This is our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

Hi everyone,

I have an issue with tshark. It decrypts only the first HTTPS requests, then stops decrypting HTTPS traffic.

Any idea?

The debug file content:

dissect_ssl enter frame #302 (first time)
packet_from_server: is from server - FALSE
  conversation = 0x1f8dda0, ssl_session = 0x1f8e5c0
  record: offset = 0, reported_length_remaining = 53
dissect_ssl3_record: content_type 21 Alert
decrypt_ssl3_record: app_data len 48, ssl state 0x97
packet_from_server: is from server - FALSE
decrypt_ssl3_record: using client decoder
decrypt_ssl3_record: no decoder available

dissect_ssl enter frame #313 (first time)
packet_from_server: is from server - FALSE
  conversation = 0x1f88f40, ssl_session = 0x1f89760
  record: offset = 0, reported_length_remaining = 53
dissect_ssl3_record: content_type 21 Alert
decrypt_ssl3_record: app_data len 48, ssl state 0x6BF
packet_from_server: is from server - FALSE
decrypt_ssl3_record: using client decoder
ssl_decrypt_record ciphertext len 48
Ciphertext[48]:
| 02 e9 42 6a 0f 83 15 a5 1f de 64 b0 c4 91 a7 94 |..Bj......d.....|
| 6e 4e d3 dd 6b f7 85 13 43 90 c5 c4 97 0d 1f 73 |nN..k...C......s|
| d0 d4 87 32 37 1e 04 2a 50 fc 5e d0 7f 6a 08 a0 |...27..*P.^..j..|
Plaintext[32]:
| 01 00 f7 43 17 7d 18 86 00 43 07 84 d2 be 6c e5 |...C.}...C....l.|
| 3c 10 26 bb 21 a7 09 09 09 09 09 09 09 09 09 09 |<.&.!...........|
ssl_decrypt_record found padding 9 final len 22
checking mac (len 2, version 303, ct 21 seq 5)
tls_check_mac mac type:SHA1 md 2
Mac[20]:
| f7 43 17 7d 18 86 00 43 07 84 d2 be 6c e5 3c 10 |.C.}...C....l.<.|
| 26 bb 21 a7                                     |&.!.            |
ssl_decrypt_record: mac ok

dissect_ssl enter frame #457 (first time)
association_find: TCP port 58491 found (nil)
packet_from_server: is from server - FALSE
  conversation = 0x1fabd80, ssl_session = 0x1facc30
  record: offset = 0, reported_length_remaining = 517
dissect_ssl3_record: content_type 22 Handshake
Calculating hash with offset 5 512
decrypt_ssl3_record: app_data len 512, ssl state 0x00
association_find: TCP port 58491 found (nil)
packet_from_server: is from server - FALSE
decrypt_ssl3_record: using client decoder
decrypt_ssl3_record: no decoder available
dissect_ssl3_handshake iteration 1 type 1 offset 5 length 508 bytes, remaining 517
ssl_dissect_hnd_hello_common found CLIENT RANDOM -> state 0x01

dissect_ssl enter frame #459 (first time)
packet_from_server: is from server - TRUE
  conversation = 0x1fabd80, ssl_session = 0x1facc30
  record: offset = 0, reported_length_remaining = 161
dissect_ssl3_record found version 0x0303(TLS 1.2) -> state 0x91
dissect_ssl3_record: content_type 22 Handshake
Calculating hash with offset 5 81
decrypt_ssl3_record: app_data len 81, ssl state 0x91
packet_from_server: is from server - TRUE
decrypt_ssl3_record: using server decoder
decrypt_ssl3_record: no decoder available
dissect_ssl3_handshake iteration 1 type 2 offset 5 length 77 bytes, remaining 86
ssl_dissect_hnd_hello_common found SERVER RANDOM -> state 0x93
ssl_dissect_hnd_srv_hello found CIPHER 0x002F TLS_RSA_WITH_AES_128_CBC_SHA -> state 0x97
  record: offset = 86, reported_length_remaining = 75
dissect_ssl3_record: content_type 20 Change Cipher Spec
ssl_dissect_change_cipher_spec Session resumption using Session Ticket
ssl_load_keyfile dtls/ssl.keylog_file is not configured!
ssl_finalize_decryption state = 0x97
ssl_restore_master_key can't find master secret by Session ID
ssl_restore_master_key can't find master secret by Session Ticket
ssl_restore_master_key can't find master secret by Client Random
Cannot find master secret
packet_from_server: is from server - TRUE
ssl_change_cipher SERVER
  record: offset = 92, reported_length_remaining = 69
dissect_ssl3_record: content_type 22 Handshake
Calculating hash with offset 97 64
decrypt_ssl3_record: app_data len 64, ssl state 0x97
packet_from_server: is from server - TRUE
decrypt_ssl3_record: using server decoder
decrypt_ssl3_record: no decoder available
dissect_ssl3_handshake iteration 1 type 21 offset 97 length 15483064 bytes, remaining 161

dissect_ssl enter frame #461 (first time)
packet_from_server: is from server - FALSE
  conversation = 0x1fabd80, ssl_session = 0x1facc30
  record: offset = 0, reported_length_remaining = 75
dissect_ssl3_record: content_type 20 Change Cipher Spec
ssl_load_keyfile dtls/ssl.keylog_file is not configured!
ssl_finalize_decryption state = 0x97
ssl_restore_master_key can't find master secret by Session ID
ssl_restore_master_key can't find master secret by Session Ticket
ssl_restore_master_key can't find master secret by Client Random
Cannot find master secret
packet_from_server: is from server - FALSE
ssl_change_cipher CLIENT
  record: offset = 6, reported_length_remaining = 69
dissect_ssl3_record: content_type 22 Handshake
Calculating hash with offset 11 64
decrypt_ssl3_record: app_data len 64, ssl state 0x97
packet_from_server: is from server - FALSE
decrypt_ssl3_record: using client decoder
decrypt_ssl3_record: no decoder available
dissect_ssl3_handshake iteration 1 type 246 offset 11 length 14460938 bytes, remaining 75

dissect_ssl enter frame #462 (first time)
packet_from_server: is from server - FALSE
  conversation = 0x1fabd80, ssl_session = 0x1facc30
  record: offset = 0, reported_length_remaining = 533
dissect_ssl3_record: content_type 23 Application Data
decrypt_ssl3_record: app_data len 528, ssl state 0x97
packet_from_server: is from server - FALSE
decrypt_ssl3_record: using client decoder
decrypt_ssl3_record: no decoder available
association_find: TCP port 58491 found (nil)
association_find: TCP port 443 found 0x1f548a0

dissect_ssl enter frame #464 (first time)
packet_from_server: is from server - TRUE
  conversation = 0x1fabd80, ssl_session = 0x1facc30
  record: offset = 0, reported_length_remaining = 2896
dissect_ssl3_record: content_type 23 Application Data
decrypt_ssl3_record: app_data len 448, ssl state 0x97
packet_from_server: is from server - TRUE
decrypt_ssl3_record: using server decoder
decrypt_ssl3_record: no decoder available
  record: offset = 453, reported_length_remaining = 2443
  need_desegmentation: offset = 453, reported_length_remaining = 2443

dissect_ssl enter frame #465 (first time)
packet_from_server: is from server - TRUE
  conversation = 0x1fabd80, ssl_session = 0x1facc30
  record: offset = 0, reported_length_remaining = 4421
dissect_ssl3_record: content_type 23 Application Data
decrypt_ssl3_record: app_data len 4416, ssl state 0x97
packet_from_server: is from server - TRUE
decrypt_ssl3_record: using server decoder
decrypt_ssl3_record: no decoder available

dissect_ssl enter frame #469 (first time)
packet_from_server: is from server - FALSE
  conversation = 0x1fabd80, ssl_session = 0x1facc30
  record: offset = 0, reported_length_remaining = 757
dissect_ssl3_record: content_type 23 Application Data
decrypt_ssl3_record: app_data len 752, ssl state 0x97
packet_from_server: is from server - FALSE
decrypt_ssl3_record: using client decoder
decrypt_ssl3_record: no decoder available

dissect_ssl enter frame #470 (first time)
packet_from_server: is from server - TRUE
  conversation = 0x1fabd80, ssl_session = 0x1facc30
  record: offset = 0, reported_length_remaining = 1610
dissect_ssl3_record: content_type 23 Application Data
decrypt_ssl3_record: app_data len 448, ssl state 0x97
packet_from_server: is from server - TRUE
decrypt_ssl3_record: using server decoder
decrypt_ssl3_record: no decoder available
  record: offset = 453, reported_length_remaining = 1157
dissect_ssl3_record: content_type 23 Application Data
decrypt_ssl3_record: app_data len 1152, ssl state 0x97
packet_from_server: is from server - TRUE
decrypt_ssl3_record: using server decoder
decrypt_ssl3_record: no decoder available

asked 24 Aug '16, 13:35

Mickael_R

edited 24 Aug '16, 14:11

Jasper ♦♦


It looks like you have insufficient key material or packets turned out of order.

dissect_ssl enter frame #313 (first time)
packet_from_server: is from server - FALSE
  conversation = 0x1f88f40, ssl_session = 0x1f89760

See this conversation (and ssl_session) identifier? It is different from the other ones below.

  record: offset = 0, reported_length_remaining = 53
dissect_ssl3_record: content_type 21 Alert
decrypt_ssl3_record: app_data len 48, ssl state 0x6BF
packet_from_server: is from server - FALSE
decrypt_ssl3_record: using client decoder
ssl_decrypt_record ciphertext len 48
Ciphertext[48]:
| 02 e9 42 6a 0f 83 15 a5 1f de 64 b0 c4 91 a7 94 |..Bj......d.....|
| 6e 4e d3 dd 6b f7 85 13 43 90 c5 c4 97 0d 1f 73 |nN..k...C......s|
| d0 d4 87 32 37 1e 04 2a 50 fc 5e d0 7f 6a 08 a0 |...27..*P.^..j..|
Plaintext[32]:
| 01 00 f7 43 17 7d 18 86 00 43 07 84 d2 be 6c e5 |...C.}...C....l.|
| 3c 10 26 bb 21 a7 09 09 09 09 09 09 09 09 09 09 |<.&.!...........|
ssl_decrypt_record found padding 9 final len 22
checking mac (len 2, version 303, ct 21 seq 5)
tls_check_mac mac type:SHA1 md 2
Mac[20]:
| f7 43 17 7d 18 86 00 43 07 84 d2 be 6c e5 3c 10 |.C.}...C....l.<.|
| 26 bb 21 a7                                     |&.!.            |
ssl_decrypt_record: mac ok

dissect_ssl enter frame #457 (first time)
association_find: TCP port 58491 found (nil)
packet_from_server: is from server - FALSE
  conversation = 0x1fabd80, ssl_session = 0x1facc30

See? It is different. So unless you managed to get keys for this session and captured the full unabbreviated handshake, you will not be able to decrypt it.

  record: offset = 0, reported_length_remaining = 517
dissect_ssl3_record: content_type 22 Handshake

answered 26 Aug '16, 09:42

Lekensteyn

OK, thanks, I'm gonna check what's wrong and why my ssl_session ID changed.

(26 Aug '16, 11:44) Mickael_R

The internal conversation and ssl_session change for each TCP connection. Perhaps you have only partially captured the SSL session (TCP connection).

(26 Aug '16, 12:17) Lekensteyn
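
An added example, not part of the original thread and not Wireshark's own code: a short Python script that groups the frames of an SSL debug file by the conversation pointer the answer points at, and lists the conversations in which no record was ever decrypted. The sample log is constructed from lines quoted in this thread; the function names and flag labels are hypothetical.

```python
import re

# Constructed sample, condensed from the debug lines quoted in this thread.
SAMPLE_LOG = """\
dissect_ssl enter frame #313 (first time)
  conversation = 0x1f88f40, ssl_session = 0x1f89760
decrypt_ssl3_record: using client decoder
ssl_decrypt_record: mac ok
dissect_ssl enter frame #459 (first time)
  conversation = 0x1fabd80, ssl_session = 0x1facc30
ssl_dissect_change_cipher_spec Session resumption using Session Ticket
ssl_load_keyfile dtls/ssl.keylog_file is not configured!
Cannot find master secret
decrypt_ssl3_record: no decoder available
dissect_ssl enter frame #462 (first time)
  conversation = 0x1fabd80, ssl_session = 0x1facc30
decrypt_ssl3_record: no decoder available
"""

FRAME = re.compile(r"dissect_ssl enter frame #(\d+)")
CONV = re.compile(r"conversation = (0x[0-9a-fA-F]+), ssl_session = (0x[0-9a-fA-F]+)")
# Substring in a debug line -> flag recorded for the current conversation.
MARKERS = {"mac ok": "decrypted", "no decoder available": "no_decoder",
           "Cannot find master secret": "no_master_secret",
           "Session resumption": "resumed",
           "keylog_file is not configured": "no_keylog"}

def summarize(log_text):
    """Group frames by conversation pointer and collect status flags."""
    sessions, current, frame = {}, None, None
    for line in log_text.splitlines():
        if m := FRAME.search(line):
            frame, current = int(m.group(1)), None
        elif m := CONV.search(line):
            current = sessions.setdefault(m.group(1), {"frames": [], "flags": set()})
            current["frames"].append(frame)
        elif current is not None:
            current["flags"].update(f for s, f in MARKERS.items() if s in line)
    return sessions

def undecryptable(sessions):
    """Conversations in which no record was ever decrypted and MAC-verified."""
    return [c for c, s in sessions.items() if "decrypted" not in s["flags"]]

if __name__ == "__main__":
    for conv, s in summarize(SAMPLE_LOG).items():
        print(conv, s["frames"], sorted(s["flags"]))
```

A conversation flagged both resumed and no_master_secret is the case described in the answer: an abbreviated handshake for which the dissector has no key material.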
question asked: 24 Aug '16, 13:35

question was seen: 867 times

last updated: 26 Aug '16, 12:17
