Hello, I have a wireshark traffic file with AMQPS messages so encrypted with SSL/TLS. I have the private key in PEM format (RSA PRIVATE KEY) but I'm not able to create a new entry in the RSA key list because it warning me that dissector protocol 'amqp' on port 5671 isn't available. How can I decrypt AMQP traffic ? Thanks, Paolo asked 28 Aug '15, 07:27  ppatierno |
One Answer:
in the latest development release (1.99.x), the AMPQ dissector adds itself to the ssl dissector with port 5671 (see packet-ampq.c - ssl_dissector_add), so this should be possible if you try it with 1.99.x. BTW: Wireshark 1.12.x does not have that code, you it won't work with 1.12.x! What is your Wireshark version? See my answer to a similar question for some background information:
Regards answered 28 Aug '15, 07:48  Kurt Knochner ♦ edited 28 Aug '15, 08:14 |
I'm using 1.12.5
then it won't work. Please try 1.99.8
However I installed 1.99.8. I added the private key in the RSA key list without errors ... good. After loading the pcapng file with captured traffic I still see the encrypted traffic and not in clear ... it seems decryption isn't working. Do I need to execute some action ?
Thanks, Paolo
should work out of-the-box. Can you please provide the SSL debug file (see SSL preferences)? I guess you are using a cipher (DHE, DHCE), which cannot be decrypted with the RSA key.