
Unable to decrypt WireShark packets #29

Open
buffyslays opened this issue Jun 4, 2024 · 3 comments

Comments

@buffyslays commented Jun 4, 2024

Hi Thomas!

First, thank you for providing this code as open-source code! Very well done and I can see that a lot of work has gone into this project.

As for my issue, I am attempting to decrypt Wireshark packets between the S7CommPlusDriver and an S71200.

I have tried both ways that you have included in your README.

1. Place the log file in a directory and make it known to Wireshark. To do this, go to the Wireshark menu → Settings. Under Protocols, select TLS, and select the appropriate file in the (Pre)-Master-Secret log filename field.

I point Wireshark to the key log file that is created in the bin file when I capture the data from the program (edit -> preferences -> TLS -> Pre-Master-Secret log filename). I save the file as S7CommPlusTest.pcapng and close Wireshark. When I re-open the file, all the packets are still encrypted.

2. Integrate the secrets directly into the Wireshark recording.

I have tried this manually using the command prompt as well as using the Pcap Key Injector utility tool included in your project. I save the capture as S7CommPlusTest.pcapng. When I open the S7CommPlusTest_withKey.pcapng file, all the packets are still encrypted.

I have verified that I am using the correct key log file with each capture. I have verified that the version of Wireshark I am using is the latest and includes the Siemens dissector.

I have tried this on two different PCs and am unable to view decrypted packets. Is there something that I am missing?

@buffyslays buffyslays changed the title Unable to decrypt packets Unable to decrypt WireShark packets Jun 4, 2024
@thomas-v2 (Owner) commented Jun 5, 2024

You should see in the Wireshark capture without keys at least the S7COMM-PLUS "Req InitSSL" and "Res InitSSL". After this, the TLS encryption is handshaked and then active. Do you see these packets in your captures? You need to start the capture before starting the communication, so Wireshark can see the TLS handshake packets.
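The point above is the whole diagnosis: Wireshark matches a key-log entry to a TLS session through the 32-byte client random in the ClientHello, so a capture that starts after "Req InitSSL"/"Res InitSSL" contains nothing the key log can be matched against, no matter how the secrets are supplied. The following script is an added example (not code from the S7CommPlusDriver project or the Wireshark project) that parses an NSS-format key log, extracts the client random from raw TLS handshake records, and reports which of the three situations a capture is in. All records, randoms and secrets in it are constructed for the example; the function names are the example's own.

```python
"""Check whether a TLS key log can decrypt a set of captured TLS records.

Wireshark's "(Pre)-Master-Secret log" lookup is keyed on the ClientHello
random, so the handshake must be in the capture. Everything here is
constructed sample data, not real traffic or secrets.
"""
from typing import Dict, List, Optional


def parse_keylog(text: str) -> Dict[str, List[str]]:
    """Return {client_random_hex: [labels]} from NSS key-log text.

    Blank lines and '#' comments are skipped; lines that are not exactly
    'LABEL <client_random> <secret>' are ignored.
    """
    entries: Dict[str, List[str]] = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split()
        if len(parts) != 3:
            continue
        label, client_random, _secret = parts
        entries.setdefault(client_random.lower(), []).append(label)
    return entries


def client_random_from_record(record: bytes) -> Optional[str]:
    """Extract the ClientHello random (hex) from one TLS record, else None.

    Layout: record header (type 1, version 2, length 2), handshake header
    (msg_type 1, length 3), then ClientHello legacy_version (2) + random (32).
    """
    if len(record) < 5 or record[0] != 0x16:      # 0x16 = Handshake content type
        return None
    rec_len = int.from_bytes(record[3:5], "big")
    body = record[5:5 + rec_len]
    if len(body) < 4 or body[0] != 0x01:          # 0x01 = ClientHello
        return None
    hs_len = int.from_bytes(body[1:4], "big")
    hello = body[4:4 + hs_len]
    if len(hello) < 34:
        return None
    return hello[2:34].hex()


def build_client_hello(random32: bytes) -> bytes:
    """Build a minimal constructed ClientHello record carrying random32."""
    assert len(random32) == 32
    hello = (b"\x03\x03" + random32          # legacy_version + random
             + b"\x00"                        # session_id length 0
             + b"\x00\x02\x13\x01"            # one cipher suite (TLS_AES_128_GCM_SHA256)
             + b"\x01\x00")                   # compression_methods: null only
    handshake = b"\x01" + len(hello).to_bytes(3, "big") + hello
    return b"\x16\x03\x01" + len(handshake).to_bytes(2, "big") + handshake


def diagnose(records: List[bytes], keylog_text: str) -> Dict[str, object]:
    """Classify why a capture would or would not decrypt with this key log."""
    keylog = parse_keylog(keylog_text)
    randoms = [r for r in (client_random_from_record(x) for x in records) if r]
    matched = [r for r in randoms if r in keylog]
    if not randoms:
        verdict = "no_handshake"      # capture started after InitSSL: nothing to match
    elif matched:
        verdict = "ok"
    else:
        verdict = "keylog_mismatch"   # handshake present, but key log is for other sessions
    return {"verdict": verdict, "sessions_seen": len(randoms),
            "sessions_with_keys": len(matched), "keylog_entries": len(keylog)}


# Constructed sample data (not real secrets or captured packets).
GOOD_RANDOM = bytes(range(1, 33))
OTHER_RANDOM = bytes(range(101, 133))
SAMPLE_KEYLOG = (
    "# constructed key log\n"
    f"CLIENT_RANDOM {GOOD_RANDOM.hex()} {'ab' * 48}\n"
    f"CLIENT_HANDSHAKE_TRAFFIC_SECRET {GOOD_RANDOM.hex()} {'cd' * 32}\n"
)
APP_DATA = b"\x17\x03\x03\x00\x04\xde\xad\xbe\xef"   # encrypted record, carries no random

if __name__ == "__main__":
    cases = {
        "capture started before InitSSL": [build_client_hello(GOOD_RANDOM), APP_DATA],
        "capture started too late":       [APP_DATA],
        "key log from another run":       [build_client_hello(OTHER_RANDOM), APP_DATA],
    }
    for name, recs in cases.items():
        print(f"{name}: {diagnose(recs, SAMPLE_KEYLOG)}")
```

To run this against a real capture, the client randoms can be listed with `tshark -r capture.pcapng -Y "tls.handshake.type == 1" -T fields -e tls.handshake.random` and compared with the `CLIENT_RANDOM` column of the key log; a "no_handshake" result means the capture has to be restarted before the connection is opened, and a "keylog_mismatch" means the key log belongs to a different session than the one captured. Wireshark's own `editcap --inject-secrets tls,<keylog file> in.pcapng out.pcapng` is the standard way to embed the secrets in the pcapng, which is what the second method in the README describes.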

@buffyslays (Author) commented

Hi Thomas, thanks for the quick response.
We were confused thinking the S7COMM-PLUS was bundled into Wireshark along with S7COMM! We added the plugin.dll and we are in business. Wishing I hadn't made that assumption. Thanks for pointing out which packets to look for!

@thomas-v2 (Owner) commented

The hint that you need the plugin dll for S7comm-Plus is in the readme. Yes, it's a bit confusing that S7comm is integrated and S7comm-plus is not (not now).
