This is our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

I am attempting to decrypt SSL and have the pem file included but I am not able to see the decrypted application data.

dissect_ssl enter frame #15 (first time)
  conversation = 0000000007C268B8, ssl_session = 0000000007C26EC8
  record: offset = 0, reported_length_remaining = 458
dissect_ssl3_record: content_type 23 Application Data
decrypt_ssl3_record: app_data len 453, ssl state 0x17
packet_from_server: is from server - FALSE
decrypt_ssl3_record: using client decoder
decrypt_ssl3_record: no decoder available
association_find: TCP port 34543 found 0000000000000000
association_find: TCP port 443 found 0000000006CF10C0

asked 09 Sep '13, 09:31

davidmoody

edited 09 Sep '13, 09:33

grahamb


There are three things you need to make sure of to make decryption work in Wireshark:

  • Provide the proper private key (check the ssl-debug log to see if it actually loaded OK)
  • Make sure the whole SSL handshake for this SSL session is in the tracefile (make sure you see the "Certificate" message from the server)
  • Check whether you're not using a Diffie-Hellman cipher (the cipher in the ServerHello message should not contain DHE or DH)

If that does not get you started, have a look at my Sharkfest presentation on troubleshooting SSL


answered 09 Sep '13, 22:00

SYN-bit
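The second and third checks in the answer above can be run directly against the server's cleartext handshake bytes. The following is an added example, not code from the answer or from Wireshark: it walks the TLS records, confirms that a ServerHello and a Certificate message are present, and flags a DH/DHE/ECDHE cipher suite. The function names, the small cipher suite table and the sample bytes are constructed for illustration; whether the private key loaded still has to be read from the ssl-debug log.

```python
import struct

# Subset of IANA cipher suite IDs, enough for the constructed samples below.
SUITES = {
    0x002F: "TLS_RSA_WITH_AES_128_CBC_SHA",
    0x0033: "TLS_DHE_RSA_WITH_AES_128_CBC_SHA",
    0xC013: "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA",
    0xC02F: "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
}
SERVER_HELLO, CERTIFICATE = 2, 11  # TLS handshake message types

def parse_server_flight(stream):
    """Return (handshake types seen, ServerHello cipher suite id or None)."""
    hs, pos = b"", 0
    while pos + 5 <= len(stream):
        ctype, _version, length = struct.unpack_from("!BHH", stream, pos)
        if ctype == 20:  # ChangeCipherSpec: later handshake data is encrypted
            break
        if ctype == 22:  # handshake record; a message may span several records
            hs += stream[pos + 5:pos + 5 + length]
        pos += 5 + length
    types, suite, pos = [], None, 0
    while pos + 4 <= len(hs):
        mtype, mlen = hs[pos], int.from_bytes(hs[pos + 1:pos + 4], "big")
        body = hs[pos + 4:pos + 4 + mlen]
        types.append(mtype)
        if mtype == SERVER_HELLO and len(body) >= 38:
            sid_len = body[34]  # follows version (2 bytes) and random (32)
            suite = int.from_bytes(body[35 + sid_len:37 + sid_len], "big")
        pos += 4 + mlen
    return types, suite

def triage(stream):
    """List reasons the server's RSA private key cannot decrypt this session."""
    types, suite = parse_server_flight(stream)
    problems = []
    if SERVER_HELLO not in types or CERTIFICATE not in types:
        problems.append("handshake incomplete in capture")
    name = SUITES.get(suite, "unknown")
    if "DH" in name:  # matches DH, DHE and ECDHE suites
        problems.append("DH/DHE key exchange: " + name)
    return problems

def sample_flight(suite, with_certificate=True):
    """Constructed server flight: ServerHello (empty session id) + Certificate."""
    hello = b"\x03\x01" + bytes(32) + b"\x00" + suite.to_bytes(2, "big") + b"\x00"
    msgs = [(SERVER_HELLO, hello)]
    if with_certificate:
        msgs.append((CERTIFICATE, b"dummy"))
    body = b"".join(bytes([t]) + len(m).to_bytes(3, "big") + m for t, m in msgs)
    return struct.pack("!BHH", 22, 0x0301, len(body)) + body
```

An empty list from `triage()` means the capture passes both checks; a capture that starts mid-session, like one containing only Application Data records, reports an incomplete handshake.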
