EXCEPTION: Error: Couldn't Select TLS or SSL based on Version Info

May 15, 2012 at 6:56 PM
Edited May 15, 2012 at 6:57 PM

Hi,

I'm trying the expert inside a vpn tunnel (Juniper). I cannot decrypt anything. I get this error on decryption startup :

 

-.-.-.-.-.-.- SSL Decryption Log -.-.-.-.-.-.-

Log Created On: 15/05/2012 19:53:48

NMDecrypt Version: 2.3.4.0
NMAPIs Initialized.
Initializing Netmon Parsers...
sparser.npb:001.000 Successfully unserialized NPL parser 'C:\ProgramData\Microsoft\Network Monitor 3\NPL\NetworkMonitor Parsers\Profiles\64BAA24A-0AAD-44e6-9846-3BE43D698FF6\sparser.npb.
Netmon Parsers initialized successfully.
Adding SSLVersionSelector Display Filter...
Display Filter added successfully
Adding Conversation.TLS.Id == 5 Conversation Filter...
****Warning****: Using a non TCP Conversation Filter, Conversation.TLS.Id == 5, might cause the expert to fail.  You should use a filter at the TCP layer or higher.  A conversation filter at a higher level might work, say IPv4 or IPv6, but this depends on the traffic.  Under these conditions all traffic must use the same certificate and the traffic for each conversation must be sequential.
Conversation Filter, Conversation.TLS.Id == 5 added successfully
SSL Version Filter added successfully
Adding Conversation.TLS.Id == 5 Conversation Filter...
****Warning****: Using a non TCP Conversation Filter, Conversation.TLS.Id == 5, might cause the expert to fail.  You must use a filter at the TCP layer or higher.  A conversation filter at a higher level might work, say IPv4 or IPv6, but this depends on the traffic.  Under these conditions all traffic must use the same certificate and the traffic for each conversation must be sequential.
Eval Parser Conversation Filter, Conversation.TLS.Id == 5 added successfully
This Netmon Version is supported
****Warning***: We've tested with version: 03.04.2748.0001.  Your version is: 03.04.2774.0001 0000. This might cause problems if the TLS/SSL parsers have changed significantly.
Opening Encrypted Capture File: C:\******\Captures\encrypted.cap
Creating Decrypted Capture File: C:\*********\Captures\Decrypted1.cap
Proposing Init Filter String of Ethernet.Ipv4.Tcp.TCPPayload.Http.TLSSSLData
EXCEPTION: Error: Couldn't Select TLS or SSL based on Version Info
Using Init Filter String of Ethernet.Ipv4.Tcp.TCPPayload.Http.TLSSSLData.
Changing Conversation ID from 18446744073709551615 to 2
.................................................
Entered IsTLSSLPayloadFragmented: Frame 6
.................................................


===========================================================================
Processing Frame Number: 6
===========================================================================
Found 59 Fields in Frame
6,0: Processing Field: Ethernet
   Value: Etype = Internet IP (IPv4),DestinationAddress:[00-24-E8-D9-B0-74],SourceAddress:[68-EF-BD-07-E2-BF]
Exception: La référence d'objet n'est pas définie à une instance d'un objet.   à SSLDecryptionExpert.SSLDecryption.ParsedFrameInformation(IntPtr parsedFrame, UInt32& frameNumber, Boolean& isKeyBlockComputed, Boolean& decryptedAppDataPacket, Boolean& exitOnError, NMFilters filter)

   à SSLDecryptionExpert.SSLDecryption.StartDecryption(Dictionary`2 property, String& decryptionResult)

   à SSLDecryptionExpert.SSLDecryption.SslDecryptCapture(Dictionary`2 property, String& decryptionResult)

-.-.-.-.-.-.- SSL Decryption Log Ends-.-.-.-.-.-.-

 

May 15, 2012 at 8:46 PM

One problem for certain is the convesation you clicked on.  It needs to be at most a TCP conversation, instead you clicked on a TLS conversation "Adding Conversation.TLS.Id == 5 Conversation Filter...".

Try selecting the TCP converation and make sure the full TLS handshake exists (the SessionIDLength should equal zero).  If this doesn't work, please attach the text from the last frame that fails.

Paul