Hi, I'm trying to decrypt an ssl conversation using the ssl key.

This is working in the wireshark gui.
When I try to decrypt in tshark, this is also working, but I want to decrypt it and save the result as a pcap file. This doesn't work.
When I use: tshark -o "ssl.desegment_ssl_records: TRUE" -o "ssl.desegment_ssl_application_data: TRUE" -o "ssl.keys_list: 10.135.56.22,443,http,/trace/test/test.pem" -t ad -r 443_test.pcap -w decrypted.pcap
the result is the same as the input-file.

Is there a way I can decrypt via cli to a pcap file?
I want to use the resulting pcap-file as input for tcpick, so I can save complete TCP sessions.

asked 27 Sep '11, 02:34

fcozijnsen


The short answer: Wireshark/tshark aren't capable of saving decrypted packets to a pcap file.

See message thread starting at http://www.wireshark.org/lists/wireshark-users/201105/msg00000.html for some (possibly) relevant information.

See especially: http://www.wireshark.org/lists/wireshark-users/201105/msg00002.html

A Google search may find further info.

answered 27 Sep '11, 06:22

Bill Meier ♦♦

edited 27 Sep '11, 06:38

Is there another way to create separate files for each communication session? I'm now using tcpick to separate the tcp streams from each other (and save each stream in a file) but this doesn't support ssl. I'd rather use wireshark, but is this even possible?

(27 Sep '11, 06:28) fcozijnsen