which version of the Wireshark will decrypt an ssh session asked 03 Apr '16, 19:56 srinu_bel edited 05 Apr '16, 02:39 sindy |
2 Answers:
No version of Wireshark will do that. answered 04 Apr '16, 04:50 Jaap ♦
If "decoding SSH section" means "decrypting SSH", that is not possible at the moment. See the SSH - Wireshark Wiki page. For decryption of SSH traffic to be possible, the key material must first be extracted from an SSH client or server. The private keyfiles are insufficient; the actual symmetric encryption keys are derived from a shared secret based on the DH key exchange. Note that unlike SSL, SSH does not define an RSA key exchange method, so in the case of SSH the RSA private key file will never be useful for traffic decryption. The private key file is used only for authentication purposes, not encryption.

Note that only the SSH payload (commands, passwords, file transfers, ...) is encrypted. Upper layers (TCP, IP, Ethernet, ...) are not suddenly encrypted, so you can still analyze TCP port numbers, sequence numbers, etc. Besides that you also have timing and size information which (for example) can be used to guess when a large file transfer has started.

answered 04 Apr '16, 12:39 Lekensteyn, edited 05 Apr '16, 01:38

Both server and client hosts are with me & required key files are also available... Even then, can't we decrypt the section by importing key info to Wireshark? If your reply is know why it is like so??? What is the challenge after having keys also with us? If we want to troubleshoot the performance of the TCP link on SSH, how can we do it, as port numbers / window size info is in encrypted format??? (04 Apr '16, 19:41) srinu_bel

Pl. read above line "If your reply is know why it is like so???" as... "If your reply is no, why it is like so???" Sorry, I am not good at English... (04 Apr '16, 19:44) srinu_bel

The key file is only used for authentication, not encryption. See the updated answer. (05 Apr '16, 01:38) Lekensteyn

@srinu_bel, if I understand your problem properly, you actually need to analyse a TCP session tunnelled through SSH, because the TCP headers (port numbers, window size etc.) of the TCP session carrying the SSH session itself are not encrypted. If I am mistaken and you only cannot see "TCP" and its summary information in the "Info" column in the packet list, simply disable SSH dissection (

If my guess is correct, you'll have to capture on the loopback interface. ssh allows you to make a local port N represent a remote socket X:Y; you then tell your application to connect to localhost:N instead of X:Y (which is inaccessible directly), and you have to capture at the loopback interface to analyze the TCP session using the tunnel. If your client application runs on Windows, you'll have to use npcap instead of WinPcap to be able to capture at the loopback interface, because the loopback normally does not exist as an interface in Windows; npcap creates it for you. (05 Apr '16, 02:08) sindy
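Lekensteyn's point that the TCP headers, timing and sizes of an SSH session stay readable without any key, as an added Python example that is not code from this thread or from Wireshark: it parses constructed Ethernet/IPv4/TCP frames to port 22 and profiles the session from that metadata alone. The frames, timestamps, addresses and the 1000-byte "large transfer" threshold are all assumptions made for the example.

```python
import struct

# Constructed sample frames (Ethernet II / IPv4 / TCP to port 22) standing in for a
# captured SSH session; the payload bytes are an opaque stand-in for ciphertext.
def build_frame(sport, dport, seq, ack, window, payload):
    eth = bytes(12) + b"\x08\x00"                       # zeroed MACs, EtherType IPv4
    tcp = struct.pack("!HHIIBBHHH", sport, dport, seq, ack, 5 << 4, 0x18, window, 0, 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp) + len(payload), 1, 0,
                     64, 6, 0, bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]))
    return eth + ip + tcp + payload

def parse_frame(frame):
    """Extract the cleartext TCP metadata of an Ethernet/IPv4/TCP frame (no keys needed)."""
    if struct.unpack("!H", frame[12:14])[0] != 0x0800:
        return None                                     # not IPv4
    ip = frame[14:]
    ihl = (ip[0] & 0x0F) * 4
    total_len = struct.unpack("!H", ip[2:4])[0]
    if ip[9] != 6:
        return None                                     # not TCP
    tcp = ip[ihl:total_len]
    sport, dport, seq, ack, off_flags, window = struct.unpack("!HHIIHH", tcp[:16])
    data_off = (off_flags >> 12) * 4
    return {"sport": sport, "dport": dport, "seq": seq, "ack": ack,
            "window": window, "payload_len": len(tcp) - data_off}

def ssh_session_profile(capture, big_burst=1000):
    """Summarise an SSH-port capture [(timestamp, frame), ...] from TCP headers, timing
    and sizes only: bytes per direction and when a large transfer appears to start."""
    by_dir, first_burst = {}, None
    for ts, frame in capture:
        p = parse_frame(frame)
        if p is None or 22 not in (p["sport"], p["dport"]):
            continue
        key = "c2s" if p["dport"] == 22 else "s2c"      # client-to-server or back
        by_dir[key] = by_dir.get(key, 0) + p["payload_len"]
        if first_burst is None and p["payload_len"] >= big_burst:
            first_burst = ts
    return {"bytes": by_dir, "large_transfer_start": first_burst}

# Constructed capture: a few interactive keystrokes, then a bulk upload to the server.
CAPTURE = [
    (0.00, build_frame(50000, 22, 1, 1, 65535, b"\xaa" * 36)),
    (0.05, build_frame(22, 50000, 1, 37, 29200, b"\xbb" * 52)),
    (1.20, build_frame(50000, 22, 37, 53, 65535, b"\xcc" * 1448)),
    (1.21, build_frame(50000, 22, 1485, 53, 65535, b"\xcc" * 1448)),
]
```

Running `ssh_session_profile(CAPTURE)` reports the per-direction byte counts and places the start of the bulk transfer at 1.20 s, which is the kind of TCP-level performance view the question asks for and needs no decryption.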