
Add a debug helper for reading traffic with Wireshark #1627


Merged: 1 commit, May 4, 2025

Conversation

@Rob-Hague (Collaborator) commented Apr 5, 2025

Wireshark can already helpfully dissect the initial SSH handshake. When given the session keys, it can also dissect the encrypted traffic for inspection/debugging. This adds a helper in Debug mode to write out that information in the format Wireshark requires.

Usage is to set `SshNetLoggingConfiguration.WiresharkKeyLogFilePath` before connecting, and supply the same value to Wireshark in Edit -> Preferences -> Protocols -> SSH -> "Key log filename".

A description of the format is at https://wiki.wireshark.org/SSH#key-log-format and https://gitlab.com/wireshark/wireshark/-/blob/82d6f8631aad39f1f10db77a62ebae01e3be881f/epan/dissectors/packet-ssh.c#L2071

I've had this branch around for a while and had the impression that it didn't always work, but it seems OK in recent testing.

[image]

@drieseng (Member) left a comment


I only see you logging the "shared secret" to the Wireshark log file. This does not correspond with the logging that you included in the description of this PR.

Update:
The logging in the description is solely produced by Wireshark, right?

@Rob-Hague (Collaborator, Author)

Yeah, the shared secret is all that's needed; everything else comes from Wireshark.
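As an added example (not code from this PR or from SSH.NET), this shows both halves of what the description and the reply above describe: the shape of the key-log line the helper writes for a session, and the RFC 4253 section 7.2 derivation Wireshark then runs from the logged shared secret K, which is why nothing beyond K needs to be logged. The function names, the sample cookie and K, and the exact hex encoding of K (plain unsigned big-endian bytes, no mpint length prefix) are assumptions; confirm the byte layout against the linked packet-ssh.c before depending on it.

```python
import hashlib

# Constructed sample values (not from a real session): a 16-byte KEXINIT cookie and
# a small shared secret K. A real K is the DH/ECDH result and is hundreds of bits long.
SAMPLE_COOKIE = bytes(range(16))
SAMPLE_K = 0x9A378F9B2E332A7


def mpint(k: int) -> bytes:
    """SSH mpint (RFC 4251 s.5): 4-byte big-endian length, then two's-complement magnitude."""
    if k == 0:
        return b"\x00\x00\x00\x00"
    body = k.to_bytes((k.bit_length() + 8) // 8, "big")  # +8 bits leaves room for a sign byte
    return len(body).to_bytes(4, "big") + body


def keylog_line(cookie: bytes, shared_secret: int) -> str:
    """One Wireshark SSH key-log line: '<cookie hex> SHARED_SECRET <K hex>'. The cookie
    is the 16 random bytes of the client's SSH_MSG_KEXINIT, which Wireshark uses to match
    the line to a captured session. Assumption: K is written as plain unsigned big-endian
    bytes without the mpint length prefix."""
    if len(cookie) != 16:
        raise ValueError("KEXINIT cookie must be exactly 16 bytes")
    k_bytes = shared_secret.to_bytes((shared_secret.bit_length() + 7) // 8, "big")
    return f"{cookie.hex()} SHARED_SECRET {k_bytes.hex()}"


def derive_key(k: int, exchange_hash: bytes, letter: str, session_id: bytes,
               length: int, hash_name: str = "sha256") -> bytes:
    """RFC 4253 s.7.2: K1 = HASH(K || H || letter || session_id); if more bytes are
    needed, K2 = HASH(K || H || K1), K3 = HASH(K || H || K1 || K2), ... are appended.
    K is mpint-encoded here; H is the exchange hash (equal to session_id on the first KEX)."""
    prefix = mpint(k) + exchange_hash
    out = hashlib.new(hash_name, prefix + letter.encode("ascii") + session_id).digest()
    while len(out) < length:
        out += hashlib.new(hash_name, prefix + out).digest()
    return out[:length]


def session_keys(k: int, exchange_hash: bytes, session_id: bytes, iv_len: int,
                 enc_key_len: int, mac_key_len: int, hash_name: str = "sha256") -> dict:
    """All six s.7.2 values (client-to-server first): what Wireshark recomputes from the
    logged K plus the KEXINIT/KEXDH messages it already parsed from the capture."""
    spec = [("iv_c2s", "A", iv_len), ("iv_s2c", "B", iv_len),
            ("enc_c2s", "C", enc_key_len), ("enc_s2c", "D", enc_key_len),
            ("mac_c2s", "E", mac_key_len), ("mac_s2c", "F", mac_key_len)]
    return {name: derive_key(k, exchange_hash, letter, session_id, n, hash_name)
            for name, letter, n in spec}
```

Set `hash_name` to the hash of the negotiated KEX method (sha1, sha256 or sha512) and the three lengths to those of the negotiated cipher and MAC.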

@Rob-Hague Rob-Hague merged commit 8590508 into sshnet:develop May 4, 2025
4 checks passed
@Rob-Hague Rob-Hague deleted the wireshark branch May 4, 2025 09:38