Ask Your Question
0

Decrypt TLS - TLS1.2 seen as TCP ?

asked 2022-01-21 11:15:48 +0000

hjacquemin gravatar image

Hello Guys,

I'm facing an issue with wireshark and the TLS decryption. I have an old trace (november) from a user and his SSLKEYLOFGILE. This trace is decrypted by wireshark.

Recently, I needed to do it again but this time wireshark doesn't decrypt the TLS stream.

Source of both traces is the same user (same browser and same URL).

In the new trace the TLS 1.2 is displayed as TCP (not sure if it's the issue) but at this point I'm unable to decrypt the traffic.

I upgraded to the latest version 3.4.2 (in case of) but still the same issue.

I absolutly need to read this file (problem occurs rarely and we doesn't know how to generate the issue) so I don't have much traces :/

Can you help me?

Thanks a lot

Herve Jacquemin

edit retag flag offensive close merge delete

Comments

3.6.1 is the latest stable version of Wireshark. Is the traffic on TCP port 443? Have you tried creating a new profile in Wireshark to eliminate config settings?

You could share the capture on a public share and link back to it here so we can check why it's not being dissected as TLS, even if we can't decrypt it.

grahamb gravatar imagegrahamb ( 2022-01-21 12:01:25 +0000 )edit

You'll find the trace here (link valid 1 week).

I just upgraded again to 3.6.1 but still the same. I don't use profile, I use default settings.

Yes it's on port 443.

It's wierd as old trace are good and not the last one.

Thanks for your help

hjacquemin gravatar imagehjacquemin ( 2022-01-21 12:54:34 +0000 )edit

2 Answers

Sort by ยป oldest newest most voted
0

answered 2022-01-22 10:25:20 +0000

SYN-bit gravatar image

The TLS sessions are proxied. Normally when there is a proxied connection over port 8080 or so, ou are able to see the "CONNECT <xxx.xxx.xxx>", the "HTTP/1.1 200 OK" and then the following packets would be shown as TLS, but since this proxy connection is using port 443 as proxy port, Wireshark seems to get confused.

As a workaround, you can disable the HTTP protocol dissector, which will expose the TLS decoding for the TLS part of the proxy connections.

edit flag offensive delete link more
0

answered 2022-01-21 14:07:41 +0000

hjacquemin gravatar image

I just found out that the client got Zscaler client installed (was not aware). It create a tunnel at the pc start so that's normal it's tagged as TCP.

Sorry for the time lost and thanks for your help anyway !

Have a nice week-end.

edit flag offensive delete link more

Your Answer

Please start posting anonymously - your entry will be published after you log in or create a new account.

Add Answer

Question Tools

1 follower

Stats

Asked: 2022-01-21 11:15:48 +0000

Seen: 1,828 times

Last updated: Jan 22 '22