
Why can't I decrypt TLS traffic in one of my captures?

Can't find log files for Wireshark.

I have a tcpdump from server that Decode As TLS doesn't work.

I've successfully decoded dumps from the same server recently.

No idea why this fresh dump doesn't decode.

rschuster
asked 2020-10-13 20:23:29 +0000
Guy Harris
updated 2020-10-14 19:44:02 +0000

Comments

What steps have you taken to decode it? TLS decryption does not work statically. If you could decode last month and have not done the proper steps again, you can't decode from the same server now in most cases.

hugo.vanderkooij (2020-10-14 07:47:00 +0000)

To what log files are you referring?

Guy Harris (2020-10-14 08:01:54 +0000)

Local Wireshark log file on PC, trying to determine why Wireshark doesn't decode the new dump taken from a server.

I think I'm doing the right steps to decode, nothing has changed but when I right click to decode new trace nothing happens.

rschuster (2020-10-14 12:52:54 +0000)

Might be that my dump doesn't seem to have the ClientKeyExchange packet, I'll try again.

rschuster (2020-10-14 15:21:09 +0000)

Local Wireshark log file on PC, trying to determine why Wireshark doesn't decode the new dump taken from a server.

Wireshark doesn't have a log file to which it writes errors. It should be reporting all errors directly to the user, either as dialog boxes or as indications in the display of packet details. For some failures it doesn't report a reason for the failure when it should - for example, IEEE 802.11 decryption can fail with no indication why it failed; all the user sees is that the 802.11 payload isn't decrypted and dissected.

Guy Harris (2020-10-14 16:56:18 +0000)

1 Answer

I was able to decrypt one that included the KeyExchange packet.

rschuster
answered 2020-10-14 19:05:56 +0000

Comments

This appears to be mentioned, at least for decryption using an RSA private key, in the "TLS decryption" section of the TLS page of the Wireshark Wiki:

The RSA private key file can only be used in the following circumstances:

...

  • The session has not been resumed. The handshake must include the ClientKeyExchange handshake message.
Guy Harris (2020-10-14 19:43:20 +0000)
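The ClientKeyExchange condition quoted above can be checked directly on the handshake bytes before spending time on the key file. This is an added example, not code from this thread or from the Wireshark project; it assumes the reassembled TLS byte stream has already been extracted from the capture, and the two handshakes it tests are constructed dummies.

```python
import struct

HANDSHAKE, CHANGE_CIPHER_SPEC = 22, 20   # TLS record content types
CLIENT_KEY_EXCHANGE = 16                 # handshake message type
HS_NAMES = {1: "ClientHello", 2: "ServerHello", 11: "Certificate",
            14: "ServerHelloDone", 16: "ClientKeyExchange"}

def handshake_types(stream: bytes) -> list:
    """Handshake message types in the plaintext records of a reassembled TLS
    stream. Stops at the first ChangeCipherSpec: later records are encrypted."""
    types, off = [], 0
    while off + 5 <= len(stream):
        ctype, _version, rlen = struct.unpack("!BHH", stream[off:off + 5])
        body = stream[off + 5:off + 5 + rlen]
        off += 5 + rlen
        if ctype == CHANGE_CIPHER_SPEC:
            break
        if ctype != HANDSHAKE:
            continue
        pos = 0
        while pos + 4 <= len(body):       # one record may carry several messages
            hlen = int.from_bytes(body[pos + 1:pos + 4], "big")
            types.append(body[pos])
            pos += 4 + hlen
    return types

def rsa_key_can_decrypt(stream: bytes) -> bool:
    """Necessary (not sufficient) condition quoted above: ClientKeyExchange must
    be present. Resumed sessions skip it and TLS 1.3 has no such message."""
    return CLIENT_KEY_EXCHANGE in handshake_types(stream)

def hs(msg_type: int, payload: bytes) -> bytes:
    """Build one handshake record (constructed test data; payloads are dummies)."""
    body = bytes([msg_type]) + len(payload).to_bytes(3, "big") + payload
    return struct.pack("!BHH", HANDSHAKE, 0x0303, len(body)) + body

CCS = struct.pack("!BHH", CHANGE_CIPHER_SPEC, 0x0303, 1) + b"\x01"
HELLO = b"\x03\x03" + b"\x00" * 32         # version + random (dummy)
# Full handshake: client sends the RSA-encrypted premaster secret in ClientKeyExchange.
FULL_HANDSHAKE = (hs(1, HELLO) + hs(2, HELLO) + hs(11, b"\x00\x00\x00") +
                  hs(14, b"") + hs(16, b"\x01\x00" + b"\x00" * 256) + CCS)
# Resumed session: ServerHello goes straight to ChangeCipherSpec, no key exchange.
RESUMED_SESSION = hs(1, HELLO) + hs(2, HELLO) + CCS

if __name__ == "__main__":
    for name, stream in (("full", FULL_HANDSHAKE), ("resumed", RESUMED_SESSION)):
        msgs = [HS_NAMES.get(t, str(t)) for t in handshake_types(stream)]
        print(f"{name}: {msgs} -> RSA key usable: {rsa_key_can_decrypt(stream)}")
```

A capture that only shows the resumed shape is the one the answer above describes: the key file is fine, but the handshake carries nothing the RSA key could decrypt.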
