This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

which version of Wireshark will decrypt an ssh session?


which version of the Wireshark will decrypt an ssh session

asked 03 Apr '16, 19:56


srinu_bel

edited 05 Apr '16, 02:39


sindy


2 Answers:


No version of Wireshark will do that.

answered 04 Apr '16, 04:50


Jaap ♦

Both server and client hosts are with me & the required key files are also available... Even then, can't we decrypt the section by importing the key info into Wireshark?

If your reply is no, why is it like so? What is the challenge after having the keys also with us?

If we want to troubleshoot the performance of the TCP link on SSH, how can we do it, as port numbers / window size info are in encrypted format?

(04 Apr '16, 19:42) srinu_bel


If "decoding SSH section" means "decrypting SSH", that is not possible at the moment. See the SSH - Wireshark Wiki page.

For decryption of SSH traffic to be possible, the key material must first be extracted from an SSH client or server. The private key files are insufficient; the actual symmetric encryption keys are derived from a shared secret based on the DH key exchange. Note that unlike SSL, SSH does not define an RSA key exchange method, so in the case of SSH the RSA private key file will never be useful for traffic decryption. The private key file is used only for authentication purposes, not encryption.

Note that only the SSH payload (commands, passwords, file transfers, ...) is encrypted. Upper layers (TCP, IP, Ethernet, ...) are not suddenly encrypted, so you can still analyze TCP port numbers, sequence numbers, etc. Besides that, you also have timing and size information which (for example) can be used to guess when a large file transfer has started.

answered 04 Apr '16, 12:39


Lekensteyn

edited 05 Apr '16, 01:38
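As an added illustration of the point about the TCP/IP layers beneath the SSH payload (this is an added example, not code from the answer above or from the Wireshark project): a small Python script that reads the cleartext TCP header fields of constructed SSH-port frames without any key material, then applies a simple size/timing heuristic to guess where a bulk transfer begins. The frames, the thresholds and the function names are my own constructions.

```python
import struct

def build_frame(sport, dport, seq, window, payload_len):
    # Constructed Ethernet/IPv4/TCP frame; the payload is opaque filler
    # standing in for SSH ciphertext, not real SSH data.
    payload = b"\x00" * payload_len
    tcp = struct.pack("!HHIIBBHHH", sport, dport, seq, 0, 5 << 4, 0x18,
                      window, 0, 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp) + len(payload),
                     1, 0, 64, 6, 0, bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]))
    return b"\x00" * 12 + b"\x08\x00" + ip + tcp + payload

def tcp_metadata(ts, frame):
    # Everything read here sits below the SSH layer, so it is cleartext
    # regardless of key material; only the payload bytes are ciphertext.
    if struct.unpack("!H", frame[12:14])[0] != 0x0800:  # IPv4 only
        return None
    ip = frame[14:]
    ihl = (ip[0] & 0x0F) * 4
    total_len = struct.unpack("!H", ip[2:4])[0]
    if ip[9] != 6:  # not TCP
        return None
    tcp = ip[ihl:]
    sport, dport, seq = struct.unpack("!HHI", tcp[:8])
    doff = (tcp[12] >> 4) * 4
    window = struct.unpack("!H", tcp[14:16])[0]
    return {"ts": ts, "sport": sport, "dport": dport, "seq": seq,
            "window": window, "payload_len": total_len - ihl - doff}

def bulk_transfer_start(records, min_len=1000, run=3):
    # Size/timing heuristic: the first run of `run` consecutive large
    # segments marks where a bulk transfer (e.g. scp) probably began.
    streak = 0
    for i, r in enumerate(records):
        streak = streak + 1 if r["payload_len"] >= min_len else 0
        if streak == run:
            return records[i - run + 1]["ts"]
    return None

# Constructed sample session: three keystroke-sized segments, then full-size
# segments typical of a file transfer. (ts, seq, payload_len) per segment.
SAMPLE = [(ts, build_frame(50000, 22, seq, 65535, n)) for ts, seq, n in
          [(0.0, 1, 36), (0.5, 37, 36), (1.2, 73, 36),
           (2.0, 109, 1448), (2.01, 1557, 1448), (2.02, 3005, 1448)]]
RECORDS = [m for m in (tcp_metadata(ts, f) for ts, f in SAMPLE) if m]

if __name__ == "__main__":
    print("bulk transfer starts at t =", bulk_transfer_start(RECORDS))
```

The same fields (ports, sequence numbers, window size, segment length) are what Wireshark shows for an SSH capture once you look at the TCP layer rather than the SSH payload.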

Both server and client hosts are with me & the required key files are also available... Even then, can't we decrypt the section by importing the key info into Wireshark?

If your reply is know why it is like so??? what is the challenge after having keys also with us?

If we want to troubleshoot the performance of the TCP link on SSH, how can we do it, as port numbers / window size info are in encrypted format?

(04 Apr '16, 19:41) srinu_bel

Please read the above line "If your reply is know why it is like so???" as "If your reply is no why it is like so???"

Sorry, I am not good at English...

(04 Apr '16, 19:44) srinu_bel

The key file is only used for authentication, not encryption. See the updated answer.

(05 Apr '16, 01:38) Lekensteyn

@srinu_bel, if I understand your problem properly, you actually need to analyse a tcp session tunnelled through ssh, because the tcp headers (port numbers, window size etc.) of the tcp session carrying the ssh session itself are not encrypted.

If I am mistaken and you only cannot see "TCP" and its summary information in the "Info" column in packet list, simply disable SSH dissection (Analyze -> Enabled Protocols, write "ssh" into the search field at the bottom left of the window which pops up, untick the checkbox next to SSH in the pane above, and click OK) and all your SSH packets will be shown as plain TCP ones.

If my guess is correct, you'll have to capture on the loopback interface. ssh allows you to make a local port N represent a remote socket X:Y; you then tell your application to connect to localhost:N instead of X:Y (which is inaccessible directly), and you have to capture at the loopback interface to analyze the tcp session using the tunnel. If your client application runs on Windows, you'll have to use npcap instead of WinPcap to be able to capture at the loopback interface, because the loopback normally does not exist as an interface in Windows; npcap creates it for you.

(05 Apr '16, 02:08) sindy