This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

Decrypting a WCF response

0

Hi all,

What would be the possible reasons for Wireshark not showing a decrypted WCF response? I have successfully decrypted the request information from a WCF service for dummies, but can't get the response to be decrypted.

These are the frames of interest:

74 -60.405045 52.171.130.206 100.75.14.89 HTTP/XML 288 POST /Service1.svc HTTP/1.1
75 -60.404223 100.75.14.89 52.171.130.206 TLSv1 576 [SSL segment of a reassembled PDU], Application Data

Looking at the request frame detail, this is what I get (which is ok):

POST /Service1.svc HTTP/1.1
Content-Type: text/xml; charset=utf-8
SOAPAction: "http://tempuri.org/IService1/GetData"
Host: myazurecloudservice2.cloudapp.net
Content-Length: 157
Expect: 100-continue
Accept-Encoding: gzip, deflate
Connection: Keep-Alive

<s:envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/"><s:body><getdata xmlns="http://tempuri.org/"><value>0</value></getdata></s:body></s:envelope>

But I still can't see the decrypted response. What am I missing?

Thanks in advance!

asked 24 Jul '17, 09:29

c4rlosmarin
accept rate: 0%

edited 25 Jul '17, 10:46

cmaynard ♦♦


One Answer:

0

Some checks you could perform to investigate why the decrypted data is not shown:

  1. Check the Decrypted SSL byte view tab (normally at the bottom of the screen) for the Content-Length header. From this you will learn how much data to expect. If it is a small value, it will probably fit in a few frames. If there is no Decrypted SSL (or Decrypted SSL data in Wireshark 2.2 and before), then it indicates that decryption failed for some reason.
  2. "SSL segment of a reassembled PDU" indicates that the response has not been fully received yet; it will be fully reassembled in a later packet. But when TCP segments appear out-of-order, then it will mess up the dissection and decryption state. If this happens, decryption will fail and the response will not be shown.

answered 24 Jul '17, 20:45

Lekensteyn
accept rate: 30%
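The second check in the answer above, as an added example that is not part of the original thread and is not Wireshark's code: a simplified model of a TLS record reader that consumes TCP segments in capture order, showing when a frame is only a "segment of a reassembled PDU" and how one out-of-order segment stops record parsing. The sequence numbers, frames 76 and 77, and the 1200-byte payload are constructed sample values.

```python
import struct

def tls_record(content_type, payload, version=0x0301):
    """Build a TLS record: 1-byte type, 2-byte version, 2-byte length, body."""
    return struct.pack("!BHH", content_type, version, len(payload)) + payload

def walk_stream(segments, first_seq):
    """Feed (frame, seq, data) tuples in capture order to a TLS record parser.

    Returns (frame, status) pairs. Parsing stops at the first sequence gap,
    because every later byte would be misread as a record header or body.
    """
    expected, buf, out = first_seq, b"", []
    for frame, seq, data in segments:
        if seq != expected:
            out.append((frame, f"out of order: got seq {seq}, expected {expected}"))
            break
        expected += len(data)
        buf += data
        done = []
        while len(buf) >= 5:                      # 5 = TLS record header size
            ctype, _ver, length = struct.unpack("!BHH", buf[:5])
            if len(buf) < 5 + length:             # record body still incomplete
                break
            done.append(f"type {ctype} len {length}")
            buf = buf[5 + length:]
        if done:
            out.append((frame, "complete records: " + ", ".join(done)))
        else:
            out.append((frame, "segment of a reassembled PDU"))
    return out

# Constructed sample: one Application Data record (type 23) carrying a
# 1200-byte placeholder body, split across three TCP segments.
RECORD = tls_record(23, b"H" * 1200)
SEGS = [(75, 1000, RECORD[:500]), (76, 1500, RECORD[500:1000]), (77, 2000, RECORD[1000:])]

def in_order():
    return walk_stream(SEGS, first_seq=1000)

def swapped():
    # Same bytes, but the capture recorded frame 77 before frame 76.
    return walk_stream([SEGS[0], SEGS[2], SEGS[1]], first_seq=1000)

if __name__ == "__main__":
    for name, result in (("in order", in_order()), ("swapped", swapped())):
        print(name)
        for frame, status in result:
            print(f"  frame {frame}: {status}")
```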

Hi Lekensteyn,

Decrypted SSL byte view tab is just showing "48 H":

Here is the information from the SSL debug file

By the way, that last one (frame 61) is the only frame the server sends for the WCF response. The client successfully gets the response, but the trace from the server doesn't show it as a decrypted packet.

Thanks!

(25 Jul '17, 13:46) c4rlosmarin

I suppose the H is part of the headers, starting with HTTP/1.1 200 OK. Indeed, the decrypted data is shown on the first pass, but not in the second one. Can you file a bug report with the attached pcap?

(28 Jul '17, 07:21) Lekensteyn
1

Hi Lekensteyn,

I've submitted a bug with the required information: https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=13943

Cheers!

(03 Aug '17, 13:05) c4rlosmarin

Related to bug 13943, version 2.4.2 is actually not showing any WCF response at all. I've attached the screenshot of what I see as well as the trace and the self-signed certificate.

Since bug 13943 was declared as duplicate, I've submitted the information for bug 13885 (https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=13885)

Cheers!

(17 Oct '17, 10:05) c4rlosmarin