How to decrypt a packet capture with session keys?

Problem

This solution describes how to decrypt packet captures that contain SSL sessions negotiated with ECDHE cipher suites.

Solution

It is not possible to use the server's private key to decrypt a packet capture when the SSL handshake used an elliptic-curve ephemeral key exchange such as ECDHE, because with an ephemeral key exchange the session keys are not derived from the certificate's private key.

In such scenarios we can use the SSL session keys that the APV saves when a packet capture is taken on the APV.

Example:

We have an SSL virtual host configured with only ECDHE cipher suites.

When we access this VIP, we can see that the negotiated cipher suite is ECDHE based.

The packet capture below was taken while accessing the VIP.

The sslkeylog file is GPG encrypted, so we need to share it with Array Tech Support to have it decrypted.

After decryption we get a tar file containing the sslkeylog.

Extract the file to obtain the SSL session keys.

Now use this key file in Wireshark to decrypt the SSL traffic.

Before decrypting the packet capture, filtering for TLS shows only encrypted traffic.

To decrypt, follow the steps below in the Wireshark GUI:

Go to Edit > Preferences > Protocols > TLS > (Pre)-Master-Secret log filename, then browse to and select the sslkeylog file (highlighted in red in the screenshot).

Now you can see that the capture is decrypted even though the negotiated cipher suite was ECDHE.
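As an added example (not part of the original article and not Array's own tooling), the following Python script checks whether an extracted sslkeylog file actually covers the sessions in a capture before you load it into Wireshark: it parses the NSS key log format that Wireshark reads and matches each ClientHello's client_random against the log. The sample key log and ClientHello records are constructed inline; the `make_client_hello` helper, the cipher suite offered and the secret value are assumptions for illustration.

```python
import re

# NSS key log format, which Wireshark reads: "<LABEL> <client_random hex> <secret hex>".
# TLS 1.2 sessions log one CLIENT_RANDOM line; TLS 1.3 sessions log several per-secret labels.
KEYLOG_LINE = re.compile(r"^([A-Z0-9_]+) ([0-9a-fA-F]{64}) ([0-9a-fA-F]+)$")

def parse_keylog(text):
    """Map client_random (lowercase hex) -> set of labels; comments, blanks and malformed lines are skipped."""
    entries = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = KEYLOG_LINE.match(line)
        if m:
            entries.setdefault(m.group(2).lower(), set()).add(m.group(1))
    return entries

def client_random_from_record(record):
    """Extract the 32-byte client_random from a TLS record carrying a ClientHello.
    Layout: 5-byte record header, 4-byte handshake header, 2-byte client_version, 32-byte random."""
    if len(record) < 43 or record[0] != 0x16 or record[5] != 0x01:
        raise ValueError("not a ClientHello record")
    return record[11:43].hex()

def coverage(keylog_text, client_hello_records):
    """For each ClientHello in the capture, report whether the key log holds secrets for it."""
    keys = parse_keylog(keylog_text)
    return {client_random_from_record(r): client_random_from_record(r) in keys
            for r in client_hello_records}

def make_client_hello(client_random):
    """Construct a minimal ClientHello record offering one ECDHE suite (test data, not a real capture)."""
    body = (b"\x03\x03" + client_random      # client_version TLS 1.2, client_random
            + b"\x00"                        # empty session_id
            + b"\x00\x02\xc0\x2f"            # cipher_suites: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
            + b"\x01\x00")                   # compression_methods: null
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x01" + len(handshake).to_bytes(2, "big") + handshake

# Constructed sample data: one session is in the key log, one is not.
RANDOM_A = bytes(range(32))
RANDOM_B = bytes(range(32, 64))
SAMPLE_KEYLOG = (
    "# constructed sample key log, not from a real APV\n"
    f"CLIENT_RANDOM {RANDOM_A.hex()} {'ab' * 48}\n"   # 48-byte master secret (placeholder value)
)

if __name__ == "__main__":
    for rnd, ok in coverage(SAMPLE_KEYLOG, [make_client_hello(RANDOM_A), make_client_hello(RANDOM_B)]).items():
        print(f"{rnd[:16]}... {'keys present' if ok else 'NOT in key log'}")
```

Wireshark exposes the same GUI setting as the `tls.keylog_file` preference, so `tshark -r capture.pcap -o tls.keylog_file:sslkeylog.txt` performs the same decryption from the command line.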
