ssldump: PCAP: syntax error

2

I am using:

# uname -ro
FreeBSD 9.0-RELEASE-p3

And the latest ssldump:

# pkg_info | grep ssldump
ssldump-0.9b3_4     SSLv3/TLS network protocol analyzer

When I try to start it with decryption, I get the following error:

# ssldump -Xnd -i em0 port 8443 -k name.pem -p password
PCAP: syntax error

I have libpcap installed:

# pkg_info | grep libpcap
dnstop-20121017     Captures and analyzes DNS traffic (or analyzes libpcap dump
libpcap-1.4.0       Ubiquitous network traffic capture library

I found a reference about possible problems with some network interfaces:

Support is provided for only for Ethernet and loopback interfaces

So I tried running ssldump with lo0:

# ssldump -Xnd -i lo0 port 8443 -k name.pem -p password
PCAP: syntax error

So, how can I run ssldump with packet decryption? Where is my mistake?

by setevoy 22.01.2014 / 13:03

2 answers

1

The example(s) I found had the command like this:

$ sudo ssldump -i bge0 -d -k /tmp/myserverkey port 8088
Enter PEM pass phrase:
Then I connect to my server from a browser:

New TCP connection #1: laptop(39699) <-> myserver(8088)
1 1  0.0853 (0.0853)  C>S SSLv2 compatible client hello
  Version 3.1
  cipher suites
  Unknown value 0x39
  Unknown value 0x38
  Unknown value 0x35
  Unknown value 0x33
  Unknown value 0x32
  TLS_RSA_WITH_RC4_128_MD5
  TLS_RSA_WITH_RC4_128_SHA
  Unknown value 0x2f
  TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA
  TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA
  Unknown value 0xfeff
  TLS_RSA_WITH_3DES_EDE_CBC_SHA
  TLS_DHE_RSA_WITH_DES_CBC_SHA
  TLS_DHE_DSS_WITH_DES_CBC_SHA
  Unknown value 0xfefe
  TLS_RSA_WITH_DES_CBC_SHA
  TLS_RSA_EXPORT1024_WITH_RC4_56_SHA
  TLS_RSA_EXPORT1024_WITH_DES_CBC_SHA
  TLS_RSA_EXPORT_WITH_RC4_40_MD5
  TLS_RSA_EXPORT_WITH_RC2_CBC_40_MD5
1 2  0.0856 (0.0002)  S>C  Handshake
      ServerHello
        Version 3.1
        session_id[32]=
          08 22 c2 25 34 4e 85 61 dd 24 ba 9a 59 a2 dc b0
          77 a0 3f b7 ac c9 d3 ce 76 4a b5 42 cc 44 30 fb
        cipherSuite         TLS_RSA_WITH_RC4_128_MD5
        compressionMethod                   NULL
      Certificate
      ServerHelloDone
1 3  6.1870 (6.1013)  C>S  Handshake
      ClientKeyExchange
1 4  6.1870 (0.0000)  C>S  ChangeCipherSpec
1 5  6.1870 (0.0000)  C>S  Handshake
      Finished
1 6  6.1931 (0.0061)  S>C  ChangeCipherSpec
1 7  6.1931 (0.0000)  S>C  Handshake
      Finished
1 8  6.2852 (0.0921)  C>S  application_data
    ---------------------------------------------------------------
    GET / HTTP/1.1
    Host: myserver:8088
    User-Agent: Mozilla/5.0 (Macintosh; U; PPC Mac OS X Mach-O; en-US; rv:1.7.5) Gecko/20041217
    Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
    Accept-Language: en-us,en;q=0.5
    Accept-Encoding: gzip,deflate
    Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
    Keep-Alive: 300
    Connection: keep-alive

    ---------------------------------------------------------------
1 9  6.2859 (0.0007)  S>C  application_data
    ---------------------------------------------------------------
    HTTP/1.1 403 Forbidden
    Server: Sun-Java-System-Web-Server/7.0
    Date: Thu, 27 Apr 2006 08:12:15 GMT
    Content-length: 142
    Content-type: text/html

Getting your .pem key file

excerpt from Jyri Virkki's Oracle blog

If given access to the server private key, ssldump can decrypt the traffic to and from that server on the fly. That's where it gets really useful. We'll need to do a bit of prep work to set this up.

First, extract the private key from the server instance into a PKCS#12 format file using pk12util.

You'll need to know the nickname of the server keypair/cert (see your server.xml) for the -n parameter.

I changed to the directory where the NSS *.db files live so I type "-d .". Alternatively you could run the command from elsewhere by giving the right path. Finally, I'm running JES Web Server 7.0 so there is no prefix to the NSS files, but if you are on 6.1 you'll need to give a -P parameter with the right prefix for that instance.

    $ pk12util -o myserver.pk12 -n Server-Cert -d . -v
    Enter Password or Pin for "NSS Certificate DB":
    Enter password for PKCS12 file:
    Re-enter password:
    pk12util: PKCS12 EXPORT SUCCESSFUL

Perhaps needless to say, but if this was a production server I'd have to be very careful where I store this private key file. Keep that in mind.

Next I'll just convert this to a format suitable for ssldump using openssl:

    $ openssl pkcs12 -in myserver.pk12 -out myserverkey
    Enter Import Password:
    MAC verified OK
    Enter PEM pass phrase:
    Enter PEM pass phrase:
    Verifying - Enter PEM pass phrase:


by 22.01.2014 / 16:17
1

Any "additional" option must be used before the "specified" one (or vice versa in these definitions :-)).

Wrong way:

# ssldump -i em0 port 8443 -a
PCAP: syntax error

Right way:

# ssldump -a -i em0 port 8443

PCAP: syntax error here means an error in the ssldump start options - not anywhere in the system configuration.

by 23.01.2014 / 17:53
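The argument-order rule from the answer above, as an added example that is not part of the original post: ssldump reads its options with getopt(3), and FreeBSD's libc getopt stops at the first word that does not start with "-" (GNU getopt, by contrast, permutes options by default), so every word from "port" onward is passed to libpcap as the filter expression, and an option such as "-k" inside that text is what the filter compiler rejects. The short-option string below is an assumed subset covering only the flags that appear on this page, not ssldump's real option string.

```python
import getopt

# Assumed subset of ssldump's short-option string: -X -n -d -a take no
# argument; -i, -k and -p take one.  Not copied from the ssldump source.
SSLDUMP_OPTS = "Xndai:k:p:"


def split_args(argv):
    """Split a command line into (options, pcap_filter) the way a
    non-permuting getopt(3) does: option parsing stops at the first word
    that does not start with '-', and every remaining word is joined into
    the filter text handed to libpcap's filter compiler."""
    opts, rest = getopt.getopt(argv, SSLDUMP_OPTS)
    return dict(opts), " ".join(rest)


def filter_problems(pcap_filter):
    """Return tokens that look like ssldump options but ended up in the
    filter expression.  The pcap filter grammar has no '-k' or '-p'
    keyword, so any such token yields 'PCAP: syntax error'."""
    return [tok for tok in pcap_filter.split() if tok.startswith("-")]


def check(argv):
    """Parse argv like ssldump would and report what reaches libpcap."""
    opts, pcap_filter = split_args(argv)
    return {"opts": opts, "filter": pcap_filter,
            "stray": filter_problems(pcap_filter)}


if __name__ == "__main__":
    # Constructed command lines: the questioner's order and the fixed order.
    wrong = ["-Xnd", "-i", "em0", "port", "8443", "-k", "name.pem", "-p", "password"]
    right = ["-Xnd", "-i", "em0", "-k", "name.pem", "-p", "password", "port", "8443"]
    for argv in (wrong, right):
        r = check(argv)
        print("ssldump " + " ".join(argv))
        print("  filter passed to libpcap:", repr(r["filter"]))
        print("  stray option tokens:", r["stray"] or "none")
```

With the questioner's order the filter text becomes "port 8443 -k name.pem -p password", which explains why the error persisted across em0 and lo0: the interface was never the problem.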