This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

decrypting ssl using tshark while only seeing one side of the conversation

0

Hello, I've been bashing my brain trying to find a solution to decrypting SSL traffic using tshark when I only have access to one side of the conversation. The traffic I see is asymmetric, so I will never see the response from the SSL handshake leaving my network, as it leaves out of another network pipe. Would it be possible to sniff the traffic having the private/pub keys, or would I require full visibility into the TCP session?

Thank you.

asked 27 Feb '12, 23:49

divious1


One Answer:

1

AFAIK that is not possible. You need information from both sides of the conversation to be able to decrypt the traffic. The things that pop into mind are:

  • You need the ServerHello message from the server to know which cipher was chosen
  • You need the ClientKeyExchange from the client to extract the pre-master secret to extract the bulk-encryption key for each specific SSL session

answered 04 Mar '12, 03:27

SYN-bit ♦♦
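
The check described in the answer, as an added example that is not part of the original post or of Wireshark: it walks the TLS records of each direction and reports whether the ServerHello (with its chosen cipher suite) and the ClientKeyExchange are present. It assumes each direction's TCP payload has already been reassembled into a byte string; the function names and the sample streams are constructed for illustration.

```python
import struct

HANDSHAKE, CHANGE_CIPHER_SPEC = 22, 20          # TLS record content types
SERVER_HELLO, CLIENT_KEY_EXCHANGE = 2, 16       # TLS handshake message types

def handshake_messages(stream: bytes):
    """Return [(type, body)] for the cleartext handshake messages in one direction."""
    buf, pos = b"", 0
    while pos + 5 <= len(stream):
        ctype, _version, length = struct.unpack_from("!BHH", stream, pos)
        if ctype == CHANGE_CIPHER_SPEC:
            break                                # records after this are encrypted
        if ctype == HANDSHAKE:
            buf += stream[pos + 5 : pos + 5 + length]
        pos += 5 + length
    msgs, off = [], 0
    while off + 4 <= len(buf):                   # messages may share or span records
        mlen = int.from_bytes(buf[off + 1 : off + 4], "big")
        if off + 4 + mlen > len(buf):
            break                                # truncated message, stop
        msgs.append((buf[off], buf[off + 4 : off + 4 + mlen]))
        off += 4 + mlen
    return msgs

def server_hello_cipher(body: bytes) -> int:
    """ServerHello: version(2) random(32) sid_len(1) sid cipher_suite(2) compression(1)."""
    sid_len = body[34]
    return int.from_bytes(body[35 + sid_len : 37 + sid_len], "big")

def assess(client_stream: bytes, server_stream: bytes) -> dict:
    """Report which of the two messages named in the answer are in the capture."""
    cipher = next((server_hello_cipher(b) for t, b in handshake_messages(server_stream)
                   if t == SERVER_HELLO), None)
    cke = any(t == CLIENT_KEY_EXCHANGE for t, _ in handshake_messages(client_stream))
    missing = [n for n, ok in (("ServerHello", cipher is not None),
                               ("ClientKeyExchange", cke)) if not ok]
    return {"cipher_suite": cipher, "client_key_exchange": cke, "missing": missing}

# --- constructed sample streams (not from a real capture) ---
def _msg(mtype, body): return bytes([mtype]) + len(body).to_bytes(3, "big") + body
def _rec(ctype, payload): return struct.pack("!BHH", ctype, 0x0301, len(payload)) + payload

CLIENT = (_rec(22, _msg(1, b"\x03\x01" + bytes(32))) + _rec(22, _msg(16, bytes(130)))
          + _rec(20, b"\x01") + _rec(22, bytes(40)))
SERVER = (_rec(22, _msg(2, b"\x03\x01" + bytes(32) + b"\x00" + b"\x00\x2f" + b"\x00"))
          + _rec(20, b"\x01") + _rec(22, bytes(40)))

if __name__ == "__main__":
    print(assess(CLIENT, SERVER))   # both directions captured
    print(assess(CLIENT, b""))      # client side only, as in the question
```

With only the client direction, the report lists `ServerHello` as missing, which is the situation the question describes.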