This is our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

I'm attempting to analyze a TLS capture containing numerous TCP sessions. It seems that I do have the correct certificate configured, considering that Wireshark is successfully decrypting at least some sessions not containing TLS session ticket replacements ("TLSv1: New Session Ticket, Change Cipher Spec, Finished"). I haven't yet figured out how to follow a TLS session containing a session ticket replacement. I've tried Wireshark v1.10.6 (Linux) and v1.12.1 (Linux and Windows 7).

I have my pem configured under Edit -> Preferences -> Protocols -> SSL -> RSA keys list. I've used editcap to remove duplicate packets. I've tried using a custom compiled version containing every option that might be relevant.

Bug 5963 indicates that this capability is at least present in Wireshark 1.6.x for Windows 7. Is this capability not in Wireshark v1.10.6 or v1.12.1 for Linux? If so, how do I enable this feature? If not, are there other tools that are (ssldump doesn't seem to have that ability)?

Thank you in advance for any help any of you can provide,

Andrew

asked 27 Oct '14, 20:07


Andrew Immerman

edited 27 Oct '14, 20:41


I did a brief test with 1.12.1 on Win7, with the capture file attached to bug 5963. While using the file tls_session_ticket_enabled.pcap with the included keying material, I can see in the SSL debug file that Wireshark is able to decrypt the session. Using "Follow SSL Stream" on TCP stream 4, which is using a session ticket, shows the decrypted data. So, decrypting the data works, but there seems to be a problem viewing the decrypted data as HTTP in the GUI. Whether that's a bug or not: I don't know. Please update the bug with your findings and possibly a link to your question.

Output of "Follow SSL Stream":

GET /gb/images/b_8d5afc09.png HTTP/1.1
Host: ssl.gstatic.com
User-Agent: Mozilla/5.0 (Windows NT 6.1; rv:7.0.1) Gecko/20100101 Firefox/7.0.1
Accept: image/png,image/*;q=0.8,*/*;q=0.5
Accept-Language: en-gb,en;q=0.5
Accept-Encoding: gzip, deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Connection: keep-alive
Referer: https://www.google.com/

HTTP/1.1 200 OK
Content-Type: image/png
Last-Modified: Wed, 28 Sep 2011 03:00:23 GMT

Regards
Kurt


answered 28 Oct '14, 02:40


Kurt Knochner ♦
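The question and answer both hinge on telling which TCP streams in a capture use RFC 5077 session tickets: the server flight Wireshark summarises as "New Session Ticket, Change Cipher Spec, Finished", and a later ClientHello that presents the ticket for resumption. The following is an added example, not code from the thread or from Wireshark: a small parser for the cleartext part of one direction of a TLS 1.0-1.2 stream that reports the handshake messages it sees, flags the session_ticket extension (type 0x0023) in a ClientHello, and decodes the lifetime hint and ticket length of a NewSessionTicket. The sample byte strings (CLIENT_FIRST, CLIENT_RESUME, SERVER_TICKET_FLIGHT) are constructed here, not taken from tls_session_ticket_enabled.pcap; to use it on real traffic, feed it the reassembled TCP payload of each direction (for instance exported from Follow TCP Stream).

```python
import struct

# Added example: classify the cleartext records of one direction of a TLS stream
# so streams that depend on RFC 5077 session tickets can be picked out for triage.

CONTENT_TYPES = {20: "ChangeCipherSpec", 21: "Alert", 22: "Handshake", 23: "ApplicationData"}
HANDSHAKE_TYPES = {1: "ClientHello", 2: "ServerHello", 4: "NewSessionTicket", 11: "Certificate",
                   14: "ServerHelloDone", 16: "ClientKeyExchange", 20: "Finished"}
EXT_SESSION_TICKET = 0x0023  # RFC 5077 SessionTicket TLS extension type


def iter_records(data):
    """Yield (content_type, version, body) for each TLS record in one direction."""
    off = 0
    while off + 5 <= len(data):
        ctype, version, length = struct.unpack("!BHH", data[off:off + 5])
        body = data[off + 5:off + 5 + length]
        if len(body) < length:
            raise ValueError("truncated TLS record")
        yield ctype, version, body
        off += 5 + length


def iter_handshakes(body):
    """Yield (handshake_type, message) for each handshake message in a cleartext record."""
    off = 0
    while off + 4 <= len(body):
        htype = body[off]
        hlen = int.from_bytes(body[off + 1:off + 4], "big")
        yield htype, body[off + 4:off + 4 + hlen]
        off += 4 + hlen


def client_hello_extensions(msg):
    """Return [(ext_type, ext_data)] from a ClientHello body (RFC 5246 section 7.4.1.2 layout)."""
    off = 2 + 32                                            # client_version + random
    off += 1 + msg[off]                                     # session_id<0..32>
    off += 2 + struct.unpack("!H", msg[off:off + 2])[0]     # cipher_suites<2..2^16-2>
    off += 1 + msg[off]                                     # compression_methods<1..2^8-1>
    exts = []
    if off + 2 > len(msg):                                  # extensions block is optional
        return exts
    end = off + 2 + struct.unpack("!H", msg[off:off + 2])[0]
    off += 2
    while off + 4 <= end:
        etype, elen = struct.unpack("!HH", msg[off:off + 4])
        exts.append((etype, msg[off + 4:off + 4 + elen]))
        off += 4 + elen
    return exts


def summarize_direction(data):
    """List what one direction carries; handshake bodies after ChangeCipherSpec are encrypted."""
    events, encrypted = [], False
    for ctype, _version, body in iter_records(data):
        if ctype == 20:
            encrypted = True
            events.append("ChangeCipherSpec")
        elif ctype == 22 and encrypted:
            events.append("Handshake (encrypted, e.g. Finished)")
        elif ctype == 22:
            for htype, msg in iter_handshakes(body):
                name = HANDSHAKE_TYPES.get(htype, f"handshake type {htype}")
                if htype == 1:
                    for etype, edata in client_hello_extensions(msg):
                        if etype == EXT_SESSION_TICKET:
                            name += (" + session_ticket ext (empty: asks for a ticket)" if not edata
                                     else f" + session_ticket ext ({len(edata)}-byte ticket: resumption attempt)")
                elif htype == 4:  # NewSessionTicket: uint32 lifetime_hint, opaque ticket<0..2^16-1>
                    lifetime, tlen = struct.unpack("!IH", msg[:6])
                    name += f" (lifetime_hint={lifetime}s, {tlen}-byte ticket)"
                events.append(name)
        else:
            events.append(CONTENT_TYPES.get(ctype, f"content type {ctype}"))
    return events


# --- constructed sample bytes (hypothetical, not from a real capture) ---
def record(ctype, body):
    return struct.pack("!BHH", ctype, 0x0303, len(body)) + body

def handshake(htype, msg):
    return bytes([htype]) + len(msg).to_bytes(3, "big") + msg

def client_hello(ticket=b""):
    ext = struct.pack("!HH", EXT_SESSION_TICKET, len(ticket)) + ticket
    return (b"\x03\x03" + bytes(32) + b"\x00" + b"\x00\x02\x00\x2f" + b"\x01\x00"
            + struct.pack("!H", len(ext)) + ext)

CLIENT_FIRST = record(22, handshake(1, client_hello()))                    # fresh hello, wants a ticket
CLIENT_RESUME = record(22, handshake(1, client_hello(ticket=b"\xaa" * 8)))  # presents a ticket
SERVER_TICKET_FLIGHT = (record(22, handshake(4, struct.pack("!IH", 3600, 8) + b"\xaa" * 8))
                        + record(20, b"\x01")
                        + record(22, b"\x00" * 16))  # Finished is encrypted; body is opaque here

if __name__ == "__main__":
    for label, data in [("client", CLIENT_FIRST), ("client (resume)", CLIENT_RESUME),
                        ("server", SERVER_TICKET_FLIGHT)]:
        print(label, summarize_direction(data))
```

A stream whose server direction shows NewSessionTicket followed by ChangeCipherSpec is the case the question is about: the RSA private key alone decrypts that first full handshake, but a later stream whose ClientHello carries a non-empty ticket is resumed from state the server encrypted into the ticket, so the dissector has to have seen (and decrypted) the earlier handshake in the same capture to recover its keys.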
