This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

Decode with known PSK in DTLS

0

I have a Wireshark capture of implementations of the DTLS protocol. I have the PSK and I have converted it to the corresponding hex. DTLS uses the TLS_PSK_WITH_AES_128_CCM_8 cipher suite.

My question is: how can I get the encrypted data from Wireshark?

asked 28 Oct '15, 02:33

kalu
accept rate: 0%


One Answer:

0

To decrypt DTLS you don't need a PSK. What you need is the private key of the server, similar to SSL Decryption (actually it's technically the same).

Here are some online resources to start with:

http://wiki.wireshark.org/SSL
http://blogs.technet.com/b/nettracer/archive/2010/10/01/how-to-decrypt-an-ssl-or-tls-session-by-using-wireshark.aspx
http://www.youtube.com/watch?v=vQtur8fqErI

After that, please use the following sample capture file (includes the private key) to make some tests and then apply that to your environment:

https://wiki.wireshark.org/SampleCaptures#DTLS_with_decryption_keys

BTW: You'll have to add the RSA key for DTLS under

Edit -> Preferences -> Protocols -> DTLS

The Protocol field defines the protocol within DTLS, like SPDY or similar. If your protocol is unknown to the DTLS dissector (it will be flagged red if you try), please choose 'data'.

Decryption will work, but Wireshark won't be able to dissect the payload. In that case you can only see the decrypted data bytes in the packet bytes pane.

Regards
Kurt

answered 28 Oct '15, 09:26

Kurt Knochner ♦
accept rate: 15%

edited 28 Oct '15, 10:03

Hauke has added support for DTLS decryption using PSKs since v1.11.3-rc1-417-g0f05597, the preference should be visible at Preferences -> Protocols -> DTLS for 1.12 and newer. Wouldn't that work here?

(29 Oct '15, 02:42) Lekensteyn

Ah, you're right. I completely missed that enhancement! Thanks for the hint.

(29 Oct '15, 03:54) Kurt Knochner ♦