This is our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

I'm trying to use wireshark to debug a REST application running over HTTP with SSL.

I'm using Version 1.6.5 (SVN Rev 40429 from /trunk-1.6)running on Windows 7.

I've installed the RSA key in Wireshark using Edit/Prefernces/Protocols/SSL and installing my server's unencrypted private key inthe "RSA keys list". It's installed with the IP address of the server (in this case I'm running both server and client on the local machine, so it's the same as the address of the client), the port (which happens to be 8181), protocol=http (get an error if I try to put in https, so I assume http is the correct value here), and the location of my key file.

I also went to Edit/Preferences/Protocols/HTTP and addes 8181 after 443 in list of SSL ports for HTTP.

I also configured an ssl debug file location.

I captured some traffic using RawCap.exe and have it in a packet capture file. (If I try to capture directly using Wireshark it doesn't work, even though I'm using my machine's FQDN in the app, which is translating to the machine's address, not the loopback address, the traffic is perhaps still being sent via loopback, which I've read Wireshark can't sniff on Windows.)

When I open the packet capture file in Wireshark, I see some encouraging looking stuff in the ssl debug file (though I don't really know what it all means). However, what I really want to do is follow the TCP stream, and see the HTTP text that was sent back and forth. I can't seem to do this. The "Follow SSL Stream" option is greyed out. If I select "Follow TCP Stream" I see garbled data, though with some legible text scattered in.

Any suggestions?

Thanks,

Duncan

ssldebug file contents (with hex decodes snipped out):

Private key imported: KeyID 13:3e:82:de:30:23:69:10:8c:6e:7d:4e:29:17:18:7f:...
ssl_init IPv4 addr '192.168.1.6' (192.168.1.6) port '8181' filename 'C:\Users\duncant\Documents\Keys and Certs\duncanpc-privkey.key' password(only for p12 file) ''
ssl_init private key file C:\Users\duncant\Documents\Keys and Certs\duncanpc-privkey.key successfully loaded.
association_add TCP port 8181 protocol http handle 0000000004554940

dissect_ssl enter frame #32 (first time)
ssl_session_init: initializing ptr 0000000005F438C0 size 680
  conversation = 0000000005F43410, ssl_session = 0000000005F438C0
  record: offset = 0, reported_length_remaining = 103
packet_from_server: is from server - FALSE
ssl_find_private_key server 192.168.1.6:8181
client random len: 32 padded to 32
dissect_ssl2_hnd_client_hello found CLIENT RANDOM -> state 0x01

dissect_ssl enter frame #34 (first time)
  conversation = 0000000005F43410, ssl_session = 0000000005F438C0
  record: offset = 0, reported_length_remaining = 1432
  need_desegmentation: offset = 0, reported_length_remaining = 1432

dissect_ssl enter frame #35 (first time)
  conversation = 0000000005F43410, ssl_session = 0000000005F438C0
  record: offset = 0, reported_length_remaining = 2864
  need_desegmentation: offset = 0, reported_length_remaining = 2864

dissect_ssl enter frame #37 (first time)
  conversation = 0000000005F43410, ssl_session = 0000000005F438C0
  record: offset = 0, reported_length_remaining = 4296
  need_desegmentation: offset = 0, reported_length_remaining = 4296

dissect_ssl enter frame #38 (first time)
  conversation = 0000000005F43410, ssl_session = 0000000005F438C0
  record: offset = 0, reported_length_remaining = 5728
  need_desegmentation: offset = 0, reported_length_remaining = 5728

dissect_ssl enter frame #39 (first time)
  conversation = 0000000005F43410, ssl_session = 0000000005F438C0
  record: offset = 0, reported_length_remaining = 7160
  need_desegmentation: offset = 0, reported_length_remaining = 7160

dissect_ssl enter frame #40 (first time)
  conversation = 0000000005F43410, ssl_session = 0000000005F438C0
  record: offset = 0, reported_length_remaining = 8592
  need_desegmentation: offset = 0, reported_length_remaining = 8592

dissect_ssl enter frame #43 (first time)
  conversation = 0000000005F43410, ssl_session = 0000000005F438C0
  record: offset = 0, reported_length_remaining = 10024
  need_desegmentation: offset = 0, reported_length_remaining = 10024

dissect_ssl enter frame #44 (first time)
  conversation = 0000000005F43410, ssl_session = 0000000005F438C0
  record: offset = 0, reported_length_remaining = 11456
  need_desegmentation: offset = 0, reported_length_remaining = 11456

dissect_ssl enter frame #45 (first time)
  conversation = 0000000005F43410, ssl_session = 0000000005F438C0
  record: offset = 0, reported_length_remaining = 11894
dissect_ssl3_record found version 0x0301 -> state 0x11
dissect_ssl3_record: content_type 22
decrypt_ssl3_record: app_data len 11889, ssl state 0x11
packet_from_server: is from server - TRUE
decrypt_ssl3_record: using server decoder
decrypt_ssl3_record: no decoder available
dissect_ssl3_handshake iteration 1 type 2 offset 5 length 77 bytes, remaining 11894 
dissect_ssl3_hnd_hello_common found SERVER RANDOM -> state 0x13
dissect_ssl3_hnd_srv_hello found CIPHER 0x0004 -> state 0x17
dissect_ssl3_hnd_srv_hello trying to generate keys
ssl_generate_keyring_material not enough data to generate key (0x17 required 0x37 or 0x57)
dissect_ssl3_hnd_srv_hello can't generate keyring material
dissect_ssl3_handshake iteration 0 type 11 offset 86 length 1425 bytes, remaining 11894 
dissect_ssl3_handshake iteration 0 type 13 offset 1515 length 10371 bytes, remaining 11894 
dissect_ssl3_handshake iteration 0 type 14 offset 11890 length 0 bytes, remaining 11894

