 by puffdaddy

puffdaddy ... I need to get the Session-ID and Master-Secret for a Win32 C++ application for decrypting SSL/TLS traffic. How did you get the Session-ID and Master-Secret? Which software did you use? Could you please point me in the right direction?

(04 Aug '14, 09:30) izeid

To answer my own question, this was simple user error, as I didn't understand that the SSL protocol dialog provides an input for RSA server keys and a separate method to input Session-IDs and Master-Secrets (i.e. Edit->Preferences->Protocols->SSL-> "(Pre)-Master-Secret log filename:"), and the file that you specify there should contain separate lines with the RSA Session-ID:D5407D99D48D4D094871F9938EF28F284C80ADA4F86EA96E75AB8E4E9374C7D6 Master-Key:26D5441D31A01A98C8C12140DE5312E3905E0619351D25A906152FAB9834ABC2CFBA14C11841447ECB175646185F3FB8 syntax.

After adding my file in that fashion, I needed to restart Wireshark, and then (after the restart, which seemed to allow Wireshark to load and possess the secrets contained in that file) I was able to select "Follow SSL stream" and view the decrypted stream.

Cheers!

answered 11 Sep '12, 11:11 by puffdaddy
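The key-log syntax from the answer above, as an added example that is not code from the original post or from the Wireshark project: a small Python helper that builds a line from the raw session ID and master secret pulled out of process memory, validates a file of such lines with the length checks a practitioner would want before blaming Wireshark (a TLS session ID is at most 32 bytes and the master secret is exactly 48 bytes, and the file must end with a newline), and looks up the secret for the Session-ID seen in the capture's ServerHello. The sample file is the line from the answer itself; the handling of blank and '#' comment lines follows the NSS key-log convention and is an assumption about what Wireshark tolerates.

```python
"""Build, validate and query a Wireshark '(Pre)-Master-Secret log' file of the
'RSA Session-ID:<hex> Master-Key:<hex>' form described in the answer above.

Added example; not code from the original post or from the Wireshark project.
"""
import re
from typing import Dict, Optional

# TLS session IDs are 1..32 bytes; the TLS master secret is always 48 bytes.
MAX_SESSION_ID_LEN = 32
MASTER_SECRET_LEN = 48

# Exactly one session per line, hex digits only, nothing trailing.
_LINE_RE = re.compile(r"^RSA Session-ID:([0-9A-Fa-f]+) Master-Key:([0-9A-Fa-f]+)$")

# The key-log line from the answer above (taken from the page, not constructed),
# followed by the newline the question calls "obligatory".
SAMPLE_KEYLOG = (
    "RSA Session-ID:D5407D99D48D4D094871F9938EF28F284C80ADA4F86EA96E75AB8E4E9374C7D6 "
    "Master-Key:26D5441D31A01A98C8C12140DE5312E3905E0619351D25A906152FAB9834ABC2"
    "CFBA14C11841447ECB175646185F3FB8\n"
)


def format_keylog_line(session_id: bytes, master_secret: bytes) -> str:
    """Turn the raw session ID and master secret (e.g. read out of process memory)
    into one key-log line, checking lengths before anything is written to disk."""
    if not 1 <= len(session_id) <= MAX_SESSION_ID_LEN:
        raise ValueError(f"session ID must be 1..{MAX_SESSION_ID_LEN} bytes, got {len(session_id)}")
    if len(master_secret) != MASTER_SECRET_LEN:
        raise ValueError(f"master secret must be {MASTER_SECRET_LEN} bytes, got {len(master_secret)}")
    return f"RSA Session-ID:{session_id.hex().upper()} Master-Key:{master_secret.hex().upper()}"


def parse_keylog(text: str) -> Dict[bytes, bytes]:
    """Parse key-log file contents into {session_id: master_secret}.

    Every line must match the syntax above and carry a 48-byte master secret, and the
    file must end with a newline. Blank lines and '#' comment lines are skipped here;
    that follows the NSS key-log convention and is an assumption about Wireshark.
    """
    if text and not text.endswith("\n"):
        raise ValueError("key log file must end with a newline")
    secrets: Dict[bytes, bytes] = {}
    for lineno, line in enumerate(text.splitlines(), start=1):
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        m = _LINE_RE.match(line)
        if m is None:
            raise ValueError(f"line {lineno}: not an 'RSA Session-ID:... Master-Key:...' line")
        sid_hex, ms_hex = m.groups()
        if len(sid_hex) % 2 or len(ms_hex) % 2:
            raise ValueError(f"line {lineno}: odd-length hex string")
        sid, ms = bytes.fromhex(sid_hex), bytes.fromhex(ms_hex)
        if not 1 <= len(sid) <= MAX_SESSION_ID_LEN:
            raise ValueError(f"line {lineno}: session ID is {len(sid)} bytes, max {MAX_SESSION_ID_LEN}")
        if len(ms) != MASTER_SECRET_LEN:
            raise ValueError(f"line {lineno}: master secret is {len(ms)} bytes, need {MASTER_SECRET_LEN}")
        secrets[sid] = ms
    return secrets


def lookup_master_secret(secrets: Dict[bytes, bytes], server_hello_session_id: bytes) -> Optional[bytes]:
    """Return the master secret for the session ID seen in the capture's ServerHello,
    or None when the file has no entry for it (then nothing can be decrypted)."""
    return secrets.get(server_hello_session_id)


if __name__ == "__main__":
    table = parse_keylog(SAMPLE_KEYLOG)
    sid = bytes.fromhex("D5407D99D48D4D094871F9938EF28F284C80ADA4F86EA96E75AB8E4E9374C7D6")
    ms = lookup_master_secret(table, sid)
    print("master secret found:", ms is not None, "length:", len(ms) if ms else 0)
```

Once the text validates, save it to a file and point Edit->Preferences->Protocols->SSL->"(Pre)-Master-Secret log filename:" at it; the RSA keys list in the same dialog expects a PEM private key, which is why feeding it this file produced the "can't import pem data" error in the question. For batch work, tshark reads the same preference as -o ssl.keylog_file:/path/to/file together with -r capture.pcap (newer releases name the preference tls.keylog_file). A None result from lookup_master_secret for the Session-ID in your ServerHello means the capture and the memory dump are from different sessions, and no amount of restarting will decrypt that stream.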
