Now that you have Tomcat configured, you need to configure Wireshark. To do this, start Wireshark on the machine that runs Tomcat and, in the menus, select Edit --> Preferences (Ctrl-Shift-P).
Figure 1. Wireshark preferences screen
Expand the Protocols entry on the left side and select SSL from the list that appears.
Figure 2. Wireshark SSL configuration dialog
You should check both option boxes.
The RSA keys list field tells Wireshark which private key to use to decode a conversation, depending on the IP address and port the conversation is with. Each entry has the following form (this is the same layout that the ssl_init keys string line in Listing 4 echoes back):
<ip address>,<port>,<protocol>,<key file>
Multiple entries can be provided in a semicolon-separated list, but for this tutorial we only require one entry.
For the purposes of this tutorial I assume the IP address I am running Tomcat on is 192.168.45.22, and that it is listening on port 8443 for SSL traffic. The traffic will be HTTP traffic, and the open-private-key.pem file that we generated earlier has been copied to the root of the C drive. The string to enter in the RSA keys list field is therefore:
192.168.45.22,8443,http,C:\open-private-key.pem
You will need to identify the IP address of your own machine. In Cygwin you can do this by running:
Note: If your machine has multiple network adapters, you may have more than one IP address for the machine. You must choose the address with which your second machine can connect to this machine’s Tomcat server.
You should provide a filename where Wireshark can produce debug output. This will be very useful in troubleshooting your Wireshark configuration.
Press OK to complete the configuration.
You should now open the SSL debug log file that you selected earlier. If your configuration was successful you will see some text indicating that Wireshark successfully loaded the private key. See an example below in Listing 4.
Listing 4. SSL debug log contents
ssl_association_remove removing TCP 9443 - http handle 040820A0
ssl_init keys string: 220.127.116.11,8443,http,C:\temp\open-private-key.pem
ssl_init found host entry 18.104.22.168,8443,http,C:\temp\open-private-key.pem
ssl_init addr '22.214.171.124' port '8443' filename 'C:\temp\open-private-key.pem' password(only for p12 file) '(null)'
Private key imported: KeyID 0E:BA:EA:08:5D:FA:FB:85:59:4A:7B:A9:B2:56:C3:16:...
ssl_init private key file C:\temp\open-private-key.pem successfully loaded
association_add TCP port 8443 protocol http handle 040820A0
This confirms that you have carried out all the cryptographic manipulation steps and Wireshark configuration steps correctly. If you don't see this message you need to revisit the steps involved. The most likely problems are the path to the key file in the RSA keys list or the generation of the private key file itself.
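The two most likely failure points named above, a wrong key file path in the RSA keys list and a key file that Wireshark cannot load, can both be checked before the GUI is opened. The following script is an added example and is not part of the tutorial or of Wireshark; it assumes the ip,port,protocol,keyfile[,password] field order seen in the ssl_init keys string line of Listing 4 (the optional fifth field is the password the log mentions for p12 files), it requires the PEM file to be an unencrypted private key, and it looks for the "successfully loaded" line in the SSL debug log. The keys list string and the debug log text embedded below are constructed for the example, using the tutorial's IP address, port and key path.

```python
import ipaddress
import re

# Constructed example of a Wireshark "RSA keys list" string (the tutorial's values).
# The ip,port,protocol,keyfile[,password] field order is an assumption taken from
# the ssl_init keys string line in Listing 4.
EXAMPLE_KEYS_LIST = r"192.168.45.22,8443,http,C:\open-private-key.pem"

# Constructed sample of the SSL debug log, modelled on Listing 4 (placeholder KeyID).
SAMPLE_DEBUG_LOG = r"""ssl_init keys string: 192.168.45.22,8443,http,C:\open-private-key.pem
ssl_init found host entry 192.168.45.22,8443,http,C:\open-private-key.pem
ssl_init addr '192.168.45.22' port '8443' filename 'C:\open-private-key.pem' password(only for p12 file) '(null)'
Private key imported: KeyID 00:11:22:33:44:55:66:77:88:99:AA:BB:CC:DD:EE:FF:...
ssl_init private key file C:\open-private-key.pem successfully loaded
association_add TCP port 8443 protocol http handle 040820A0
"""


def parse_keys_list(keys_list):
    """Split the semicolon-separated keys list into (ip, port, protocol, path, password)
    tuples, raising ValueError for anything Wireshark could not use."""
    entries = []
    for raw in keys_list.split(";"):
        raw = raw.strip()
        if not raw:
            continue
        parts = [p.strip() for p in raw.split(",")]
        if len(parts) not in (4, 5):
            raise ValueError(f"expected ip,port,protocol,keyfile[,password] but got {raw!r}")
        ip, port, proto, path = parts[:4]
        password = parts[4] if len(parts) == 5 else None
        ipaddress.ip_address(ip)            # raises ValueError on a malformed address
        port = int(port)
        if not 0 < port < 65536:
            raise ValueError(f"port out of range in {raw!r}")
        if not path:
            raise ValueError(f"empty key file path in {raw!r}")
        entries.append((ip, port, proto, path, password))
    return entries


def check_key_text(pem_text):
    """Sanity-check PEM contents before pointing Wireshark at the file: it needs a
    private key block, and that key must not be passphrase-protected."""
    problems = []
    if "PRIVATE KEY-----" not in pem_text:
        problems.append("no PRIVATE KEY block found (is this the certificate rather than the key?)")
    if "ENCRYPTED" in pem_text:
        problems.append("key is encrypted; export it without a passphrase")
    return {"ok": not problems, "problems": problems}


def check_key_file(path):
    """Run check_key_text on a file on disk (also proves the path is readable)."""
    with open(path, "r", encoding="ascii", errors="replace") as fh:
        return check_key_text(fh.read())


# Matches the confirmation line that Listing 4 shows for a key Wireshark accepted.
LOADED_RE = re.compile(r"^ssl_init private key file (.+?) successfully loaded\s*$", re.MULTILINE)


def loaded_key_files(debug_log):
    """Return the set of key file paths the SSL debug log reports as loaded."""
    return set(LOADED_RE.findall(debug_log))


def unconfirmed_entries(keys_list, debug_log):
    """Keys-list entries whose key file the debug log never confirms as loaded."""
    loaded = loaded_key_files(debug_log)
    return [entry for entry in parse_keys_list(keys_list) if entry[3] not in loaded]


if __name__ == "__main__":
    for entry in parse_keys_list(EXAMPLE_KEYS_LIST):
        print("keys list entry:", entry)
    missing = unconfirmed_entries(EXAMPLE_KEYS_LIST, SAMPLE_DEBUG_LOG)
    print("all keys confirmed loaded" if not missing else f"not confirmed by debug log: {missing}")
```

Run check_key_file against the real path from your keys list first; if that passes and the debug log still lacks the "successfully loaded" line, the remaining suspect is the entry string itself, which parse_keys_list will reject if a field is missing or the address is malformed.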
Once you have Wireshark configured correctly, you are ready to record a conversation. In Wireshark, select Capture --> Interfaces (Ctrl-I, upper-case i) from the menu. This should present a dialog similar to the following:
Figure 3. Wireshark interface listing dialog
You need to decide which of the listed network interfaces is the one that your second machine will connect to Tomcat through. This should already be clear since you needed to know the right IP address for the Wireshark configuration step. If you are unsure, you can use the Web browser on the second machine to access the Tomcat server and see which interface shows an increased packet count.
Once you have selected the interface you want to listen on, click Options and you should be presented with another dialog:
Figure 4. Wireshark capture options dialog
You should enter the following in the Capture Filter to reduce the amount of noise in the captured conversation:
tcp port 8443
Now click Start to begin capturing traffic. At this point you should not see any packets being captured. Go to your second machine and access Tomcat from it using a URL such as https://192.168.45.22:8443/, substituting the IP address or hostname of the machine that runs Tomcat. When you do this, you will be told that there is a certificate problem and asked whether you trust the server. As before, confirm that you do trust the server. After this, the Tomcat welcome page should appear in the browser and many rows of data should appear in Wireshark. You can now stop the capture by selecting Capture --> Stop from the menu.
If you have done this correctly, you will see a screen with some green rows, showing that they have been decrypted, like this:
Figure 5. Successful capture output
You are then free to use Wireshark as you normally would to analyse the HTTP conversation and proceed with your problem investigation.
One final thing to observe here is that where you would normally use Follow TCP Stream to see an HTTP conversation, you should now use Follow SSL Stream instead. This will show your HTTP conversation in plain text:
Figure 6. Following an SSL stream
You may encounter out-of-order packets in your capture, as shown here:
Figure 7. Out of order packets in Wireshark
These can cause the SSL dissector to partially fail. Observe that there is a green row near the bottom, but the response to that GET has not been decrypted. To fix this problem you need to save the capture using File --> Save As. Then, in Cygwin, run:
editcap -d capture.pcap fixed.pcap
where:
editcap is included with Wireshark;
capture.pcap is the saved capture;
fixed.pcap will contain the fixed capture after the command has run.
After running this command you can load the fixed packet capture file back into Wireshark, and you should then see the decrypted packets as expected.
Wireshark relies on capturing the entire SSL conversation. If you make multiple requests from your browser over the course of this tutorial, it is possible that some parts of the negotiated secure connection are cached, so that the captured conversation does not contain the full negotiation. This will prevent the SSL dissector from doing its job. Look at the start of the capture for an entry with "Server Hello, Certificate, Server Hello Done" in the Info column. If you cannot find this, your browser is reusing part of a previous negotiation. Restarting the browser and trying again should fix this.
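The "Server Hello, Certificate, Server Hello Done" check above can be reproduced outside the GUI on the raw bytes the server sent. The following script is an added example, not code from the tutorial or from Wireshark, and it goes beyond the page by walking the TLS record layer (5-byte record header, then 4-byte handshake message headers) to classify the server's first flight: a full negotiation carries a Certificate and Server Hello Done, while a resumed session jumps from Server Hello straight to Change Cipher Spec, after which the remaining handshake bytes are encrypted and cannot be read with the server's RSA key alone. The message names mirror what Wireshark's Info column prints. The two server flights embedded below are constructed with dummy message bodies purely to exercise the parser; they are not real handshake content.

```python
import struct

CHANGE_CIPHER_SPEC = 20          # TLS record content types
HANDSHAKE = 22
# Handshake message type codes, named as Wireshark's Info column shows them.
HS_NAMES = {1: "Client Hello", 2: "Server Hello", 11: "Certificate",
            12: "Server Key Exchange", 14: "Server Hello Done",
            16: "Client Key Exchange", 20: "Finished"}


def tls_records(data):
    """Yield (content_type, payload) for each complete TLS record in a byte string.
    A truncated trailing record is dropped rather than parsed as garbage."""
    pos = 0
    while pos + 5 <= len(data):
        ctype, _version, length = struct.unpack("!BHH", data[pos:pos + 5])
        if pos + 5 + length > len(data):
            break
        yield ctype, data[pos + 5:pos + 5 + length]
        pos += 5 + length


def handshake_messages(payload):
    """Yield the handshake message type codes packed into one plaintext handshake record."""
    pos = 0
    while pos + 4 <= len(payload):
        htype = payload[pos]
        length = int.from_bytes(payload[pos + 1:pos + 4], "big")
        yield htype
        pos += 4 + length


def server_flight_summary(server_bytes):
    """Describe the server's first flight the way the Info column would.
    Once a Change Cipher Spec has been seen, later handshake records are encrypted,
    so they are reported as such instead of being parsed."""
    seen = []
    encrypted = False
    for ctype, payload in tls_records(server_bytes):
        if ctype == CHANGE_CIPHER_SPEC:
            encrypted = True
            seen.append("Change Cipher Spec")
        elif ctype == HANDSHAKE and not encrypted:
            seen.extend(HS_NAMES.get(t, f"Handshake type {t}") for t in handshake_messages(payload))
        elif ctype == HANDSHAKE:
            seen.append("Encrypted Handshake Message")
    return seen


def has_full_negotiation(server_bytes):
    """True when the flight contains Server Hello, Certificate and Server Hello Done,
    which is what decryption with the server's private key depends on."""
    seen = server_flight_summary(server_bytes)
    return all(name in seen for name in ("Server Hello", "Certificate", "Server Hello Done"))


# Helpers used only to construct the sample flights below.
def hs_msg(htype, body):
    return bytes([htype]) + len(body).to_bytes(3, "big") + body


def record(ctype, payload, version=b"\x03\x01"):
    return bytes([ctype]) + version + len(payload).to_bytes(2, "big") + payload


# Constructed full negotiation: Server Hello, Certificate, Server Hello Done in one record.
FULL_FLIGHT = record(HANDSHAKE, hs_msg(2, b"\x03\x01" + b"\x00" * 34)
                     + hs_msg(11, b"\x00\x00\x00") + hs_msg(14, b""))
# Constructed resumed session: Server Hello, then Change Cipher Spec, then an encrypted Finished.
RESUMED_FLIGHT = (record(HANDSHAKE, hs_msg(2, b"\x03\x01" + b"\x00" * 34))
                  + record(CHANGE_CIPHER_SPEC, b"\x01")
                  + record(HANDSHAKE, b"\xaa" * 40))

if __name__ == "__main__":
    for label, flight in (("full", FULL_FLIGHT), ("resumed", RESUMED_FLIGHT)):
        print(label, server_flight_summary(flight), "decryptable:", has_full_negotiation(flight))
```

To apply this to a real capture, feed server_flight_summary the server-to-client bytes of the first few packets after the TCP handshake; if the summary shows Change Cipher Spec before any Certificate, the browser resumed an earlier session and the capture has to be repeated after restarting it.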