This is our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

Hi everyone,

in my client/server application I'm sending some MMS packets ecnrypted in the TLS session. I'm able to decrypt the TLS data, and take a look at the plain text in the segments with the "Follow SSL stream" function (according to the instructions in https://ask.wireshark.org/questions/4229/follow-ssl-stream-using-master-key-and-session-id).

I'm looking for a way to present the MMS data properly, with the common protocol structure visualization, not only a textual presentation.

alt text

I would like to see the MMS protocol menu instead of "Encrypted Application Data"

I've already tried with no success what has been write here: https://ask.wireshark.org/questions/6298/wireshark-cannot-dissect-mms-packets-that-dont-begin-with-initiate

I'm using Wireshark 1.12.

Marc

asked 03 Nov '14, 07:34

Marc184's gravatar image

Marc184
31114
accept rate: 100%

edited 04 Nov '14, 06:20

Update

I've tried the rsa private key approach to decrypt the TLS session, by giving to wireshark the rsa private keys in .pem files, plus ip address and tcp port of the sniffed machines, and the indication of the application protocol used, MMS.

I've also mantained the previous SSL settings (tls session id and rsa pre master secret in .log files)

In the picture you can see what I've obtained:

alt text

In the SSL stream I can see the decrypted session correctly, but wireshark can't reconstruct the MMS pdu.

Any ideas?

(04 Nov '14, 05:02) Marc184

I converted your Answer to a Comment since it doesn't appear to be an answer to your question. (Remember that this is a Q&A site, not a forum.)

(05 Nov '14, 07:50) JeffMorriss ♦

Tahnks, you're right, I'm sorry for the mistake.

(06 Nov '14, 00:16) Marc184

I found the solution!

In the SSL protocol preferences -> RSA keys list -> Edit the protocol I choosed was wrong. The correct one is tpkt, not mms. Now I can see all the decrypted MMS structured payload.

alt text

SOLUTION RECAP

  • create a .log file with SSL session id and pre master secret key. Use the format:

    RSA Session-ID:xxxx Master-Key:xxxx
    

don't forget the CRLF at the end of the line. You should obtain something like:

    RSA Session-ID:B5AEB800F43F96A9BAD007A5D26423E43479B904166FA72A4789DEA15A830E26 Master-Key:454AD3030F0AE8234508DF959EF533675E225BBB388EE5F80A20A007BAB63E1ABB972F39401796FB02F27AF95AB083A4

(one line only)

Go to SSL protocol preferences.

  • Link the .log file you've created in the (Pre)-master secret log filename form

  • For this step we need the private keys of machines involved in the SSL session.

The .pem file with the private key should look like this:

    -----BEGIN RSA PRIVATE KEY-----
    MIIEpAIBAAKCAQEAtIvaDmeOGleYuxT01GfAmgugHVlqCOFfGYqy3gxMWt/fxO/7
    s7BJzqnhAFOWBjmBAdj7hHmPyCoJM7/MdCDJt1y7d20BJAGxD0ZQ4kxzGZDCjc5z
    ....... some 20-100 lines of base64 encoded data ...............
    Jh2kZkKoVG3Qr+66IlBDuVllIbwQU0F1fYy2FTjZL4vbmdupwHUyTnPK57vP8RJ7
    cpc1qwLZxfurxZfhI9gxXOO5eUg1WBupw029SSoSafYBqO4a9wg1OA==
    -----END RSA PRIVATE KEY-----

If the .pem file format is:

    -----BEGIN RSA PRIVATE KEY-----
    Proc-Type: 4,ENCRYPTED
    DEK-Info: DES-EDE3-CBC,CB7BE7B5A318ACE6

    ScuaEtGA1xy7iVvvntc4hZ9Kl0VOKmA9sOcfP1CnrUVpAuLoHPEXTsc10smlXwsl
     [...]
    yy7ANfGCZTWaWP89uOIwlXK0n8hHZjTjw5axBuWXvgWHNbvein7tsg==
    -----END RSA PRIVATE KEY-----

the key is protected with a passphrase, and wireshark can't decipher it. We have to create a plain text key file. We can use openssl:

    openssl rsa -in < old-keyfile > -out < new-keyfile >

when asked, insert the passphrase you used to create the original .pem file.

Now go to RSA keys list->Edit and create 2 rules, one for each "way" of the SSL communication. Insert the Ip address of the sender, the TCP port, the application protocol used (TKPT in this case) and the private key plain text .pem file

At this point you will be able to see corretly the decrypted MMS structured pdu, not only the deciphered data in the Follow SSL stream function .

References:

permanent link

answered 06 Nov '14, 03:08

Marc184's gravatar image

Marc184
31114
accept rate: 100%

edited 06 Nov '14, 03:16

Your answer
toggle preview

Follow this question

By Email:

Once you sign in you will be able to subscribe for any updates here

By RSS:

Answers

Answers and Comments

Markdown Basics

  • *italic* or _italic_
  • **bold** or __bold__
  • link:[text](http://url.com/ "title")
  • image?![alt text](/path/img.jpg "title")
  • numbered list: 1. Foo 2. Bar
  • to add a line break simply add two spaces to where you would like the new line to be.
  • basic HTML tags are also supported

Question tags:

×319
×75
×34
×12

question asked: 03 Nov '14, 07:34

question was seen: 2,790 times

last updated: 06 Nov '14, 03:16

p​o​w​e​r​e​d by O​S​Q​A