Search:     Advanced search
Browse by category:
Glossary | Ask question

How to Decrypt Packet capture with Session keys?
Add comment
Views: 545
Votes: 0
Comments: 0


This solution helps to decrypt packet captures that contains ECDHE cipher based SSL Sessions



It is not possible to use Private Key to decrypt packet capture when SSL handshake is done using Elliptical Ciphers like ECDHE.


In such scenarios we can make use of SSL Session keys that APV saves when we take packet capture on APV.




We have a ssl vhost with all ECDHE ciphers


When we access this VIP, we can see cipher negotiated is ECDHE based



Below packet capture was taken while accessing VIP



Sslkeylog file is gpg encrypted and hence we need to share sslkeylog file with Array Tech Support to get file decrypted.


After decryption we get a Tar file of sslkeylog



Extract the file to get SSL session keys


Now use this key file in Wireshark to decrypt the SSL traffic.


Before decrypting packet capture if we filter for TLS we can see encrypted traffic.



To decrypt follow below steps in Wireshark GUI:


Go to Edit > Preferences >Protocols > TLS > (Pre)-Master-Secret log filename --- Browse and Select the sslkeylog file here [highlighted in RED color]



Now you can see that file is decrypted even though cipher negotiated was ECDHE




Other questions in this category
How to download corefile(s)?
What is the max number of Syslog servers Array support on the SPX
What is the max number of SNMP servers Array support on the SPX
What is the syntax of ssldump to decrypt an SSL trace?
What is the syntax of ssldump to collect a clear text SSL trace?
What are the commands that will not sync either by SSF or Synconfig?
How to collect the debug snapshot all?
How to collect debug snapshot and traces?
How does the SPX send SNMP trap?
What are the steps for password recovery of APV/AG/ASF Appliance?