Unable to decrypt WireShark packets #29
You should see in the Wireshark capture without keys, at least the S7COMM-PLUS "Req InitSSL" and "Res InitSSL". After this the TLS encryption is handshaked and then active. Do you see these packets in your captures? You need to start the capture before starting the communication, so Wireshark can see the TLS handshake packets.
Hi Thomas, thanks for the quick response.
The hint that you need the plugin dll for S7comm-Plus is in the readme. Yes it's a bit confusing that S7comm is integrated, and S7comm-plus not (not now).
Hi Thomas!
First, thank you for providing this code as open-source code! Very well done and I can see that a lot of work has gone into this project.
As for my issue, I am attempting to decrypt Wireshark packets between the S7CommPlusDriver and a S71200.
I have tried both ways that you have included in your README.
1. Place the log file in a directory and make it known to Wireshark. To do this, go to the Wireshark menu → Settings. Under Protocols, select TLS, and select the appropriate file in the (Pre)-Master-Secret log filename field
I point Wireshark to the key log file that is created in the bin file when I capture the data from the program (edit -> preferences -> TLS -> Pre-Master-Secret log filename). I save the file as S7CommPlusTest.pcapng and close Wireshark. When I re-open the file, all the packets are still encrypted.
2. Integrate the secrets directly into the Wireshark recording
I have tried this manually using the command prompt as well as using the Pcap Key Injector utility tool included in your project. I save the capture as S7CommPlusTest.pcapng. When I open the S7CommPlusTest_withKey.pcapng file, all the packets are still encrypted.
I have verified that I am using the correct key log file with each capture. I have verified that the version of Wireshark I am using is the latest and includes the Siemens dissector.
I have tried this on two different PCs and am unable to view decrypted packets. Is there something that I am missing?
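One way to check the result of method 2 described in the post above, as an added example that is not part of the original issue or of the S7CommPlusDriver project: a pcapng reader that reports whether a file carries a Decryption Secrets Block with TLS key log lines and which client randoms it covers. The function names and the sample capture are constructed for illustration; the key material is dummy data.

```python
import struct

EPB, DSB = 0x00000006, 0x0000000A   # pcapng block types: packet, decryption secrets
TLS_KEYLOG = 0x544C534B             # DSB secrets type "TLSK" (NSS key log text)

def embedded_tls_secrets(data):
    """Return (entries, secrets_first). entries lists (label, client_random) from
    every TLS key log DSB; secrets_first is False if a packet block precedes one."""
    entries, seen_packet, secrets_first, endian, pos = [], False, True, "<", 0
    while pos + 12 <= len(data):
        if data[pos:pos + 4] == b"\x0a\x0d\x0d\x0a":   # Section Header Block
            # The byte-order magic 0x1A2B3C4D tells us how to read this section.
            endian = "<" if data[pos + 8:pos + 12] == b"\x4d\x3c\x2b\x1a" else ">"
        btype, blen = struct.unpack(endian + "II", data[pos:pos + 8])
        if blen < 12 or blen % 4 or pos + blen > len(data):
            raise ValueError("corrupt or truncated block at offset %d" % pos)
        body = data[pos + 8:pos + blen - 4]
        if btype == EPB:
            seen_packet = True
        elif btype == DSB and len(body) >= 8:
            stype, slen = struct.unpack(endian + "II", body[:8])
            if stype == TLS_KEYLOG:
                # A single-pass reader can only use secrets it has already seen.
                secrets_first = secrets_first and not seen_packet
                for line in body[8:8 + slen].decode("ascii", "replace").splitlines():
                    fields = line.split()
                    if len(fields) == 3 and not line.startswith("#"):
                        entries.append((fields[0], fields[1].lower()))
        pos += blen
    return entries, secrets_first

def make_block(btype, body):
    """Build one little-endian pcapng block (used only for the constructed sample)."""
    body += b"\x00" * (-len(body) % 4)
    total = struct.pack("<I", len(body) + 12)
    return struct.pack("<I", btype) + total + body + total

# Constructed sample capture: SHB, IDB, DSB, one empty packet. All values are dummies.
KEYLOG = b"CLIENT_RANDOM " + b"ab" * 32 + b" " + b"cd" * 48 + b"\n"
SHB = make_block(0x0A0D0D0A, struct.pack("<IHHq", 0x1A2B3C4D, 1, 0, -1))
IDB = make_block(0x00000001, struct.pack("<HHI", 1, 0, 0))
DSB_BLOCK = make_block(DSB, struct.pack("<II", TLS_KEYLOG, len(KEYLOG)) + KEYLOG)
PKT = make_block(EPB, struct.pack("<IIIII", 0, 0, 0, 0, 0))
WITH_KEY = SHB + IDB + DSB_BLOCK + PKT
WITHOUT_KEY = SHB + IDB + PKT

if __name__ == "__main__":
    print(embedded_tls_secrets(WITH_KEY))
    print(embedded_tls_secrets(WITHOUT_KEY))
```

On a real file, pass the bytes of the `_withKey.pcapng` capture and compare the returned client randoms with the Random field of the ClientHello shown in Wireshark.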