This is our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

Hi - I've been trying to decrypt an SSL stream from a single client to one of our servers. Since I was unable to decode it, I thought it may have been as a result of DH key negotiation, but the trace I took just seemed too odd.

You can see that packet 11 is summarized by Wireshark (1.4.6) as 'Ignored Unknown Record' at the point where I would expect 'Server Hello'

The capture was taken on the Linux box which acts as a load balancer in our network, so it's right bang in the middle of the data path between client and server. Commandline:

tcpdump -i bond0.397 -n host 46.51.172.223 and port 443 -s 1500 -w out.cap

Here is the capture: http://194.24.251.10/oddssl.cap

asked 01 Jun '11, 15:03

gdhgdh's gravatar image

gdhgdh
6113
accept rate: 0%

edited 01 Jun '11, 15:09


You used a snaplength of 1500, while packets can be 1514 bytes (or 1518 when the FCS is not stripped by the NIC). As you can see in the frame-header, 14 bytes were lost, so Wireshark is not able to do reassembly.

permanent link

answered 01 Jun '11, 22:51

SYN-bit's gravatar image

SYN-bit ♦♦
17.1k957245
accept rate: 20%

<blush> I feel very silly. Thank you for pointing the snaplen out.

FWIW my theory about DH key exchange was right, and now I have the proof. Trebles all round =)

(02 Jun '11, 10:58) gdhgdh

No Worries, we all have our less ingenious moments ;-)

About the DH key exchange, you are indeed not able to decrypt them with the server key. However, Chrome and Firefox can now be built with SSL debugging on, so that it saves the pre-master secrets to file and you can import them in Wireshark.

Another possibility is to (temporarily) disable all DH cipers on the server side so that a non-DH gets chosen so you can do your troubleshooting on the decrypted traffic.

(02 Jun '11, 13:03) SYN-bit ♦♦
Your answer
toggle preview

Follow this question

By Email:

Once you sign in you will be able to subscribe for any updates here

By RSS:

Answers

Answers and Comments

Markdown Basics

  • *italic* or _italic_
  • **bold** or __bold__
  • link:[text](http://url.com/ "title")
  • image?![alt text](/path/img.jpg "title")
  • numbered list: 1. Foo 2. Bar
  • to add a line break simply add two spaces to where you would like the new line to be.
  • basic HTML tags are also supported

Question tags:

×319
×62
×2

question asked: 01 Jun '11, 15:03

question was seen: 18,489 times

last updated: 02 Jun '11, 13:03

p​o​w​e​r​e​d by O​S​Q​A