1 | initial version |
Wireshark doesn't save a decrypted file but you can add the decryption keys to the capture file:
TLS\SSL pcap with key - save decrypted output to pcap file without the attach key
To decrypt with tshark, set the -o tls.keylog_file:<filename> preference.
Also check the Wireshark wiki TLS page for links to presentations using tshark with TLS.
ask_wireshark$ tshark -r ./tls_pcap.pcapng -z io,phs,tls -q
===================================================================
Protocol Hierarchy Statistics
Filter: tls
frame frames:11074 bytes:14792926
eth frames:11074 bytes:14792926
ip frames:11074 bytes:14792926
tcp frames:11074 bytes:14792926
tls frames:11074 bytes:14792926
tcp.segments frames:1087 bytes:1457505
tls frames:1073 bytes:1446693
data frames:4 bytes:5416
===================================================================
ask_wireshark$ tshark -r ./tls_pcap.pcapng -Y tls -z io,phs,tls -o tls.keylog_file:keys.txt -q
===================================================================
Protocol Hierarchy Statistics
Filter: tls
frame frames:11074 bytes:14792926
eth frames:11074 bytes:14792926
ip frames:11074 bytes:14792926
tcp frames:11074 bytes:14792926
tls frames:11074 bytes:14792926
tcp.segments frames:1077 bytes:1445986
tls frames:1065 bytes:1435861
data frames:4 bytes:5416
http2 frames:32 bytes:5807
xml frames:1 bytes:134
http frames:7 bytes:3271
json frames:1 bytes:454
tcp.segments frames:1 bytes:454
<snip>