I am trying to figure out how you can tell the time duration of an SSL session. In Wireshark, if you choose from the File Menu Statistics -> Conversations -> TCP -> Limit to filter, you get results based on your filter. If I choose "SSL" as my filter then all the results would be SSL packets/sessions. My question is "How is the time duration field of the SSL session computed?" I am having difficulty finding out what keeps track of an SSL session. Any help would be greatly appreciated. Thank you. This question is marked "community wiki". asked 14 Sep '11, 04:30 gakar06
One Answer:
The "Duration" column in the Conversation statistics is the time difference between the first packet seen in the conversation and the last packet seen in the conversation. When you use the option "limit to display filter", the first and last packet seen in a particular conversation can change. As in your case, the filter "ssl" won't match the packets of the 3-way handshake, so the first packet seen in the TCP conversation that is displayed when the filter "ssl" is active is the ClientHello. The last packet seen will either be a data packet (with unclean shutdown enabled on the server) or an EncryptedAlert message. The FIN packets and the last ACK will not be seen when using the filter "ssl". So the duration column will show the time between the ClientHello and the last data/alert packet. If you want to include the TCP session setup and teardown in the calculation of the duration column, you can use the display filter "tcp.port==443" instead of "ssl". answered 14 Sep '11, 05:18 SYN-bit
Thanks for the quick response SYN-bit. I will definitely use "tcp.port == 443" instead of "SSL" to make the SSL session duration more accurate, but I guess what I am asking is how can you tell what SSL packets are specific to a given SSL session. I know in the Conversation statistics the information is there for you, but how did they determine, for instance, "these 5 packets make up this SSL session"? I am wanting to search several packet capture files (or a directory full of files) to pull out/extract the duration of each SSL session, but I am not sure how to determine what part of the packet signifies "hey, this is the start of the session". Is there a session identifier that would show if 5 packets are a part of the same SSL session?
(converted your "answer" to a "comment", see the FAQ for details)
In the TCP conversations overview, the IP addresses and TCP ports determine whether a packet belongs to a certain TCP session. Please note that in that window, there is no knowledge about SSL sessions, all is treated as TCP. But each TCP session can only belong to one SSL session, so in practice you are fine (unless you want to combine statistics for reused SSL sessions in which case multiple TCP conversations can belong to the same SSL session).
So what I was doing was combining the Src IP, Src Port, Dst IP, and Dst Port together to make basically a "unique key". So I concatenated the 4 fields together and was basically assuming that when these 4 fields are present, it represents a session.
For example, all 4 of the fields below (with the specific data in each field present) would represent a session. Does that make sense?
Src IP -> 123.123.123.123
Src Port -> 15451
Dst IP -> 213.213.213.213
Dst Port -> 443
With these results, I was able to determine the time of each session by subtracting the max(time) from the min(time). I did a count of the "unique key" above to give me the total number of sessions per "unique key". The issue I currently see with this is that the output could contain several different sessions because the dates could range from say May through August (and obviously the session didn't last that long).
So to make a long story short, I was trying to figure out how to determine the length of an SSL session and how I could determine if one packet was part of a "certain" SSL session.
Any ideas? Does what I described above make sense?
Gakar06
(please use "add comment" instead of "Your Answer" when replying, see the FAQ)
When multiple TCP sessions exist with the same combination of IP addresses and TCP ports, then you need to split up the sessions at the TCP SYN packets. That is the marker for a new session. Wireshark does this in the packet list and it will show you "[ports reused]" on the SYN of the new session. It will also assign a new tcp.stream number to all packets (which you can use to differentiate them too).
I'm not sure if the output in the conversation statistics takes multiple sessions with the same into account.
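As an added example (not code from this thread), here is a Python sketch of the approach SYN-bit describes: key packets on the 4-tuple, open a new session at every client SYN so reused ports are split, and take the duration as last minus first over only the packets a display filter ("ssl" versus "tcp.port==443") would keep. The packet records and timestamps are constructed; a real run would feed it the same fields exported with tshark -T fields, or simply group on the tcp.stream number Wireshark assigns.

```python
# Added example, not part of the original thread. Records are constructed to
# look like `tshark -T fields` output: epoch time, src, sport, dst, dport, kind.
SAMPLE = """\
1000.000 10.0.0.5 15451 198.51.100.7 443 SYN
1000.010 198.51.100.7 443 10.0.0.5 15451 SYN,ACK
1000.020 10.0.0.5 15451 198.51.100.7 443 ACK
1000.030 10.0.0.5 15451 198.51.100.7 443 ClientHello
1001.500 198.51.100.7 443 10.0.0.5 15451 EncryptedAlert
1001.600 10.0.0.5 15451 198.51.100.7 443 FIN
9000.000 10.0.0.5 15451 198.51.100.7 443 SYN
9000.040 10.0.0.5 15451 198.51.100.7 443 ClientHello
9002.000 10.0.0.5 15451 198.51.100.7 443 FIN
"""

# Packet kinds the "ssl" display filter would show (handshake, data, alerts).
SSL_KINDS = {"ClientHello", "ServerHello", "Data", "EncryptedAlert"}

def stream_key(src, sport, dst, dport):
    # Sort the two endpoints so both directions map to one conversation key.
    a, b = (src, sport), (dst, dport)
    return (a, b) if a <= b else (b, a)

def parse(text):
    pkts = []
    for line in text.splitlines():
        t, src, sport, dst, dport, kind = line.split()
        pkts.append((float(t), stream_key(src, sport, dst, dport), kind))
    return pkts

def sessions(pkts, keep=lambda kind: True):
    """Split each 4-tuple into sessions at every SYN (ports reused), then
    return (key, first_time, last_time) over the packets `keep` accepts."""
    current, out = {}, []          # current: key -> index of its open session
    for t, key, kind in sorted(pkts):
        if kind == "SYN":          # a fresh SYN always starts a new session
            out.append([key, None, None])
            current[key] = len(out) - 1
        if key not in current or not keep(kind):
            continue               # no SYN seen yet, or filtered out
        s = out[current[key]]
        if s[1] is None:
            s[1] = t
        s[2] = t
    return [tuple(s) for s in out if s[1] is not None]

def durations(text, ssl_only=False):
    """Per-session duration in seconds, mimicking 'ssl' or 'tcp.port==443'."""
    keep = (lambda k: k in SSL_KINDS) if ssl_only else (lambda k: True)
    return [round(last - first, 3) for _, first, last in sessions(parse(text), keep)]
```

The second session above contains only a ClientHello under the "ssl" filter, so its duration collapses to zero, which is exactly the distortion the answer warns about.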
Sorry about how I have been submitting my responses. I didn't realize what you had written in the parenthesis was for me.
Regarding the Duration column in Conversations, do you know if that is in seconds?
Thanks for your responses.