Lekensteyn's profile - activity

2020-05-21 21:19:14 +0000 commented question Wireshark OUI Lookup Tool Broken

@cmaynard Your tool sends the query to the server. I'd not recommend that tool and suggest the Wireshark OUI tool instea

2020-05-21 21:10:51 +0000 commented question Wireshark OUI Lookup Tool Broken

A fix has been implemented and deployed, thanks for raising this!

2020-05-21 19:33:44 +0000 commented question Wireshark OUI Lookup Tool Broken

I'll restore support for other formats. It was removed because these were not documented as valid options and the old pa

2020-02-22 17:29:00 +0000 received badge  Rapid Responder (source)
2020-02-22 17:29:00 +0000 answered a question Accessing decrypted TLS data in Lua dissector

You should not try to access the decrypted data via a field, but ensure that dissectors call each other. Register your

2020-02-22 00:24:28 +0000 commented question Quic Decryption fails

I don't see an attached flow. In any case, note that QUIC is an in-development protocol and subject to change. If you kn

2020-02-22 00:23:15 +0000 commented question TLS1.2 Handshake failure

This does not look like TLS traffic to me.

2020-02-22 00:20:15 +0000 received badge  Commentator
2020-02-22 00:20:15 +0000 commented question Decryption Issue with SSL-key-log file

Hi, consider providing the original capture file (note that it will obviously be public, so hopefully it does not have s

2020-02-22 00:14:26 +0000 received badge  Rapid Responder (source)
2020-02-22 00:14:26 +0000 answered a question How to decrypt TLS 1.3 PSK sent by Zabbix?

In TLS 1.2 and before, the PSK can be used with PSK cipher suites such as TLS_PSK_WITH_AES_128_CCM to decrypt sessions i

2020-02-16 18:04:32 +0000 received badge  Rapid Responder (source)
2020-02-16 18:04:32 +0000 answered a question Lua dissector, loop vs table, what is supported?

The result of ProtoField.new(...) should be added to the fields property of a Proto instance. This allows them to be reg

2020-01-03 13:55:49 +0000 answered a question [ws 3.2.0] quic handshake is decrypted but subsequent packets are not

From my reply at https://www.wireshark.org/lists/wireshark-users/202001/msg00000.html: In your screenshot, the visible

2020-01-03 13:53:34 +0000 commented question [ws 3.2.0] quic handshake is decrypted but subsequent packets are not

(This question was cross-posted at https://www.wireshark.org/lists/wireshark-users/201912/msg00009.html)

2020-01-03 13:53:05 +0000 commented question [ws 3.2.0] quic handshake is decrypted but subsequent packets are not

(This question was cross-posted at https://www.wireshark.org/lists/wireshark-users/201912/msg00009.html)

2020-01-03 13:52:45 +0000 commented question [ws 3.2.0] quic handshake is decrypted but subsequent packets are not

(This question was cross-posted at https://www.wireshark.org/lists/wireshark-users/201912/msg00009.html)

2019-10-20 18:25:20 +0000 edited question simulate packets of TCP/IP protocols

simulate packets of TCP/IP protocols I hope you don't mind my asking this, but I've been looking for different types of

2019-10-18 22:49:33 +0000 received badge  Rapid Responder (source)
2019-10-18 22:49:33 +0000 answered a question TLS decryption with Tshark and RSA keys

The TLS key log file (not to be confused with debug log file) can indeed not be used with RSA key files, it can only acc

2019-08-13 20:26:49 +0000 edited answer Regular failure to capture HTTP2

There are several possible reasons why you do not always see decrypted HTTP/2 traffic: Your capture started while the T

2019-08-13 20:22:35 +0000 answered a question Regular failure to capture HTTP2

There are several possible reasons why you do not always see decrypted HTTP/2 traffic: Your capture started while the T

2019-07-20 17:52:11 +0000 edited answer TLS 1.3 Hello Retry Messages

Wireshark supports TLS 1.3 since Wireshark 2.6.0. It of course supports the final RFC 8446 version, but currently suppor

2019-07-20 17:51:31 +0000 answered a question TLS 1.3 Hello Retry Messages

Wireshark supports TLS 1.3 since Wireshark 2.6.0. It of course supports the final RFC 8446 version, but currently suppor

2019-07-20 17:30:06 +0000 commented answer Is there any version of wireshark which support coap over TCP and coap over websockets?

The reporter has opened a bug report at https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=15910, CoAP over WebSockets

2019-07-20 17:28:33 +0000 commented answer Why isn't DNS-over-TLS (DoT) - RFC7858 - being dissected by Wireshark 3.0?

DNS-over-TLS (DoT) is different from DNS-over-HTTPS (DoH). The former defaults to TCP port 853 where the latter runs ove

2019-06-19 22:39:15 +0000 received badge  Rapid Responder (source)
2019-06-19 22:39:15 +0000 answered a question Wireshark 3.0.2 Linux for Debian/Ubuntu

You can manually build from source using the latest tarball, the Debian packaging scripts are included. Grab the latest

2019-06-19 01:06:13 +0000 commented answer Help decrypting TLS between socket client and server

If you open the packet capture in Wireshark, you will find it in the packet details:

2019-06-19 00:56:23 +0000 edited answer Display filter for TLS versions in tshark and saving to a new file.

TLS negotiates the TLS version during the handshake. The client reports its minimum version through the tls.record.versi

2019-06-19 00:56:10 +0000 received badge  Rapid Responder (source)
2019-06-19 00:56:10 +0000 answered a question Display filter for TLS versions in tshark and saving to a new file.

TLS negotiates the TLS version during the handshake. The client reports its minimum version through the tls.record.versi

2019-06-19 00:45:05 +0000 edited answer Looking for failed SSL handshakes

When implementations fail during the TLS handshake, they typically do either: Forcefully the TCP connection. This can

2019-06-19 00:44:03 +0000 received badge  Rapid Responder (source)
2019-06-19 00:44:03 +0000 answered a question Looking for failed SSL handshakes

When implementations fail during the TLS handshake, they typically do either: Forcefully the TCP connection. This can

2019-06-19 00:38:44 +0000 edited answer quic malformed packet error

Wireshark has reasonable support (dissection and decryption) for the QUIC version that is in development by the IETF wor

2019-06-19 00:38:14 +0000 edited answer quic malformed packet error

Wireshark has reasonable support (dissection and decryption) for the QUIC version that is in development by the IETF wor

2019-06-19 00:36:55 +0000 answered a question quic malformed packet error

Wireshark has reasonable support (dissection and decryption) for the QUIC version that is in development by the IETF wor

2019-06-15 19:21:04 +0000 commented answer Help decrypting TLS between socket client and server

Building libsslkeylog.so requires OpenSSL development headers which you can install with yum install openssl-devel as ro

2019-06-13 23:38:23 +0000 edited answer Help decrypting TLS between socket client and server

As Graham said, your session is using an ephemeral Diffie-Hellman (DH) cipher suite: ssl_set_cipher found CIPHER 0xC

2019-06-13 23:38:07 +0000 edited answer Help decrypting TLS between socket client and server

As Graham said, your session is using an ephemeral Diffie-Hellman (DH) cipher suite: ssl_set_cipher found CIPHER 0xC

2019-06-13 23:37:13 +0000 received badge  Rapid Responder (source)
2019-06-13 23:37:13 +0000 answered a question Help decrypting TLS between socket client and server

As Graham said, your session is using an ephemeral Diffie-Hellman (DH) cipher suite: ssl_set_cipher found CIPHER 0xC

2019-06-13 23:25:45 +0000 commented answer TLS1.2 handshaking issue, need help, urgent, thanks a ton!

@xjfromsh Why do you think that lack of a Certificate and Key Exchange message is a problem? Session resumption speeds u

2019-06-12 20:56:34 +0000 commented answer Decrypt TLS 1.3 with Wireshark

The slides are now up here: https://lekensteyn.nl/files/wireshark-tls-debugging-sharkfest19us.pdf You need at least Wire

2019-06-12 20:54:08 +0000 commented question mmdbresolve.exe could not be removed. Is it in use?

Can you double-check your process list? It should exit automatically when Wireshark is closed.

2019-06-10 17:39:36 +0000 answered a question How to capture HTTPS traffic with v3.0.2?

If you can absolutely not decrypt any traffic even if the key log file is correctly written and configured in Wireshark,

2018-12-19 22:46:29 +0000 answered a question Wireshark SSLKEYLOGFILE decryption not working

While the key log file is non-empty, some keys are still missing. To cross-reference the keys from the key log file, no
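The two answers above (TLS key log file vs. RSA key files, and cross-referencing a non-empty key log against a capture whose sessions still do not decrypt) both come down to the same check: Wireshark looks up CLIENT_RANDOM and TLS 1.3 *_TRAFFIC_SECRET lines by the 32-byte random in each session's ClientHello, so a ClientHello whose random has no key log line cannot be decrypted. The following script is an added example, not code from Lekensteyn's answers or from Wireshark; it parses a key log in the NSS Key Log Format, extracts the random from ClientHello records, and reports the sessions that have no matching entry. The key log contents, ClientHello bytes and the helper names (parse_keylog, client_hello_random, build_client_hello, sessions_without_keys) are all constructed here for illustration.

```python
"""Cross-reference a TLS key log file with ClientHello records (added example).

Key log lines (NSS Key Log Format, written by SSLKEYLOGFILE-aware libraries
and read by Wireshark) look like:
    CLIENT_RANDOM <client random, 64 hex> <master secret, 96 hex>   (TLS <= 1.2)
    CLIENT_TRAFFIC_SECRET_0 <client random, 64 hex> <secret hex>    (TLS 1.3)
    RSA <first 8 bytes of encrypted pre-master, 16 hex> <pre-master, 96 hex>
Wireshark matches the first two kinds against the ClientHello random.
"""
import struct

# Labels that are keyed by the 32-byte ClientHello random. The RSA label is
# keyed by the encrypted pre-master secret instead and is skipped here.
CLIENT_RANDOM_LABELS = {
    "CLIENT_RANDOM",
    "CLIENT_EARLY_TRAFFIC_SECRET",
    "CLIENT_HANDSHAKE_TRAFFIC_SECRET",
    "SERVER_HANDSHAKE_TRAFFIC_SECRET",
    "CLIENT_TRAFFIC_SECRET_0",
    "SERVER_TRAFFIC_SECRET_0",
    "EXPORTER_SECRET",
}


def parse_keylog(text: str) -> dict:
    """Return {client_random_bytes: set(labels)} for every well-formed line."""
    keys = {}
    for lineno, line in enumerate(text.splitlines(), 1):
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split()
        if len(parts) != 3:
            raise ValueError(f"line {lineno}: expected 3 fields, got {len(parts)}")
        label, client_random, _secret = parts
        if label not in CLIENT_RANDOM_LABELS:
            continue
        if len(client_random) != 64:
            raise ValueError(f"line {lineno}: client random must be 32 bytes of hex")
        keys.setdefault(bytes.fromhex(client_random), set()).add(label)
    return keys


def client_hello_random(record: bytes) -> bytes:
    """Extract the 32-byte random from a TLS record that carries a ClientHello."""
    if len(record) < 5 or record[0] != 0x16:      # ContentType handshake
        raise ValueError("not a TLS handshake record")
    rec_len = struct.unpack("!H", record[3:5])[0]
    hs = record[5:5 + rec_len]
    if len(hs) < 4 or hs[0] != 0x01:              # HandshakeType client_hello
        raise ValueError("not a ClientHello")
    hs_len = int.from_bytes(hs[1:4], "big")
    body = hs[4:4 + hs_len]
    if len(body) < 2 + 32:
        raise ValueError("truncated ClientHello")
    return body[2:34]                              # skip legacy_version


def build_client_hello(random32: bytes) -> bytes:
    """Construct a minimal ClientHello record (sample input for this example)."""
    body = (b"\x03\x03" + random32 + b"\x00"      # version, random, empty session id
            + b"\x00\x02\x13\x01"                   # one cipher suite
            + b"\x01\x00"                           # null compression only
            + b"\x00\x00")                          # no extensions
    hs = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x01" + struct.pack("!H", len(hs)) + hs


def sessions_without_keys(records, keylog_text: str) -> list:
    """Hex client randoms of ClientHellos that have no key log entry."""
    keys = parse_keylog(keylog_text)
    return [client_hello_random(r).hex() for r in records
            if client_hello_random(r) not in keys]


# Constructed sample data: two sessions, the key log only covers the first.
RANDOM_A = bytes(range(0x00, 0x20))
RANDOM_B = bytes(range(0xa0, 0xc0))
SAMPLE_KEYLOG = (
    f"CLIENT_RANDOM {RANDOM_A.hex()} {'11' * 48}\n"
    f"RSA {'22' * 8} {'33' * 48}\n"
)
SAMPLE_RECORDS = [build_client_hello(RANDOM_A), build_client_hello(RANDOM_B)]

if __name__ == "__main__":
    for r in sessions_without_keys(SAMPLE_RECORDS, SAMPLE_KEYLOG):
        print("no key log entry for ClientHello random", r)
```

In practice the ClientHello records would come from the capture (for instance exported with tshark's `tls.handshake.type == 1` filter) and the key log from the file named by SSLKEYLOGFILE; any random printed by the script is a session whose keys were never written, typically because the process had already started the connection before the key log was configured.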

2018-11-01 09:02:50 +0000 edited answer Unable to decrypt HTTPS TLSv1.2 traffic with wireshark (sha1WithRSAEncryption)

You indeed seem to satisfy the required conditions to use RSA private key files: TLS_RSA_WITH_AES_256_GCM_SHA384 uses

2018-11-01 09:02:37 +0000 answered a question Unable to decrypt HTTPS TLSv1.2 traffic with wireshark (sha1WithRSAEncryption)

You indeed seem to satisfy the required conditions to use RSA private key files: - TLS_RSA_WITH_AES_256_GCM_SHA384 uses