This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

Tshark decrypts only the first HTTPS packets

0

Hi everyone,

I have an issue with tshark. It decrypts only the first HTTPS requests, then stops decrypting HTTPS traffic.

Any idea?

The debug file content:

dissect_ssl enter frame #302 (first time)
packet_from_server: is from server - FALSE
  conversation = 0x1f8dda0, ssl_session = 0x1f8e5c0
  record: offset = 0, reported_length_remaining = 53
dissect_ssl3_record: content_type 21 Alert
decrypt_ssl3_record: app_data len 48, ssl state 0x97
packet_from_server: is from server - FALSE
decrypt_ssl3_record: using client decoder
decrypt_ssl3_record: no decoder available
dissect_ssl enter frame #313 (first time)
packet_from_server: is from server - FALSE
  conversation = 0x1f88f40, ssl_session = 0x1f89760
  record: offset = 0, reported_length_remaining = 53
dissect_ssl3_record: content_type 21 Alert
decrypt_ssl3_record: app_data len 48, ssl state 0x6BF
packet_from_server: is from server - FALSE
decrypt_ssl3_record: using client decoder
ssl_decrypt_record ciphertext len 48
Ciphertext[48]:
| 02 e9 42 6a 0f 83 15 a5 1f de 64 b0 c4 91 a7 94 |..Bj......d.....|
| 6e 4e d3 dd 6b f7 85 13 43 90 c5 c4 97 0d 1f 73 |nN..k...C......s|
| d0 d4 87 32 37 1e 04 2a 50 fc 5e d0 7f 6a 08 a0 |...27..*P.^..j..|
Plaintext[32]:
| 01 00 f7 43 17 7d 18 86 00 43 07 84 d2 be 6c e5 |...C.}...C....l.|
| 3c 10 26 bb 21 a7 09 09 09 09 09 09 09 09 09 09 |<.&.!...........|
ssl_decrypt_record found padding 9 final len 22
checking mac (len 2, version 303, ct 21 seq 5)
tls_check_mac mac type:SHA1 md 2
Mac[20]:
| f7 43 17 7d 18 86 00 43 07 84 d2 be 6c e5 3c 10 |.C.}...C....l.<.|
| 26 bb 21 a7                                     |&.!.            |
ssl_decrypt_record: mac ok
dissect_ssl enter frame #457 (first time)
association_find: TCP port 58491 found (nil)
packet_from_server: is from server - FALSE
  conversation = 0x1fabd80, ssl_session = 0x1facc30
  record: offset = 0, reported_length_remaining = 517
dissect_ssl3_record: content_type 22 Handshake
Calculating hash with offset 5 512
decrypt_ssl3_record: app_data len 512, ssl state 0x00
association_find: TCP port 58491 found (nil)
packet_from_server: is from server - FALSE
decrypt_ssl3_record: using client decoder
decrypt_ssl3_record: no decoder available
dissect_ssl3_handshake iteration 1 type 1 offset 5 length 508 bytes, remaining 517
ssl_dissect_hnd_hello_common found CLIENT RANDOM -> state 0x01
dissect_ssl enter frame #459 (first time)
packet_from_server: is from server - TRUE
  conversation = 0x1fabd80, ssl_session = 0x1facc30
  record: offset = 0, reported_length_remaining = 161
dissect_ssl3_record found version 0x0303(TLS 1.2) -> state 0x91
dissect_ssl3_record: content_type 22 Handshake
Calculating hash with offset 5 81
decrypt_ssl3_record: app_data len 81, ssl state 0x91
packet_from_server: is from server - TRUE
decrypt_ssl3_record: using server decoder
decrypt_ssl3_record: no decoder available
dissect_ssl3_handshake iteration 1 type 2 offset 5 length 77 bytes, remaining 86
ssl_dissect_hnd_hello_common found SERVER RANDOM -> state 0x93
ssl_dissect_hnd_srv_hello found CIPHER 0x002F TLS_RSA_WITH_AES_128_CBC_SHA -> state 0x97
  record: offset = 86, reported_length_remaining = 75
dissect_ssl3_record: content_type 20 Change Cipher Spec
ssl_dissect_change_cipher_spec Session resumption using Session Ticket
ssl_load_keyfile dtls/ssl.keylog_file is not configured!
ssl_finalize_decryption state = 0x97
ssl_restore_master_key can't find master secret by Session ID
ssl_restore_master_key can't find master secret by Session Ticket
ssl_restore_master_key can't find master secret by Client Random
  Cannot find master secret
packet_from_server: is from server - TRUE
ssl_change_cipher SERVER
  record: offset = 92, reported_length_remaining = 69
dissect_ssl3_record: content_type 22 Handshake
Calculating hash with offset 97 64
decrypt_ssl3_record: app_data len 64, ssl state 0x97
packet_from_server: is from server - TRUE
decrypt_ssl3_record: using server decoder
decrypt_ssl3_record: no decoder available
dissect_ssl3_handshake iteration 1 type 21 offset 97 length 15483064 bytes, remaining 161
dissect_ssl enter frame #461 (first time)
packet_from_server: is from server - FALSE
  conversation = 0x1fabd80, ssl_session = 0x1facc30
  record: offset = 0, reported_length_remaining = 75
dissect_ssl3_record: content_type 20 Change Cipher Spec
ssl_load_keyfile dtls/ssl.keylog_file is not configured!
ssl_finalize_decryption state = 0x97
ssl_restore_master_key can't find master secret by Session ID
ssl_restore_master_key can't find master secret by Session Ticket
ssl_restore_master_key can't find master secret by Client Random
  Cannot find master secret
packet_from_server: is from server - FALSE
ssl_change_cipher CLIENT
  record: offset = 6, reported_length_remaining = 69
dissect_ssl3_record: content_type 22 Handshake
Calculating hash with offset 11 64
decrypt_ssl3_record: app_data len 64, ssl state 0x97
packet_from_server: is from server - FALSE
decrypt_ssl3_record: using client decoder
decrypt_ssl3_record: no decoder available
dissect_ssl3_handshake iteration 1 type 246 offset 11 length 14460938 bytes, remaining 75
dissect_ssl enter frame #462 (first time)
packet_from_server: is from server - FALSE
  conversation = 0x1fabd80, ssl_session = 0x1facc30
  record: offset = 0, reported_length_remaining = 533
dissect_ssl3_record: content_type 23 Application Data
decrypt_ssl3_record: app_data len 528, ssl state 0x97
packet_from_server: is from server - FALSE
decrypt_ssl3_record: using client decoder
decrypt_ssl3_record: no decoder available
association_find: TCP port 58491 found (nil)
association_find: TCP port 443 found 0x1f548a0
dissect_ssl enter frame #464 (first time)
packet_from_server: is from server - TRUE
  conversation = 0x1fabd80, ssl_session = 0x1facc30
  record: offset = 0, reported_length_remaining = 2896
dissect_ssl3_record: content_type 23 Application Data
decrypt_ssl3_record: app_data len 448, ssl state 0x97
packet_from_server: is from server - TRUE
decrypt_ssl3_record: using server decoder
decrypt_ssl3_record: no decoder available
  record: offset = 453, reported_length_remaining = 2443
  need_desegmentation: offset = 453, reported_length_remaining = 2443
dissect_ssl enter frame #465 (first time)
packet_from_server: is from server - TRUE
  conversation = 0x1fabd80, ssl_session = 0x1facc30
  record: offset = 0, reported_length_remaining = 4421
dissect_ssl3_record: content_type 23 Application Data
decrypt_ssl3_record: app_data len 4416, ssl state 0x97
packet_from_server: is from server - TRUE
decrypt_ssl3_record: using server decoder
decrypt_ssl3_record: no decoder available
dissect_ssl enter frame #469 (first time)
packet_from_server: is from server - FALSE
  conversation = 0x1fabd80, ssl_session = 0x1facc30
  record: offset = 0, reported_length_remaining = 757
dissect_ssl3_record: content_type 23 Application Data
decrypt_ssl3_record: app_data len 752, ssl state 0x97
packet_from_server: is from server - FALSE
decrypt_ssl3_record: using client decoder
decrypt_ssl3_record: no decoder available
dissect_ssl enter frame #470 (first time)
packet_from_server: is from server - TRUE
  conversation = 0x1fabd80, ssl_session = 0x1facc30
  record: offset = 0, reported_length_remaining = 1610
dissect_ssl3_record: content_type 23 Application Data
decrypt_ssl3_record: app_data len 448, ssl state 0x97
packet_from_server: is from server - TRUE
decrypt_ssl3_record: using server decoder
decrypt_ssl3_record: no decoder available
  record: offset = 453, reported_length_remaining = 1157
dissect_ssl3_record: content_type 23 Application Data
decrypt_ssl3_record: app_data len 1152, ssl state 0x97
packet_from_server: is from server - TRUE
decrypt_ssl3_record: using server decoder
decrypt_ssl3_record: no decoder available

asked 24 Aug '16, 13:35


Mickael_R

edited 24 Aug '16, 14:11


Jasper ♦♦


One Answer:

0

It looks like you have insufficient key material or packets turned out-of-order.

dissect_ssl enter frame #313 (first time)
packet_from_server: is from server - FALSE
  conversation = 0x1f88f40, ssl_session = 0x1f89760

See this conversation (and ssl_session) identifier? It is different from the other ones below.

  record: offset = 0, reported_length_remaining = 53
dissect_ssl3_record: content_type 21 Alert
decrypt_ssl3_record: app_data len 48, ssl state 0x6BF
packet_from_server: is from server - FALSE
decrypt_ssl3_record: using client decoder
ssl_decrypt_record ciphertext len 48
Ciphertext[48]:
| 02 e9 42 6a 0f 83 15 a5 1f de 64 b0 c4 91 a7 94 |..Bj......d.....|
| 6e 4e d3 dd 6b f7 85 13 43 90 c5 c4 97 0d 1f 73 |nN..k...C......s|
| d0 d4 87 32 37 1e 04 2a 50 fc 5e d0 7f 6a 08 a0 |...27..*P.^..j..|
Plaintext[32]:
| 01 00 f7 43 17 7d 18 86 00 43 07 84 d2 be 6c e5 |...C.}...C....l.|
| 3c 10 26 bb 21 a7 09 09 09 09 09 09 09 09 09 09 |<.&.!...........|
ssl_decrypt_record found padding 9 final len 22
checking mac (len 2, version 303, ct 21 seq 5)
tls_check_mac mac type:SHA1 md 2
Mac[20]:
| f7 43 17 7d 18 86 00 43 07 84 d2 be 6c e5 3c 10 |.C.}...C....l.<.|
| 26 bb 21 a7                                     |&.!.            |
ssl_decrypt_record: mac ok

dissect_ssl enter frame #457 (first time)
association_find: TCP port 58491 found (nil)
packet_from_server: is from server - FALSE
  conversation = 0x1fabd80, ssl_session = 0x1facc30

See? It is different. So unless you managed to get keys for this session and captured the full unabbreviated handshake, you will not be able to decrypt it.

  record: offset = 0, reported_length_remaining = 517
dissect_ssl3_record: content_type 22 Handshake

answered 26 Aug '16, 09:42


Lekensteyn

OK, thanks, I’m gonna check what’s wrong and why my ssl_session ID changed

(26 Aug '16, 11:44) Mickael_R

The internal conversation and ssl_session change for each TCP connection. Perhaps you have only partially captured the SSL session (TCP connection).

(26 Aug '16, 12:17) Lekensteyn
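
Added example, not part of the original thread and not Wireshark code: a Python script that groups an SSL debug log by ssl_session pointer, as the answer and the last comment do by eye, and records per TCP connection whether a record passed the MAC check, whether the handshake was a Session Ticket resumption, and whether the master-secret lookup failed. The sample log is constructed from lines abridged from the question, and the result field names are this example's own.

```python
import re
# Constructed sample: lines abridged from the debug log quoted in the question.
SAMPLE_LOG = """\
dissect_ssl enter frame #313 (first time)
  conversation = 0x1f88f40, ssl_session = 0x1f89760
dissect_ssl3_record: content_type 21 Alert
ssl_decrypt_record: mac ok
dissect_ssl enter frame #459 (first time)
  conversation = 0x1fabd80, ssl_session = 0x1facc30
ssl_dissect_change_cipher_spec Session resumption using Session Ticket
ssl_load_keyfile dtls/ssl.keylog_file is not configured!
  Cannot find master secret
dissect_ssl enter frame #462 (first time)
  conversation = 0x1fabd80, ssl_session = 0x1facc30
dissect_ssl3_record: content_type 23 Application Data
decrypt_ssl3_record: no decoder available
"""

FRAME = re.compile(r"^dissect_ssl enter frame #(\d+)")
SESSION = re.compile(r"ssl_session = (0x[0-9a-fA-F]+)")
CTYPE = re.compile(r"^dissect_ssl3_record: content_type (\d+)")
FLAGS = {"Session resumption": "resumed",
         "Cannot find master secret": "no_master_secret",
         "keylog_file is not configured": "keylog_unset"}

def summarize(log_text):
    """Group debug-log lines by ssl_session pointer (one per TCP connection)."""
    sessions, frame, cur, ctype = {}, None, None, None
    for line in log_text.splitlines():
        if m := FRAME.match(line):
            frame, cur, ctype = int(m.group(1)), None, None
        elif m := SESSION.search(line):
            cur = sessions.setdefault(m.group(1), {"frames": [], "mac_ok": 0,
                "appdata_undecrypted": 0, **dict.fromkeys(FLAGS.values(), False)})
            cur["frames"].append(frame)
        elif cur is None:
            continue  # line seen before this frame's session pointer
        elif m := CTYPE.match(line):
            ctype = int(m.group(1))
        elif "mac ok" in line:
            cur["mac_ok"] += 1  # record decrypted and its MAC verified
        elif "no decoder available" in line and ctype == 23:
            cur["appdata_undecrypted"] += 1  # Application Data left encrypted
        else:
            for marker, key in FLAGS.items():
                cur[key] = cur[key] or marker in line
    return sessions

if __name__ == "__main__":
    print(*summarize(SAMPLE_LOG).items(), sep="\n")
```

Only "no decoder available" lines that follow a content_type 23 record are counted, because the same message is also logged for plaintext handshake records before Change Cipher Spec.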