This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

Follow SSL Stream always greyed out.

0

No matter what I tried, the Follow SSL Stream is always greyed out, even though I can see and recognize some trace elements under Follow TCP Stream, e.g. parts of the certificate sent from client to server. I have the server key.

I am running on a CentOS box, and wireshark -v gives me the following:

wireshark 1.10.8 (Git Rev Unknown from unknown)

Copyright 1998-2014 Gerald Combs [email protected] and contributors. This is free software; see the source for copying conditions. There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.

Compiled (64-bit) with GTK+ 2.20.1, with Cairo 1.8.8, with Pango 1.28.1, with GLib 2.26.1, with libpcap, with libz 1.2.3, without POSIX capabilities, without libnl, without SMI, without c-ares, without ADNS, without Lua, without Python, with GnuTLS 2.8.5, with Gcrypt 1.4.5, with MIT Kerberos, without GeoIP, without PortAudio, with AirPcap.

Running on Linux 2.6.32-431.29.2.el6.x86_64, with locale en_US.UTF-8, with libpcap version 1.4.0, with libz 1.2.3, GnuTLS 2.8.5, Gcrypt 1.4.5, without AirPcap. Intel(R) Pentium(R) CPU 2127U @ 1.90GHz

Built using gcc 4.4.7 20120313 (Red Hat 4.4.7-4).

My SSL debug log has the following:

Wireshark SSL debug log

ssl_association_remove removing TCP 0 - http handle 0x1180450
Private key imported: KeyID 49:0f:97:17:a5:1d:a4:4d:a9:d7:a4:d3:58:5e:0f:e4:...
ssl_load_key: swapping p and q parameters and recomputing u
ssl_init IPv4 addr '127.0.0.1' (127.0.0.1) port '0' filename '/home/cemil/keytests/44DCCDD7.pem' password(only for p12 file) ''
ssl_init private key file /home/cemil/keytests/44DCCDD7.pem successfully loaded.
association_add TCP port 0 protocol http handle 0x1180450

So, it looks like the key file is OK.

To ensure that I have the complete trace, I started wireshark capture before I started my server and browser (both on same machine).

BTW, I also tried port 443, but I read somewhere that port 0 can be used as a wildcard.

I can see what looks like the encrypted dialog in the captured logs, but the Follow SSL Stream is always greyed out, hence I cannot see the decrypted traffic.

What am I doing wrong?

Thanks.

asked 30 Oct '14, 10:37


CemilB
accept rate: 0%

hence I cannot see the decrypted traffic.

Can you see the decrypted traffic in the debug log (search for GET or POST)?

(31 Oct '14, 01:42) Kurt Knochner ♦

One Answer:

0

From what I could see so far, the "Follow SSL Stream" option is only greyed out if you selected a frame in the TCP stream that is not shown as SSL or TLS in the protocol column (like SYN, SYN-ACK, ACKs). For all other frames (marked as SSL/TLS), the option is not greyed out, even if Wireshark failed to decrypt the session. In the latter case, you will see no result, but the option is still there.

So, did you really click on an SSL/TLS frame before you tried to use "Follow SSL Stream"?

Regards
Kurt

answered 31 Oct '14, 03:27


Kurt Knochner ♦
accept rate: 15%

edited 31 Oct '14, 03:39

Thanks, Kurt. Eventually, I could see the "Follow SSL Stream" when I used the correct port address, which was 9031. While I am past that problem, I still have a related question: I read somewhere that I could use "0" as a wildcard port address (I assume that all ports are then assumed to be SSL on the selected interface). So, that must be incorrect. Can you confirm and set the record straight?

Also, I read somewhere else that one could use start_tls for the protocol? Is that correct?

Thanks, again.

(31 Oct '14, 06:41) CemilB
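An added example (not from the original thread or from Wireshark itself) that automates the two checks discussed above: whether the RSA key was loaded and bound to a usable port, and, as Kurt suggests, whether any decrypted HTTP request (GET/POST) shows up in the SSL debug log. The sample log lines are constructed to follow the format of the snippet quoted in the question.

```python
import re

# Constructed sample debug log; the format follows the snippet quoted in the
# question, but these lines are made up for this example.
DEBUG_LOG_PORT0 = """\
Wireshark SSL debug log
ssl_association_remove removing TCP 0 - http handle 0x1180450
ssl_init IPv4 addr '127.0.0.1' (127.0.0.1) port '0' filename '/home/cemil/keytests/44DCCDD7.pem' password(only for p12 file) ''
ssl_init private key file /home/cemil/keytests/44DCCDD7.pem successfully loaded.
association_add TCP port 0 protocol http handle 0x1180450
"""

# Second constructed sample: same key bound to the real server port (9031, as
# in the follow-up comment) and a decrypted HTTP request visible in the log.
DEBUG_LOG_OK = DEBUG_LOG_PORT0.replace("port '0'", "port '9031'").replace(
    "TCP port 0", "TCP port 9031") + "GET /index.html HTTP/1.1\n"

KEY_LOADED_RE = re.compile(r"^ssl_init private key file (\S+) successfully loaded\.$")
ASSOC_RE = re.compile(r"^association_add TCP port (\d+) protocol (\S+)")
HTTP_REQ_RE = re.compile(r"\b(?:GET|POST|HEAD|PUT)\s+\S+\s+HTTP/1\.[01]")


def triage_ssl_debug_log(text):
    """Summarise an SSL debug log: which key files loaded, which port/protocol
    they were bound to, and how many decrypted HTTP request lines appear."""
    report = {"keys": [], "associations": [], "requests": 0, "hints": []}
    for line in text.splitlines():
        if m := KEY_LOADED_RE.match(line):
            report["keys"].append(m.group(1))
        elif m := ASSOC_RE.match(line):
            report["associations"].append((int(m.group(1)), m.group(2)))
        elif HTTP_REQ_RE.search(line):
            report["requests"] += 1
    ports = {port for port, _ in report["associations"]}
    if 0 in ports:
        report["hints"].append("key bound to port 0: bind it to the real server port instead")
    if report["keys"] and report["requests"] == 0:
        # A loaded key is not enough: the port/protocol must match, the capture
        # must contain the full handshake, and the cipher suite must use RSA
        # key exchange (DHE/ECDHE sessions cannot be decrypted with the server key).
        report["hints"].append("key loaded but nothing decrypted: check port/protocol, "
                               "capture the full handshake, and use an RSA key-exchange cipher")
    return report


if __name__ == "__main__":
    for name, log in (("port 0", DEBUG_LOG_PORT0), ("port 9031", DEBUG_LOG_OK)):
        print(name, triage_ssl_debug_log(log))
```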