This article describes how to decrypt an SSL/TLS network trace (a packet capture) by using the ssldump utility and the server's private key.
Download the ssldump utility from the ssldump home page.
Install the ssldump utility.
The installation instructions and documentation for the ssldump utility are available on the ssldump documentation Web page.
Note: On UNIX or Linux, you do not need to download the utility separately; you can install it with the operating system's software management tool, such as rpm, yum, or ports.
Run the following command to decrypt the network trace:
ssldump -r <File_Name>.pcap -k <Key_File>.key -d host <IP_Address>
You specify the following options with the ssldump utility:
-r: Read packets from the <File_Name>.pcap file instead of capturing from the network.
-k: Use the <Key_File>.key file as the SSL key file. This must be the server's RSA private key in PEM format; if the key is passphrase-protected, also pass -p <Password>.
-d: Display the application data traffic.
host <IP_Address>: A capture filter expression, in the same syntax as tcpdump, that restricts the output to traffic to or from that host.
ssldump can only decrypt a session when the negotiated cipher suite uses RSA key exchange (suites named TLS_RSA_WITH_...) and the trace contains the complete handshake, including the ClientKeyExchange message. Sessions that negotiate a DHE or ECDHE suite, or that resume a session whose original handshake is not in the trace, cannot be decrypted with the server's private key; for those, the output shows the handshake records but no decrypted application data. The sample output that follows was captured with TLS 1.0 (shown by ssldump as Version 3.1) and RC4, MD5, DES and export-grade cipher suites, all of which are obsolete; the decryption procedure is unchanged on a modern trace, but a modern server will usually negotiate an ECDHE suite, which rules out this method.
New TCP connection #1: 10.102.14.108(1992) <-> 10.102.14.180(443)
1 1  0.0019 (0.0019)  C>S  Handshake
      ClientHello
        Version 3.1
        cipher suites
        TLS_RSA_WITH_RC4_128_MD5
        TLS_RSA_WITH_RC4_128_SHA
        TLS_RSA_WITH_3DES_EDE_CBC_SHA
        TLS_RSA_WITH_DES_CBC_SHA
        TLS_RSA_EXPORT1024_WITH_RC4_56_SHA
        TLS_RSA_EXPORT1024_WITH_DES_CBC_SHA
        TLS_RSA_EXPORT_WITH_RC4_40_MD5
        TLS_RSA_EXPORT_WITH_RC2_CBC_40_MD5
        TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA
        TLS_DHE_DSS_WITH_DES_CBC_SHA
        TLS_DHE_DSS_EXPORT1024_WITH_DES_CBC_SHA
        compression methods
                  NULL
1 2  0.0020 (0.0000)  S>C  Handshake
      ServerHello
        Version 3.1
        session_id[0]=

        cipherSuite         TLS_RSA_WITH_RC4_128_MD5
        compressionMethod                   NULL
1 3  0.0020 (0.0000)  S>C  Handshake
      Certificate
1 4  0.0020 (0.0000)  S>C  Handshake
      ServerHelloDone
1 5  0.0035 (0.0015)  C>S  Handshake
      ClientKeyExchange
1 6  0.0035 (0.0000)  C>S  ChangeCipherSpec
1 7  0.0035 (0.0000)  C>S  Handshake
      Finished
1 8  0.0042 (0.0006)  S>C  ChangeCipherSpec
1 9  0.0042 (0.0000)  S>C  Handshake
      Finished
1 10 0.0078 (0.0036)  C>S  application_data
    ---------------------------------------------------------------
    GET /dns HTTP/1.1
    Host: 10.102.14.180
    SERVER: sample.example.com
    ORGSVR: sample
    Cookie: NSC_AAAC=e03f9e7ec9f6542f11axc443b9ed4f99
    ---------------------------------------------------------------
1 11 1.2709 (1.2630)  S>C  application_data
    ---------------------------------------------------------------
    HTTP/1.1 200 OK
    Server:NS8.0.51.4
    Content-Type: text/html
    Cache-control: no-cache
    Pragma: no-cache
    Content-length:0
    CSIP:0.0.0.0
    ---------------------------------------------------------------
1 12 1.2731 (0.0022)  C>S  Alert
    level           warning
    value           close_notify
1    1.2734 (0.0002)  C>S  TCP FIN
1    1.2734 (0.0000)  S>C  TCP FIN
New TCP connection #2: 10.102.14.108(1992) <-> 10.102.14.180(443)
2 1  0.0005 (0.0005)  C>S  Handshake
      ClientHello
        Version 3.1
        cipher suites
        TLS_RSA_WITH_RC4_128_MD5
        TLS_RSA_WITH_RC4_128_SHA
        TLS_RSA_WITH_3DES_EDE_CBC_SHA
        TLS_RSA_WITH_DES_CBC_SHA
        TLS_RSA_EXPORT1024_WITH_RC4_56_SHA
        TLS_RSA_EXPORT1024_WITH_DES_CBC_SHA
        TLS_RSA_EXPORT_WITH_RC4_40_MD5
        TLS_RSA_EXPORT_WITH_RC2_CBC_40_MD5
        TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA
        TLS_DHE_DSS_WITH_DES_CBC_SHA
        TLS_DHE_DSS_EXPORT1024_WITH_DES_CBC_SHA
        compression methods
                  NULL
2 2  0.0006 (0.0000)  S>C  Handshake
      ServerHello
        Version 3.1
        session_id[0]=

        cipherSuite         TLS_RSA_WITH_RC4_128_MD5
        compressionMethod                   NULL
2 3  0.0006 (0.0000)  S>C  Handshake
      Certificate
2 4  0.0006 (0.0000)  S>C  Handshake
      ServerHelloDone
2 5  0.0016 (0.0010)  C>S  Handshake
      ClientKeyExchange
2 6  0.0016 (0.0000)  C>S  ChangeCipherSpec
2 7  0.0016 (0.0000)  C>S  Handshake
      Finished
2 8  0.0022 (0.0006)  S>C  ChangeCipherSpec
2 9  0.0022 (0.0000)  S>C  Handshake
      Finished
2 10 0.0034 (0.0011)  C>S  application_data
    ---------------------------------------------------------------
    GET /dns HTTP/1.1
    Host: 10.102.14.180
    SERVER: sample.example.com
    ORGSVR: sample
    Cookie: NSC_AAAC=e03f9e7ec9f6542f11axc443b9ed4f99
    ---------------------------------------------------------------
2 11 0.2434 (0.2400)  S>C  application_data
    ---------------------------------------------------------------
    HTTP/1.1 200 OK
    Server:NS8.0.51.4
    Content-Type: text/html
    Cache-control: no-cache
    Pragma: no-cache
    Content-length:0
    CSIP:0.0.0.0
    ---------------------------------------------------------------
2 12 0.2454 (0.0019)  C>S  Alert
    level           warning
    value           close_notify
2    0.2457 (0.0002)  C>S  TCP FIN
2    0.2457 (0.0000)  S>C  TCP FIN
New TCP connection #3: 10.102.14.108(1992) <-> 10.102.14.180(443)
3 1  0.0005 (0.0005)  C>S  Handshake
      ClientHello
        Version 3.1
        cipher suites
        TLS_RSA_WITH_RC4_128_MD5
        TLS_RSA_WITH_RC4_128_SHA
        TLS_RSA_WITH_3DES_EDE_CBC_SHA
        TLS_RSA_WITH_DES_CBC_SHA
        TLS_RSA_EXPORT1024_WITH_RC4_56_SHA
        TLS_RSA_EXPORT1024_WITH_DES_CBC_SHA
        TLS_RSA_EXPORT_WITH_RC4_40_MD5
        TLS_RSA_EXPORT_WITH_RC2_CBC_40_MD5
        TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA
        TLS_DHE_DSS_WITH_DES_CBC_SHA
        TLS_DHE_DSS_EXPORT1024_WITH_DES_CBC_SHA
        compression methods
                  NULL
3 2  0.0006 (0.0000)  S>C  Handshake
      ServerHello
        Version 3.1
        session_id[0]=

        cipherSuite         TLS_RSA_WITH_RC4_128_MD5
        compressionMethod                   NULL
3 3  0.0006 (0.0000)  S>C  Handshake
      Certificate
3 4  0.0006 (0.0000)  S>C  Handshake
      ServerHelloDone
3 5  0.0016 (0.0009)  C>S  Handshake
      ClientKeyExchange
3 6  0.0016 (0.0000)  C>S  ChangeCipherSpec
3 7  0.0016 (0.0000)  C>S  Handshake
      Finished
3 8  0.0022 (0.0006)  S>C  ChangeCipherSpec
3 9  0.0022 (0.0000)  S>C  Handshake
      Finished
3 10 0.0033 (0.0010)  C>S  application_data
    ---------------------------------------------------------------
    GET /dns HTTP/1.1
    Host: 10.102.14.180
    SERVER: sample.example.com
    ORGSVR: sample
    Cookie: NSC_AAAC=e03f9e7ec9f6542f11axc443b9ed4f99
    ---------------------------------------------------------------
3 11 0.2532 (0.2499)  S>C  application_data
    ---------------------------------------------------------------
    HTTP/1.1 200 OK
    Server:NS8.0.51.4
    Content-Type: text/html
    Cache-control: no-cache
    Pragma: no-cache
    Content-length:0
    CSIP:0.0.0.0
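When a trace contains many connections, it helps to reduce ssldump's text output to one line per connection: which suite was negotiated, whether the server's private key can decrypt it at all, and whether ssldump actually emitted decrypted application data. The Python below is an added example, not part of this article and not an ssldump component. It parses the output format shown above. Connection #1 in the embedded sample is abbreviated from the trace in this article; connection #2 is constructed for illustration and shows the failure mode described earlier, a DHE suite that the server key cannot decrypt, where ssldump prints the Handshake and application_data records with no payload block.

```python
# Summarise ssldump text output: per connection, the negotiated suite, whether
# the server's RSA private key (ssldump -k) can decrypt it, and whether ssldump
# actually emitted decrypted application_data payloads. Added example, not ssldump code.
import re

# Connection #1 is abbreviated from the trace shown in this article. Connection
# #2 is CONSTRUCTED: the server chose a DHE suite, so ssldump prints the
# encrypted Finished and application_data records without any payload block.
SAMPLE = """\
New TCP connection #1: 10.102.14.108(1992) <-> 10.102.14.180(443)
1 1  0.0019 (0.0019)  C>S  Handshake
      ClientHello
        Version 3.1
        cipher suites
        TLS_RSA_WITH_RC4_128_MD5
        TLS_RSA_EXPORT_WITH_RC4_40_MD5
        TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA
        compression methods
                  NULL
1 2  0.0020 (0.0000)  S>C  Handshake
      ServerHello
        Version 3.1
        cipherSuite         TLS_RSA_WITH_RC4_128_MD5
1 10 0.0078 (0.0036)  C>S  application_data
    ---------------------------------------------------------------
    GET /dns HTTP/1.1
    Host: 10.102.14.180
    ---------------------------------------------------------------
1 11 1.2709 (1.2630)  S>C  application_data
    ---------------------------------------------------------------
    HTTP/1.1 200 OK
    ---------------------------------------------------------------
1 12 1.2731 (0.0022)  C>S  Alert
    level           warning
    value           close_notify
1    1.2734 (0.0002)  C>S  TCP FIN
New TCP connection #2: 10.102.14.108(1993) <-> 10.102.14.180(443)
2 1  0.0005 (0.0005)  C>S  Handshake
      ClientHello
        Version 3.1
        cipher suites
        TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA
        TLS_RSA_WITH_RC4_128_MD5
        compression methods
                  NULL
2 2  0.0006 (0.0000)  S>C  Handshake
      ServerHello
        Version 3.1
        cipherSuite         TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA
2 8  0.0016 (0.0000)  C>S  Handshake
2 11 0.0034 (0.0011)  C>S  application_data
2 12 0.2434 (0.2400)  S>C  application_data
"""

CONN = re.compile(r"^New TCP connection #(\d+): (\S+) <-> (\S+)$")
# "<conn> [<record>] <time> (<delta>) <dir> <type>"; TCP FIN lines have no record number
RECORD = re.compile(r"^\d+\s+(?:\d+\s+)?\d+\.\d+\s+\(\d+\.\d+\)\s+[CS]>[CS]\s+(.+?)\s*$")
DASHES = re.compile(r"^-{10,}$")
VERSIONS = {"3.0": "SSL 3.0", "3.1": "TLS 1.0", "3.2": "TLS 1.1", "3.3": "TLS 1.2"}
WEAK = ("EXPORT", "_RC4_", "_DES_", "3DES", "_MD5", "_NULL_", "anon")


def key_exchange(suite):
    """Classify a suite by the key-exchange part of its IANA name."""
    if suite.startswith(("TLS_RSA_", "SSL_RSA_")):
        return "rsa"        # pre-master secret is RSA-encrypted to the server key: -k works
    if suite.startswith(("TLS_ECDHE_", "TLS_DHE_", "TLS_AES_", "TLS_CHACHA20_")):
        return "ephemeral"  # per-session (EC)DH secret (TLS 1.3 is always (EC)DHE): -k is useless
    return "other"          # static (EC)DH, anonymous, PSK, ...


def parse_ssldump(text):
    """Return one dict per 'New TCP connection' block of ssldump output."""
    conns, cur, mode, last = [], None, None, None
    for raw in text.splitlines():
        line = raw.strip()
        if mode == "payload":                 # inside a decrypted ---- block
            if DASHES.match(line):
                mode = None
            else:
                cur["payloads"][-1].append(line)
            continue
        m = CONN.match(line)
        if m:
            cur = {"conn": int(m[1]), "client": m[2], "server": m[3], "version": "",
                   "offered": [], "negotiated": "", "app_data": 0, "payloads": []}
            conns.append(cur)
        elif cur is None:
            continue
        elif (m := RECORD.match(line)):
            last = m[1]
            mode = "handshake" if last == "Handshake" else None
            if last == "application_data":
                cur["app_data"] += 1
        elif mode == "handshake":             # line after a Handshake record names the message
            mode = {"ClientHello": "clienthello", "ServerHello": "serverhello"}.get(line)
        elif DASHES.match(line) and last == "application_data":
            cur["payloads"].append([])        # ssldump prints this block only when it decrypted
            mode = "payload"
        elif mode == "clienthello":
            if line.startswith("Version"):
                cur["version"] = line.split()[1]
            elif line.startswith(("TLS_", "SSL_")):
                cur["offered"].append(line)
            elif line == "compression methods":
                mode = None
        elif mode == "serverhello" and line.startswith("cipherSuite"):
            cur["negotiated"] = line.split()[1]
            mode = None
    return conns


def summarise(text):
    """Per connection: what was negotiated, whether -k can decrypt it, what was decrypted."""
    rows = []
    for c in parse_ssldump(text):
        rows.append({
            "conn": c["conn"], "peers": f'{c["client"]} -> {c["server"]}',
            "version": VERSIONS.get(c["version"], c["version"]),
            "offers_ephemeral": any(key_exchange(s) == "ephemeral" for s in c["offered"]),
            "negotiated": c["negotiated"],
            "server_key_decrypts": key_exchange(c["negotiated"]) == "rsa",
            "app_data": c["app_data"], "decrypted": len(c["payloads"]),
            "weak": [w for w in WEAK if w in c["negotiated"]],
            "first_line": c["payloads"][0][0] if c["payloads"] else None,
        })
    return rows
```

Pipe real output into it with `ssldump -r trace.pcap -k server.key -d | python3 -c 'import sys, summarise_ssldump as s; [print(r) for r in s.summarise(sys.stdin.read())]'` (module name assumed). A connection with app_data greater than zero and decrypted equal to zero tells you the key was not used: either the suite is not RSA key exchange, the wrong key was supplied, or the handshake is missing from the capture.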