This is our old Q&A Site. Please post any new questions and answers at

No matter what I tried, the Follow SSL Stream is always greyed out, even though I can see and recognize some trace elements under Follow TCP Stream, e.g. parts of the certificate sent from client to server. I have server key.

I am running on a CentOS box, and wireshark -v gives me the following:

wireshark 1.10.8 (Git Rev Unknown from unknown)

Copyright 1998-2014 Gerald Combs [email protected] and contributors. This is free software; see the source for copying conditions. There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.

Compiled (64-bit) with GTK+ 2.20.1, with Cairo 1.8.8, with Pango 1.28.1, with GLib 2.26.1, with libpcap, with libz 1.2.3, without POSIX capabilities, without libnl, without SMI, without c-ares, without ADNS, without Lua, without Python, with GnuTLS 2.8.5, with Gcrypt 1.4.5, with MIT Kerberos, without GeoIP, without PortAudio, with AirPcap.

Running on Linux 2.6.32-431.29.2.el6.x86_64, with locale en_US.UTF-8, with libpcap version 1.4.0, with libz 1.2.3, GnuTLS 2.8.5, Gcrypt 1.4.5, without AirPcap. Intel(R) Pentium(R) CPU 2127U @ 1.90GHz

Built using gcc 4.4.7 20120313 (Red Hat 4.4.7-4).

My SSL debug log has following:

Wireshark SSL debug log

ssl_association_remove removing TCP 0 - http handle 0x1180450 Private key imported: KeyID 49:0f:97:17:a5:1d:a4:4d:a9:d7:a4:d3:58:5e:0f:e4:... ssl_load_key: swapping p and q parameters and recomputing u ssl_init IPv4 addr '' ( port '0' filename '/home/cemil/keytests/44DCCDD7.pem' password(only for p12 file) '' ssl_init private key file /home/cemil/keytests/44DCCDD7.pem successfully loaded. association_add TCP port 0 protocol http handle 0x1180450

So, it looks like key file is OK.

To ensure that I have the complete trace, I started wireshark capture before I started my server and browser (both on same machine).

BTW, I also tried port 443, but I read somewhere that port 0 can be used as a wildcard.

I can see what looks like the encrypted dialog in the captured logs, but the Follow SSL Stream is always greyed out, hence I cannot see the decrypted traffic.

What am I doing wrong?


asked 30 Oct '14, 10:37

CemilB's gravatar image

accept rate: 0%

hence I cannot see the decrypted traffic.

can you see the decrypted traffic in the debug log (search for GET or POST)?

(31 Oct '14, 01:42) Kurt Knochner ♦

What I could see so far, the "Follow SSL Stream" option is only greyed out if you selected a frame in the TCP stream that is not shown as SSL or TLS in the protocol column, like (SYN, SYN-ACK, ACKs). For all other frames (marked as SSL/TLS), the option is not greyed out, even if Wireshark failed to decrypt the session. In the later case, you will see no result, but the option is still there.

So, did you really click on a SSL/TLS frame, before you tried to use "Follow SSL Stream"?


permanent link

answered 31 Oct '14, 03:27

Kurt%20Knochner's gravatar image

Kurt Knochner ♦
accept rate: 15%

edited 31 Oct '14, 03:39

Thanks, Kurt. Eventually, I could see the "Follow SSL Stream", when I used the correct port address, which was 9031. While I am past that problem, I still have a related questions: I read somewhere that I could use "0" as a wild port address (I assume that all ports are assumed to be SSL on selected interface). So, that must be incorrect. Can you confirm and set record straight?

Also, I read somewhere else that one could use start_tls for protocol? Is that correct?

Thanks, again.

(31 Oct '14, 06:41) CemilB
Your answer
toggle preview

Follow this question

By Email:

Once you sign in you will be able to subscribe for any updates here



Answers and Comments

Markdown Basics

  • *italic* or _italic_
  • **bold** or __bold__
  • link:[text]( "title")
  • image?![alt text](/path/img.jpg "title")
  • numbered list: 1. Foo 2. Bar
  • to add a line break simply add two spaces to where you would like the new line to be.
  • basic HTML tags are also supported

Question tags:


question asked: 30 Oct '14, 10:37

question was seen: 4,909 times

last updated: 31 Oct '14, 06:41

p​o​w​e​r​e​d by O​S​Q​A