Hello team, I have 2 sniffers (one is 138K, the other is 47M). Both sniffers are destined to the same VIP, same cert. I can decrypt the small sniffer, but I cannot decrypt the big one.

Here is some information from debug. This is for critical troubleshooting. Thanks a lot for the help.

dissect_ssl enter frame #4 (first time)
packet_from_server: is from server - FALSE
  conversation = 0000000004711700, ssl_session = 00000000047120D0
  record: offset = 0, reported_length_remaining = 146
dissect_ssl3_record: content_type 22 Handshake
Calculating hash with offset 5 141
decrypt_ssl3_record: app_data len 141, ssl state 0x00
packet_from_server: is from server - FALSE
decrypt_ssl3_record: using client decoder
decrypt_ssl3_record: no decoder available
dissect_ssl3_handshake iteration 1 type 1 offset 5 length 137 bytes, remaining 146 
ssl_dissect_hnd_hello_common found CLIENT RANDOM -> state 0x01

dissect_ssl enter frame #6 (first time)
packet_from_server: is from server - TRUE
  conversation = 0000000004711700, ssl_session = 00000000047120D0
  record: offset = 0, reported_length_remaining = 177
ssl_try_set_version found version 0x0303 -> state 0x11
dissect_ssl3_record: content_type 22 Handshake
Calculating hash with offset 5 81
decrypt_ssl3_record: app_data len 81, ssl state 0x11
packet_from_server: is from server - TRUE
decrypt_ssl3_record: using server decoder
decrypt_ssl3_record: no decoder available
dissect_ssl3_handshake iteration 1 type 2 offset 5 length 77 bytes, remaining 86 
ssl_try_set_version found version 0x0303 -> state 0x11
ssl_dissect_hnd_hello_common found SERVER RANDOM -> state 0x13
ssl_dissect_hnd_srv_hello found CIPHER 0x003D TLS_RSA_WITH_AES_256_CBC_SHA256 -> state 0x17
  record: offset = 86, reported_length_remaining = 91
dissect_ssl3_record: content_type 20 Change Cipher Spec
ssl_dissect_change_cipher_spec Session resumption using Session ID
ssl_load_keyfile dtls/ssl.keylog_file is not configured!
ssl_finalize_decryption state = 0x17
ssl_restore_master_key can't find master secret by Session ID
ssl_restore_master_key can't restore master secret using an empty Session Ticket
ssl_restore_master_key can't find master secret by Client Random
  Cannot find master secret
packet_from_server: is from server - TRUE
ssl_change_cipher SERVER
  record: offset = 92, reported_length_remaining = 85
dissect_ssl3_record: content_type 22 Handshake
Calculating hash with offset 97 80
decrypt_ssl3_record: app_data len 80, ssl state 0x17
packet_from_server: is from server - TRUE
decrypt_ssl3_record: using server decoder
decrypt_ssl3_record: no decoder available
dissect_ssl3_handshake iteration 1 type 107 offset 97 length 9561053 bytes, remaining 177 

dissect_ssl enter frame #8 (first time)
packet_from_server: is from server - FALSE
  conversation = 0000000004711700, ssl_session = 00000000047120D0
  record: offset = 0, reported_length_remaining = 91
dissect_ssl3_record: content_type 20 Change Cipher Spec
ssl_load_keyfile dtls/ssl.keylog_file is not configured!
ssl_finalize_decryption state = 0x17
ssl_restore_master_key can't find master secret by Session ID
ssl_restore_master_key can't restore master secret using an empty Session Ticket
ssl_restore_master_key can't find master secret by Client Random
  Cannot find master secret
packet_from_server: is from server - FALSE
ssl_change_cipher CLIENT
  record: offset = 6, reported_length_remaining = 85
dissect_ssl3_record: content_type 22 Handshake
Calculating hash with offset 11 80
decrypt_ssl3_record: app_data len 80, ssl state 0x17
packet_from_server: is from server - FALSE
decrypt_ssl3_record: using client decoder
decrypt_ssl3_record: no decoder available
dissect_ssl3_handshake iteration 1 type 74 offset 11 length 14921458 bytes, remaining 91 

dissect_ssl enter frame #9 (first time)
packet_from_server: is from server - FALSE
  conversation = 0000000004711700, ssl_session = 00000000047120D0
  record: offset = 0, reported_length_remaining = 1460
  need_desegmentation: offset = 0, reported_length_remaining = 1460

dissect_ssl enter frame #14 (first time)
packet_from_server: is from server - FALSE
  conversation = 0000000004711700, ssl_session = 00000000047120D0
  record: offset = 0, reported_length_remaining = 4485
dissect_ssl3_record: content_type 23 Application Data
decrypt_ssl3_record: app_data len 4480, ssl state 0x17
packet_from_server: is from server - FALSE
decrypt_ssl3_record: using client decoder
decrypt_ssl3_record: no decoder available

dissect_ssl enter frame #18 (first time)
packet_from_server: is from server - TRUE
  conversation = 0000000004711700, ssl_session = 00000000047120D0
  record: offset = 0, reported_length_remaining = 309
dissect_ssl3_record: content_type 23 Application Data
decrypt_ssl3_record: app_data len 304, ssl state 0x17
packet_from_server: is from server - TRUE
decrypt_ssl3_record: using server decoder
decrypt_ssl3_record: no decoder available

dissect_ssl enter frame #27 (first time)
packet_from_server: is from server - FALSE
  conversation = 0000000004714A40, ssl_session = 0000000004715410
  record: offset = 0, reported_length_remaining = 146
dissect_ssl3_record: content_type 22 Handshake
Calculating hash with offset 5 141
decrypt_ssl3_record: app_data len 141, ssl state 0x00
packet_from_server: is from server - FALSE
decrypt_ssl3_record: using client decoder
decrypt_ssl3_record: no decoder available
dissect_ssl3_handshake iteration 1 type 1 offset 5 length 137 bytes, remaining 146 
ssl_dissect_hnd_hello_common found CLIENT RANDOM -> state 0x01

asked 19 Jan '17, 09:12

ping2
edited 19 Jan '17, 09:34

grahamb ♦
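
Added example, not part of the original post or of Wireshark: a small Python parser that groups SSL debug lines like those quoted in the question by conversation and labels why no master secret was found. The sample log is constructed from the shape of the quoted lines, and the function names and cause labels are this example's own.

```python
import re
from collections import defaultdict

# Constructed sample: lines in the shape of the debug output quoted in the question.
SAMPLE_LOG = """\
dissect_ssl enter frame #4 (first time)
  conversation = 0000000004711700, ssl_session = 00000000047120D0
dissect_ssl3_handshake iteration 1 type 1 offset 5 length 137 bytes, remaining 146
dissect_ssl enter frame #6 (first time)
  conversation = 0000000004711700, ssl_session = 00000000047120D0
ssl_dissect_hnd_srv_hello found CIPHER 0x003D TLS_RSA_WITH_AES_256_CBC_SHA256 -> state 0x17
ssl_dissect_change_cipher_spec Session resumption using Session ID
ssl_load_keyfile dtls/ssl.keylog_file is not configured!
ssl_restore_master_key can't find master secret by Session ID
  Cannot find master secret
dissect_ssl enter frame #27 (first time)
  conversation = 0000000004714A40, ssl_session = 0000000004715410
dissect_ssl3_handshake iteration 1 type 1 offset 5 length 137 bytes, remaining 146
"""

FRAME = re.compile(r"^dissect_ssl enter frame #(\d+)")
CONV = re.compile(r"conversation = ([0-9A-Fa-f]+)")
CIPHER = re.compile(r"found CIPHER 0x[0-9A-Fa-f]{4} (\S+)")

def summarize(log_text):
    """Group debug lines by conversation and record the decryption-relevant events."""
    convs = defaultdict(lambda: {"frames": [], "cipher": None, "resumed": False,
                                 "keylog_missing": False, "no_master_secret": False})
    cur, frame = None, None
    for line in log_text.splitlines():
        if m := FRAME.match(line):
            frame, cur = int(m.group(1)), None      # new frame, conversation not yet known
        elif m := CONV.search(line):
            cur = convs[m.group(1)]
            cur["frames"].append(frame)
        elif cur is not None:
            if m := CIPHER.search(line):
                cur["cipher"] = m.group(1)
            cur["resumed"] |= "Session resumption using Session ID" in line
            cur["keylog_missing"] |= "keylog_file is not configured" in line
            cur["no_master_secret"] |= "Cannot find master secret" in line
    return dict(convs)

def diagnose(conv):
    """Map the recorded events to a short cause label (labels are this example's own)."""
    if not conv["no_master_secret"]:
        return "no-failure-logged"
    if conv["resumed"]:
        # Abbreviated handshake: no ClientKeyExchange in this capture, so the RSA
        # private key has no encrypted pre-master secret to work from.
        return "resumed-session-full-handshake-not-captured"
    return "master-secret-missing"

if __name__ == "__main__":
    for conv_id, conv in summarize(SAMPLE_LOG).items():
        print(conv_id, conv["frames"], conv["cipher"], diagnose(conv))
```

A conversation labelled as resumed can only be decrypted with the server's RSA key if the capture also contains the earlier full handshake for that Session ID; otherwise a key log file is needed, which the quoted log reports as not configured.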