This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

Private PC - need to decipher data

0

Hi, need help. I've been capturing data for a while now and need to analyse it, but need to decrypt it. Could someone please show me where or explain the procedure step by step (dummy style) so that I will be able to read the data in a more English format. Is this possible? Have had IT experience, but more in software development rather than this side. My internet activity shot up and that is why I am investigating.

TIA

asked 04 Dec '14, 11:59


Der
accept rate: 0%

There are several protocols that encrypt data: 802.11 encrypts it on "protected" networks (networks using WEP or WPA/WPA2), SSL encrypts it when used for services such as HTTP ("https") and mail, and so on. What form of encryption are you seeing?

(04 Dec '14, 17:34) Guy Harris ♦♦

Will answer tomorrow with an example, thanks.

(06 Dec '14, 03:01) Der

Can't upload image but this is a typed copy: TLSv1.2 Record Layer: Handshake Protocol: Encrypted Handshake Message. Then follows a lot of hex chars on the left and other characters on the right; the only understandable characters on the right are "http" in this case. Many other examples as well, including "application data". What I'd like is for all that data (left / right) to be decoded if possible.

Basically, if possible I'd like to see as much of my normal internet activity decoded and readable, as I seem to have much more activity going on than I should have! Plain PC via wireless modem to a few web pages and a few product updates. In my IP stats I see sites that, as far as my activity is concerned, I shouldn't have gone near, so I want to see what is happening if I can... Thinking of just blocking all these sites via host, but would like to investigate if possible. Thanks, hope this helps you help me :)

(06 Dec '14, 11:12) Der

One Answer:

1

OK, that's SSL/TLS encryption.

Wireshark can, in some cases, decrypt that; see the SSL page in the Wireshark Wiki for some information on how to do that.

It cannot, however, always decrypt it. You may have to use a proxy tool, such as Fiddler, to see some of it.

answered 06 Dec '14, 12:04


Guy Harris ♦♦
accept rate: 19%
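To illustrate what the answer means by "in some cases": only the 5-byte TLS record headers and the initial handshake (including the SNI hostname in the ClientHello) are readable without keys, while the "Encrypted Handshake Message" and "Application Data" payloads the asker sees stay ciphertext unless the session keys are available to Wireshark. The following parser is an added example, not code from the original thread or from Wireshark; the ClientHello it parses is constructed inline as sample input, not a real capture.

```python
import struct

# TLS record-layer content types and versions (RFC 5246); these bytes are always plaintext
CONTENT_TYPES = {20: "ChangeCipherSpec", 21: "Alert", 22: "Handshake", 23: "Application Data"}
VERSIONS = {0x0301: "TLS 1.0", 0x0302: "TLS 1.1", 0x0303: "TLS 1.2"}

def parse_records(data):
    """Split a TLS byte stream into (type, version, payload) records; stops on truncation."""
    records, pos = [], 0
    while pos + 5 <= len(data):
        ctype, version, length = struct.unpack("!BHH", data[pos:pos + 5])
        payload = data[pos + 5:pos + 5 + length]
        if len(payload) < length:
            break  # truncated capture: stop rather than misparse the tail
        records.append((CONTENT_TYPES.get(ctype, "Unknown"), VERSIONS.get(version, hex(version)), payload))
        pos += 5 + length
    return records

def client_hello_sni(payload):
    """Return the server_name from a ClientHello, or None. SNI is sent in the clear in TLS 1.2,
    so the destination hostname is visible even though the later records are encrypted."""
    if len(payload) < 38 or payload[0] != 1:  # handshake type 1 = ClientHello
        return None
    pos = 4 + 2 + 32                                          # handshake header, version, random
    pos += 1 + payload[pos]                                   # session_id
    pos += 2 + struct.unpack("!H", payload[pos:pos + 2])[0]   # cipher_suites
    pos += 1 + payload[pos]                                   # compression_methods
    if pos + 2 > len(payload):
        return None                                           # no extensions block
    ext_end = pos + 2 + struct.unpack("!H", payload[pos:pos + 2])[0]
    pos += 2
    while pos + 4 <= ext_end:
        ext_type, ext_len = struct.unpack("!HH", payload[pos:pos + 4])
        pos += 4
        if ext_type == 0:  # server_name: list_len(2) name_type(1) name_len(2) name
            name_len = struct.unpack("!H", payload[pos + 3:pos + 5])[0]
            return payload[pos + 5:pos + 5 + name_len].decode("ascii")
        pos += ext_len
    return None

def build_client_hello(hostname):
    """Construct a minimal TLS 1.2 ClientHello record carrying an SNI extension (sample input)."""
    name = hostname.encode()
    sni = struct.pack("!HH", 0, len(name) + 5) + struct.pack("!HBH", len(name) + 3, 0, len(name)) + name
    body = b"\x03\x03" + b"\x00" * 32 + b"\x00" + struct.pack("!H", 2) + b"\xc0\x2f" + b"\x01\x00"
    body += struct.pack("!H", len(sni)) + sni
    hs = b"\x01" + len(body).to_bytes(3, "big") + body
    return struct.pack("!BHH", 22, 0x0303, len(hs)) + hs

# Constructed stream: one ClientHello followed by a 4-byte Application Data record (opaque ciphertext)
SAMPLE = build_client_hello("example.com") + struct.pack("!BHH", 23, 0x0303, 4) + b"\xde\xad\xbe\xef"

def summarize(data):
    """Per record: type, version, payload length, and SNI where a ClientHello exposes it."""
    return [(t, v, len(p), client_hello_sni(p) if t == "Handshake" else None) for t, v, p in parse_records(data)]
```

Running `summarize(SAMPLE)` shows the hostname from the ClientHello and only the length of the Application Data record, which is exactly the split between what a capture reveals on its own and what needs the key log or an intercepting proxy such as Fiddler.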

Much appreciated, thanks.

(06 Dec '14, 16:33) Der