Unable to find Cipher Suite

Dec 30, 2010 at 7:52 PM

I am trying to decrypt a capture and get the following error in the log file:

Processing Field: Ethernet.Ipv4.Tcp.TCPPayload.TLSSSLData.TLS.TlsRecLayer.TlsRecordLayer.SSLHandshake.HandShake.ClientKeyExchange
With Value: Binary Large Object (130 Bytes)
Data Encryption Method == NULL
Found Next Filter for Field: Ethernet.Ipv4.Tcp.TCPPayload.TlsSslData.Tls.TlsRecLayer.TlsRecordLayer.SSLHandshake.HandShake.ClientKeyExchange
Processing Client Key Exchange
EXCEPTION: Unable to find Cipher Suite. Looking for Ethernet.Ipv4.Tcp.TCPPayload.TlsSslData.Tls.TlsRecLayer.TlsRecordLayer.SSLHandshake.HandShake.ServerHello.TLSCipherSuite

Does anyone know what the problem might be?

 

 

Feb 9, 2011 at 9:03 PM

I ran into the same thing today....

 

EXCEPTION: Unable to find Cipher Suite. Looking for Ethernet.Ipv4.Tcp.TCPPayload.TlsSslData.Tls.TlsRecLayer.TlsRecordLayer.SSLHandshake.HandShake.ServerHello.TLSCipherSuite

Mar 4, 2011 at 5:15 PM

My guess is because the entire TLS/SSL session is not present in the trace.  The TCP conversation you select in the conversation tree must contain the full SSL/TLS session setup. Do you know if this is the case?

Paul

 

Mar 14, 2012 at 4:44 PM

I'm a total n00b at this.  How would I know if I got the full SSL/TLS session setup?

Could this error be from a bad pfx password?  I tried what I think is the correct password & got this error message.  Then I purposely tried a bad password & still got the same error message.

-Chris

Mar 14, 2012 at 4:49 PM

If you look at the help that is accessible from the menu in Network Monitor by the expert, there is a section that shows what the full session setup looks like. Additionally, in the client hello, you should see that the SessionIDLength is zero. If not, this is not a new session but a reused one. This blog also has some more info (http://blogs.technet.com/b/netmon/archive/2011/03/03/nmdecrypt-expert-updates-version-2-3.aspx).

Also be sure you are using the server side certificate and its password. The client side does not have enough info to decrypt the trace.

Paul
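
The checks described in the reply above (a complete session setup in the selected conversation, and SessionIDLength of zero in the ClientHello), as an added Python example that is not part of the thread or of the NmDecrypt expert. It assumes the TLS records of one TCP conversation have already been reassembled and concatenated in capture order; the function names and sample bytes are constructed for illustration.

```python
import struct

HANDSHAKE, CHANGE_CIPHER_SPEC = 22, 20                      # record content types
CLIENT_HELLO, SERVER_HELLO, CLIENT_KEY_EXCHANGE = 1, 2, 16  # handshake message types

def cleartext_handshake(records):
    # Join handshake record payloads up to the first ChangeCipherSpec.
    out, i = b"", 0
    while i + 5 <= len(records):
        ctype, _version, length = struct.unpack_from("!BHH", records, i)
        if ctype == CHANGE_CIPHER_SPEC:
            break  # handshake data after this point is encrypted
        if ctype == HANDSHAKE:
            out += records[i + 5:i + 5 + length]
        i += 5 + length
    return out

def summarize(records):
    hs, i = cleartext_handshake(records), 0
    info = {"client_sid_len": None, "cipher_suite": None, "client_key_exchange": False}
    while i + 4 <= len(hs):
        mtype, mlen = hs[i], int.from_bytes(hs[i + 1:i + 4], "big")
        body = hs[i + 4:i + 4 + mlen]
        if len(body) < mlen:
            break  # message cut off by the capture
        if mtype == CLIENT_HELLO and mlen >= 35:  # version(2) + random(32) + sid_len(1)
            info["client_sid_len"] = body[34]
        elif mtype == SERVER_HELLO and mlen >= 35 and mlen >= 37 + body[34]:
            # The chosen cipher suite follows the variable-length session ID.
            info["cipher_suite"] = int.from_bytes(body[35 + body[34]:37 + body[34]], "big")
        elif mtype == CLIENT_KEY_EXCHANGE:
            info["client_key_exchange"] = True
        i += 4 + mlen
    return info

def problems(info):
    checks = [(info["client_sid_len"] == 0, "no ClientHello with SessionIDLength 0"),
              (info["cipher_suite"] is not None, "no ServerHello cipher suite"),
              (info["client_key_exchange"], "no ClientKeyExchange")]
    return [text for ok, text in checks if not ok]

# Constructed sample data (not the thread's capture): TLS 1.0, cipher suite 0x002f.
def record(mtype, body):
    hs = bytes([mtype]) + len(body).to_bytes(3, "big") + body
    return struct.pack("!BHH", HANDSHAKE, 0x0301, len(hs)) + hs

HELLO_PREFIX = b"\x03\x01" + bytes(32)  # version + random
FULL = (record(CLIENT_HELLO, HELLO_PREFIX + b"\x00" + b"\x00\x02\x00\x2f\x01\x00")
        + record(SERVER_HELLO, HELLO_PREFIX + b"\x20" + bytes(32) + b"\x00\x2f\x00")
        + record(CLIENT_KEY_EXCHANGE, bytes(130)))
LATE_START = record(CLIENT_KEY_EXCHANGE, bytes(130))  # capture began mid-handshake
```

`problems(summarize(FULL))` returns an empty list, while `LATE_START` reports both the missing ClientHello and the missing ServerHello cipher suite.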

Mar 14, 2012 at 7:33 PM

That worked.  Thank you, Paul.

-Chris