Friday, May 5, 2017

Wireshark - How to decrypt SSL streams

The SSL dissector is fully functional and even supports advanced features such as decryption of SSL, provided the server's private key can be supplied and Wireshark is compiled against GnuTLS (rather than OpenSSL or bsafe). This works with RSA private keys, and only for sessions that negotiated a plain RSA key exchange (see below).

If Wireshark is compiled with SSL decryption support, there is an extra option in the SSL protocol preferences. If the key entry option is absent, verify that your Wireshark is linked against the required GnuTLS library. This can be done with  wireshark -v . The output should include "with GnuTLS" and "with Gcrypt". If instead you see "without GnuTLS" or "without Gcrypt", you will need to reconfigure with --with-gnutls, recompile and reinstall.

To configure an RSA private key, go to the SSL dissector preferences in the Protocols tree and press the RSA keys list button. A new dialog window appears showing the currently configured RSA private keys. Press the New button to configure a new RSA private key. In the new window you have to fill in the key file, its password if it has one, and (on Wireshark releases before 2.0) the address and port of the server the key belongs to:

The RSA key file can be either a PEM format private key or a PKCS#12 keystore. If the file is a PKCS#12 keystore (typically a file with a .pfx or .p12 extension), the password for the keystore must be entered in the Password field.

Starting with Wireshark 2.0, the RSA key file is automatically matched against the public key found in the Certificate handshake message, so a key entry no longer has to be tied to a particular server. Before Wireshark 2.0, it relied on the user entering a valid Address and Port value. Note that only RSA key exchanges can be decrypted using this RSA private key: Diffie-Hellman key exchanges (DHE and ECDHE suites) cannot be decrypted using an RSA key file! Those suites exist precisely so that the server's long-term key cannot recover the session keys (forward secrecy), and most current servers prefer them. Check the Cipher Suite field of the Server Hello (filter ssl.handshake.ciphersuite): only suites named TLS_RSA_WITH_... qualify; anything with DHE or ECDHE in the name does not, and neither does a TLS 1.3 session. (See "SSLKEYLOGFILE" if you have such a capture; with the pre-master secret logged by the client, the cipher suite no longer matters.)

The file format needed is PEM (or a PKCS#12 keystore, as described above). Note that it is common practice on web servers to combine the certificate and the private key in a single PEM file; the private key block in such a file is what Wireshark uses, so it can be pointed at directly. To confirm that a key really belongs to the certificate the server presents, compare the moduli printed by  openssl rsa -noout -modulus -in key.pem  and  openssl x509 -noout -modulus -in cert.pem ; if they differ, the automatic matching in Wireshark 2.0 and later will silently never apply the key.

references:
https://ask.wireshark.org/questions/34393/how-to-decrypt-ssl-traffic-using-wireshark
