This is our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

Hi everyone,

I am unable to decrypt the SSL Diameter-based messages in Wireshark even after adding the server.key in the RSA key field. This is my SSL debug log.

Wireshark SSL debug log

Wireshark version: 2.0.2 (v2.0.2-0-ga16e22e from master-2.0) GnuTLS version: 3.2.15 Libgcrypt version: 1.6.2

ssl_association_remove removing TCP 3869 - diameter handle 00000000059A7E80
KeyID[20]:
| d2 4a 15 8f b6 90 86 a1 2b 8b 64 6d c6 2c 42 8d |.J......+.dm.,B.|
| 55 bf 89 04                                     |U...            |
ssl_load_key: swapping p and q parameters and recomputing u
ssl_init private key file C:/Users/rprasad/Documents/server.key successfully loaded.
ssl_init port '3869' filename 'C:/Users/rprasad/Documents/server.key' password(only for p12 file) ''
association_add TCP port 3869 protocol ssl handle 00000000059F6010

dissect_ssl enter frame #1575 (first time)
association_find: TCP port 3869 found 0000000006F5B280
packet_from_server: is from server - TRUE
  conversation = 00000000082F34A0, ssl_session = 00000000082F3970
  record: offset = 0, reported_length_remaining = 133
dissect_ssl3_record found version 0x0303(TLS 1.2) -> state 0x10
dissect_ssl3_record: content_type 23 Application Data
decrypt_ssl3_record: app_data len 128, ssl state 0x10
association_find: TCP port 3869 found 0000000006F5B280
packet_from_server: is from server - TRUE
decrypt_ssl3_record: using server decoder
decrypt_ssl3_record: no decoder available
association_find: TCP port 3869 found 0000000006F5B280

dissect_ssl enter frame #1577 (first time)
association_find: TCP port 6551 found 0000000000000000
packet_from_server: is from server - FALSE
  conversation = 00000000082F34A0, ssl_session = 00000000082F3970
  record: offset = 0, reported_length_remaining = 149
dissect_ssl3_record: content_type 23 Application Data
decrypt_ssl3_record: app_data len 144, ssl state 0x10
association_find: TCP port 6551 found 0000000000000000
packet_from_server: is from server - FALSE
decrypt_ssl3_record: using client decoder
decrypt_ssl3_record: no decoder available

dissect_ssl enter frame #2884 (first time)
association_find: TCP port 6551 found 0000000000000000
packet_from_server: is from server - FALSE
  conversation = 00000000082F34A0, ssl_session = 00000000082F3970
  record: offset = 0, reported_length_remaining = 309
dissect_ssl3_record: content_type 23 Application Data
decrypt_ssl3_record: app_data len 304, ssl state 0x10
association_find: TCP port 6551 found 0000000000000000
packet_from_server: is from server - FALSE
decrypt_ssl3_record: using client decoder
decrypt_ssl3_record: no decoder available

dissect_ssl enter frame #2888 (first time)
association_find: TCP port 3869 found 0000000006F5B280
packet_from_server: is from server - TRUE
  conversation = 00000000082F34A0, ssl_session = 00000000082F3970
  record: offset = 0, reported_length_remaining = 805
dissect_ssl3_record: content_type 23 Application Data
decrypt_ssl3_record: app_data len 800, ssl state 0x10
association_find: TCP port 3869 found 0000000006F5B280
packet_from_server: is from server - TRUE
decrypt_ssl3_record: using server decoder
decrypt_ssl3_record: no decoder available

dissect_ssl enter frame #1575 (already visited)
association_find: TCP port 3869 found 0000000006F5B280
packet_from_server: is from server - TRUE
  conversation = 00000000082F34A0, ssl_session = 0000000000000000
  record: offset = 0, reported_length_remaining = 133
dissect_ssl3_record: content_type 23 Application Data

dissect_ssl enter frame #1577 (already visited)
association_find: TCP port 6551 found 0000000000000000
packet_from_server: is from server - FALSE
  conversation = 00000000082F34A0, ssl_session = 0000000000000000
  record: offset = 0, reported_length_remaining = 149
dissect_ssl3_record: content_type 23 Application Data

dissect_ssl enter frame #2884 (already visited)
association_find: TCP port 6551 found 0000000000000000
packet_from_server: is from server - FALSE
  conversation = 00000000082F34A0, ssl_session = 0000000000000000
  record: offset = 0, reported_length_remaining = 309
dissect_ssl3_record: content_type 23 Application Data

dissect_ssl enter frame #2888 (already visited)
association_find: TCP port 3869 found 0000000006F5B280
packet_from_server: is from server - TRUE
  conversation = 00000000082F34A0, ssl_session = 0000000000000000
  record: offset = 0, reported_length_remaining = 805
dissect_ssl3_record: content_type 23 Application Data

asked 03 Jun '16, 02:36

M Roshan Prasad

edited 03 Jun '16, 02:59

grahamb ♦

Can you post the capture file someplace accessible--e.g., cloudshark.org? We'll need to see the start of the TLS session, especially the "server hello" message.

Also, is the above the complete start of the log? It seems that the first few messages aren't about the TLS setup.

(03 Jun '16, 06:16) JeffMorriss ♦

Hello Jeff, I re-created the RSA key and added the same in Wireshark and it looks to be working fine now. Thank you.

answered 03 Jun '16, 10:48

M Roshan Prasad

Great. I'll Accept your answer so that your question will show up as having been answered--see the FAQ for details.

(03 Jun '16, 13:00) JeffMorriss ♦

Hello Jeff. Looks like my Wireshark is able to do a Follow SSL Stream only when there is a start of the TLS session, with "server hello" message and certificate exchange messages.

(08 Jun '16, 03:09) M Roshan Prasad

And for the next consecutive messages I am not able to do the Follow SSL Stream.

(08 Jun '16, 03:10) M Roshan Prasad

I have uploaded the same to cloudshark.org. The one with Server Hello you can find at https://www.cloudshark.org/captures/4baddb1bc4fa and the next consecutive one, where I am not able to do a Follow SSL Stream, is at https://www.cloudshark.org/captures/1c0406a67f7c. Please help me with this.

(08 Jun '16, 03:15) M Roshan Prasad

Like any of the tutorials or answers will tell you:

Important: The capture must include the initial SSL/TLS session establishment. In other words, the CLIENTHELLO and SERVERHELLO exchange. Beware captures taken where a session has been resumed. Ideally, ensure any capture either a) is of packets related to an entirely new device connecting or b) where a device that has already previously established a session is used, it is used after a considerable time after the last session was established.
(08 Jun '16, 03:43) Jaap ♦
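
An added example, not part of the original thread or of Wireshark itself: a Python check over an SSL debug log in the format quoted in the question. It reports whether any handshake record (TLS content type 22) was dissected before the "no decoder available" failures. The sample log is constructed from lines in the question, and the function names are hypothetical.

```python
import re

# Constructed sample in the line format of the SSL debug log quoted in the question.
SAMPLE_LOG = """\
dissect_ssl enter frame #1575 (first time)
dissect_ssl3_record: content_type 23 Application Data
decrypt_ssl3_record: using server decoder
decrypt_ssl3_record: no decoder available
dissect_ssl enter frame #1577 (first time)
dissect_ssl3_record: content_type 23 Application Data
decrypt_ssl3_record: using client decoder
decrypt_ssl3_record: no decoder available
dissect_ssl enter frame #1575 (already visited)
dissect_ssl3_record: content_type 23 Application Data
"""

FRAME_RE = re.compile(r"dissect_ssl enter frame #(\d+) \((first time|already visited)\)")
RECORD_RE = re.compile(r"dissect_ssl3_record: content_type (\d+)")
HANDSHAKE = 22  # TLS record content type carrying ClientHello/ServerHello


def summarize(log_text):
    """Collect per-frame record types and decrypt failures from the first pass."""
    frames, current = {}, None
    for line in log_text.splitlines():
        line = line.strip()
        if m := FRAME_RE.match(line):
            # Only the first pass attempts decryption; skip "already visited".
            first = m.group(2) == "first time"
            entry = {"types": set(), "failed": False}
            current = frames.setdefault(int(m.group(1)), entry) if first else None
        elif current is not None:
            if m := RECORD_RE.match(line):
                current["types"].add(int(m.group(1)))
            elif line == "decrypt_ssl3_record: no decoder available":
                current["failed"] = True
    return {
        "handshake_seen": any(HANDSHAKE in f["types"] for f in frames.values()),
        "no_decoder_frames": sorted(n for n, f in frames.items() if f["failed"]),
    }


def diagnose(log_text):
    """Map the summary to the likely cause discussed in the thread."""
    s = summarize(log_text)
    if s["no_decoder_frames"] and not s["handshake_seen"]:
        return "handshake missing: capture again from the start of the TLS session"
    if s["no_decoder_frames"]:
        return "handshake seen but no keys: check the key file or session resumption"
    return "no decryption failures logged"
```
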