Hi all: My Wireshark version is 1.12.5. I captured DTLS packets (pre-shared key). Wireshark is able to show the decrypted payload, but since the payload is another protocol, I'd like to export it into another pcap and use Wireshark to analyze it. I've learned that I could use the "Export PDUs" functionality to do that, as explained here: https://www.wireshark.org/lists/wireshark-users/201407/msg00038.html However, after I select "Export PDUs" with the OSI Layer 7 option, no packets show up. Does anyone know why? Thanks, Lei asked 18 Jun '15, 21:20 Lei Sun
One Answer:
Wireshark 1.12 can only export deciphered packets for which a sub-dissector handle (the "protocol" field in the preferences window) is configured. Presumably you did not fill in any. Wireshark v1.99.8rc0-121-gcdc7d25 and later now also supports the export of captures using heuristic sub-dissectors. It can be downloaded from https://www.wireshark.org/download/automated/ If your payload is for a protocol not currently supported by Wireshark, be sure to configure the "data" dissector as the protocol so that the payload is exported. answered 24 Jun '15, 17:27 Pascal Quantin
I just tested the functionality with Wireshark 1.12.5 and the DTLS sample pcap found on the wiki https://wiki.wireshark.org/DTLS and it works fine. Could you give this example a try and confirm it works for you?
I tried it and it didn't work with snakeoil-dtls.pcap. The procedure is: open snakeoil-dtls.pcap, select "File -> Export PDUs to file", and then select "OSI layer 7" in the dialog box. Wireshark shows no packets afterwards.
Wireshark version: Version 1.12.5 (v1.12.5-0-g5819e5b from master-1.12)
Well, it definitely does work for me as long as I configure the decryption properly: you end up with 4 data packets in the new window.
Did you set the RSA configuration to IP address: 127.0.0.1, Port: 4433, Protocol: data, Key File: /path/to/snakeoil-rsa.key as explained in the wiki?
Sorry, I forgot to configure the decryption. I did, and it worked with the sample capture. However, it still doesn't work with my capture, which uses a pre-shared key instead of RSA. I mean I can see the decrypted packet content in the "Decrypted DTLS record" tab of Wireshark, but exporting PDUs still gives me no packets.
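The working RSA case from the answer above, done from the command line as an added example (not code from the thread or from the Wireshark project): the key-list record names the "data" dissector as the protocol that receives the decrypted bytes, and the same "OSI layer 7" tap that the GUI's Export PDUs dialog uses writes the result to a new pcap. It assumes a tshark that exposes the Export PDU tap as `-U` (2.x or later) and the wiki's snakeoil-dtls.pcap and snakeoil-rsa.key in the working directory.

```shell
# Build one record for Wireshark's DTLS "RSA keys list" table. On disk this table is the
# UAT named dtlsdecrypttablefile; its fields are IP address, port, the protocol that
# receives the decrypted bytes, the key file, and the key password (empty for
# snakeoil-rsa.key). Leaving the protocol field empty is exactly what makes
# Export PDUs come back empty in 1.12, so this function always requires it.
dtls_uat_record() {
    printf '"%s","%s","%s","%s",""' "$1" "$2" "$3" "$4"
}

# Export the decrypted layer-7 PDUs of a DTLS capture to a new pcap. The key-list
# record is passed on the command line, so the user's own profile is left untouched.
# Arguments: input pcap, RSA key file, output pcap.
export_l7_pdus() {
    in_pcap=$1; key_file=$2; out_pcap=$3
    rec=$(dtls_uat_record 127.0.0.1 4433 data "$key_file")
    tshark -r "$in_pcap" -o "uat:dtlsdecrypttablefile:$rec" -U "OSI layer 7" -w "$out_pcap"
}

# Count the frames in the exported file; the thread reports 4 for snakeoil-dtls.pcap.
count_frames() {
    tshark -r "$1" -T fields -e frame.number | wc -l | tr -d ' '
}

# Usage (tshark must be installed; the wiki sample files are assumed to be present):
#   export_l7_pdus snakeoil-dtls.pcap snakeoil-rsa.key snakeoil-l7.pcap
#   count_frames snakeoil-l7.pcap
```

Open snakeoil-l7.pcap in Wireshark afterwards to confirm it holds only the cleartext application PDUs.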