Wireshark export PDUs for decrypted TLS data

asked 2019-09-21 09:20:00 +0000


updated 2019-09-21 09:24:58 +0000

I have an RDP packet capture. I need to export the application data to another program that requires decrypted PDUs as input. I should be able to do this by:

* opening up Wireshark
* ensuring the PCAP is decrypted
* File -> Export PDUs to File
* selecting OSI 7

I can reproduce this with the samples on the Wireshark wiki (https://wiki.wireshark.org/RDP): use SampleCaptures/rdp-ssl.pcap.gz and the associated cert.pem.

If you use this and the latest Wireshark, it looks like the Application Data is getting decrypted (Decrypted TLS tab) but not going through the TPKT dissector, hence never being parsed and not being marked as layer 7.

Posts elsewhere seem to imply this should work and should be parsed correctly. How can I fix this and get my decrypted data?

Worth saying that in that sample PCAP the CredSSP login stuff is being parsed and does appear in the OSI 7 export, just nothing RDP.


1 Answer

answered 2019-09-21 09:44:50 +0000


OK, looks like this is fixed in the latest bleeding-edge dev build.



Stats

Asked: 2019-09-21 09:20:00 +0000

Seen: 1,364 times

Last updated: Sep 21 '19