dissect_ssl enter frame #48 (first time)
  conversation = 0000000005F43410, ssl_session = 0000000005F438C0
  record: offset = 0, reported_length_remaining = 274
dissect_ssl3_record: content_type 22
decrypt_ssl3_record: app_data len 269, ssl state 0x17
packet_from_server: is from server - FALSE
decrypt_ssl3_record: using client decoder
decrypt_ssl3_record: no decoder available
dissect_ssl3_handshake iteration 1 type 11 offset 5 length 3 bytes, remaining 274 
dissect_ssl3_handshake iteration 0 type 16 offset 12 length 258 bytes, remaining 274 
pre master encrypted[256]:
<SNIP>
ssl_decrypt_pre_master_secret:RSA_private_decrypt
pcry_private_decrypt: stripping 207 bytes, decr_len 255
decrypted_unstrip_pre_master[255]:
<SNIP>
pre master secret[48]:
<SNIP>
ssl_generate_keyring_material:PRF(pre_master_secret)
pre master secret[48]:
<SNIP>
client random[32]:
<SNIP>
tls_prf: tls_hash(md5 secret_len 24 seed_len 77 )
tls_hash: hash secret[24]:
<SNIP>
tls_hash: hash seed[77]:
<SNIP>
hash out[48]:
<SNIP>
tls_prf: tls_hash(sha)
tls_hash: hash secret[24]:
<SNIP>
tls_hash: hash seed[77]:
<SNIP>
hash out[48]:
<SNIP>
PRF out[48]:
<SNIP>
master secret[48]:
<SNIP>
ssl_generate_keyring_material sess key generation
tls_prf: tls_hash(md5 secret_len 24 seed_len 77 )
tls_hash: hash secret[24]:
<SNIP>
tls_hash: hash seed[77]:
<SNIP>
hash out[64]:
<SNIP>
tls_prf: tls_hash(sha)
tls_hash: hash secret[24]:
<SNIP>
tls_hash: hash seed[77]:
<SNIP>
hash out[64]:
<SNIP>
PRF out[64]:
<SNIP>
key expansion[64]:
<SNIP>
Client MAC key[16]:
<SNIP>
Server MAC key[16]:
<SNIP>
Client Write key[16]:
<SNIP>
Server Write key[16]:
<SNIP>
Client Write IV[8]:
<SNIP>
Server Write IV[8]:
<SNIP>
ssl_generate_keyring_material ssl_create_decoder(client)
ssl_create_decoder CIPHER: ARCFOUR
decoder initialized (digest len 16)
ssl_generate_keyring_material ssl_create_decoder(server)
ssl_create_decoder CIPHER: ARCFOUR
decoder initialized (digest len 16)
ssl_generate_keyring_material: client seq 0, server seq 0
ssl_save_session stored session id[32]:
<SNIP>
ssl_save_session stored master secret[48]:
<SNIP>
dissect_ssl3_handshake session keys successfully generated

dissect_ssl enter frame #52 (first time)
  conversation = 0000000005F43410, ssl_session = 0000000005F438C0
  record: offset = 0, reported_length_remaining = 6
dissect_ssl3_record: content_type 20
dissect_ssl3_change_cipher_spec
packet_from_server: is from server - FALSE
ssl_change_cipher CLIENT

dissect_ssl enter frame #32 (already visited)
  conversation = 0000000005F43410, ssl_session = 0000000000000000
  record: offset = 0, reported_length_remaining = 103

dissect_ssl enter frame #45 (already visited)
  conversation = 0000000005F43410, ssl_session = 0000000000000000
  record: offset = 0, reported_length_remaining = 11894
dissect_ssl3_record: content_type 22
dissect_ssl3_handshake iteration 1 type 2 offset 5 length 77 bytes, remaining 11894 
dissect_ssl3_handshake iteration 0 type 11 offset 86 length 1425 bytes, remaining 11894 
dissect_ssl3_handshake iteration 0 type 13 offset 1515 length 10371 bytes, remaining 11894 
dissect_ssl3_handshake iteration 0 type 14 offset 11890 length 0 bytes, remaining 11894

dissect_ssl enter frame #48 (already visited)
  conversation = 0000000005F43410, ssl_session = 0000000000000000
  record: offset = 0, reported_length_remaining = 274
dissect_ssl3_record: content_type 22
dissect_ssl3_handshake iteration 1 type 11 offset 5 length 3 bytes, remaining 274 
dissect_ssl3_handshake iteration 0 type 16 offset 12 length 258 bytes, remaining 274

asked 16 Feb '12, 10:04

duncant's gravatar image

duncant
16113
accept rate: 0%

edited 16 Feb '12, 10:17

SYN-bit's gravatar image

SYN-bit ♦♦
17.1k957245

By the way, I should mention that I'm doing "mutual authentication", also known as "client authentication". I would assume that this wouldn't affect the SSL decode, but who knows...

(17 Feb '12, 09:13) duncant
Be the first one to answer this question!
toggle preview

Follow this question

By Email:

Once you sign in you will be able to subscribe for any updates here

By RSS:

Answers

Answers and Comments

Markdown Basics

  • *italic* or _italic_
  • **bold** or __bold__
  • link:[text](http://url.com/ "title")
  • image?![alt text](/path/img.jpg "title")
  • numbered list: 1. Foo 2. Bar
  • to add a line break simply add two spaces to where you would like the new line to be.
  • basic HTML tags are also supported

Question tags:

×319
×69
×62

question asked: 16 Feb '12, 10:04

question was seen: 5,630 times

last updated: 17 Feb '12, 09:13

p​o​w​e​r​e​d by O​S​Q​A