NMDecrypt Expert Updates - Version 2.3

re: NMDecrypt Expert Updates - Version 2.3

Paul E Long — Thu, 06 Oct 2011 14:09:37 GMT

I can't tell for sure what the issue is, but the following is a check list based on other instance of this same error:

1. Make sure you've selected a single TCP conversation with a full SSL session setup. This is the best way to test things are working properly.

2. Make sure you have the latest parsers from http://nmparsers.codeplex.com.

3. Verify you have captured both SSL and TCP traffic to be decrypted.

In the log file you should see lines where it finds the key in the server hello. I might be able to help further if you supply the complete log (perhaps on skydrive or something similar).

BTW, the forums on social.technet.microsoft.com/.../threads might be a better place to ask these types of questions.

Thanks,

Paul

re: NMDecrypt Expert Updates - Version 2.3

Santosh More — Thu, 06 Oct 2011 04:57:20 GMT

I am not able to decrypt, I am getting following error in the log.

Computing ServerIV for next application data

Exception: Object reference not set to an instance of an object. at SSLDecryptionExpert.AppDataDecryption.LogApplicationDataDetails(String sourceIP, CipherSuiteInfo cipherSuite)

at SSLDecryptionExpert.AppDataDecryption.DecryptSslApplicationData(String sourceIP, CipherSuiteInfo cipherSuite)

Exception: Object reference not set to an instance of an object. at System.Security.Cryptography.HMAC.InitializeKey(Byte[] key)

at SSLDecryptionExpert.AppDataDecryption.VerifyMacValueTLS(CipherSuiteInfo cipherSuite, String sourceIP)

at SSLDecryptionExpert.AppDataDecryption.VerifyMacValue(CipherSuiteInfo cipherSuite, String sourceIP)

at SSLDecryptionExpert.AppDataDecryption.DecryptSslApplicationData(String sourceIP, CipherSuiteInfo cipherSuite)

at SSLDecryptionExpert.SSLDecryption.DecryptApplicationData(Int32[] value, String sourceIP)

at SSLDecryptionExpert.SSLDecryption.ParsedFrameInformation(IntPtr parsedFrame, UInt32& frameNumber, Boolean& isKeyBlockComputed, Boolean& decryptedAppDataPacket, Boolean& exitOnError, NMFilters filter)

at SSLDecryptionExpert.SSLDecryption.StartDecryption(Dictionary`2 property, String& decryptionResult)

at SSLDecryptionExpert.SSLDecryption.SslDecryptCapture(Dictionary`2 property, String& decryptionResult)

re: NMDecrypt Expert Updates - Version 2.3

Duncan — Fri, 18 Mar 2011 12:43:24 GMT

Thank you... Appreciate your time and explanation..

re: NMDecrypt Expert Updates - Version 2.3

Paul E Long — Wed, 16 Mar 2011 13:50:30 GMT

When TLS/SSL negotiates the first time, it creates a session ID. Further sessions can reuse this ID, however there is not enough information in those sessions to decrypt the data. You'll have to make sure you get the initial session setup, which usually means restarting the client side. One update with the expert, mentioned above, is being able to handle an entire IPv4/IPv6 conversation. However, the first session still has to have the full session setup and not reuse a session ID. The way to determine if you have a reused session is to look at the SessionIDLength, it should be zero. The following filter will see if you have any decrypt-able traffic for TLS.

TLS.TlsRecLayer.TlsRecordLayer.SSLHandshake.HandShake.ClientHello.SessionIDLength == 0x0

re: NMDecrypt Expert Updates - Version 2.3

Duncan — Wed, 16 Mar 2011 12:56:45 GMT

I keep getting this when I try and use it:

clienthello contains a reused session id and the initial session setup is missing. session id length in the first clienthello must be zero. you can try to restart the application that is generating the secure connection or narrow down the trace so it contains only one session id.