Ask Your Question
0

TLS\SSL pcap with key - save decrypted output to pcap file without the attach key

asked 2019-10-15 12:32:14 +0000

Dana gravatar image

Hi, I know how to use wireshark inorder to decode an encrypted ssl\tls pcap when providing the key. I can't save the decrypted pcap without it depending on the key. Is there a way to save the decrypted pcap in a way that it won't depend on the key? Thanks

edit retag flag offensive close merge delete

2 Answers

Sort by ยป oldest newest most voted
0

answered 2019-10-15 18:48:17 +0000

Pascal Quantin gravatar image

You can also save the decrypted packets starting from Wireshark 2.0 (if I remember correctly) by clicking on File -> Export PDUs to file -> OSI layer 7.

edit flag offensive delete link more
0

answered 2019-10-15 17:55:53 +0000

SYN-bit gravatar image

Wireshark won't save the decrypted data, but you can export the session keys which are specific to the traffic in your capture file. After doing the decryption with the private key, go to file -> Export TLS Session Keys. Save the keys to a file. When you want to view the decrypted traffic again without the private key, point to the session keys file in the TLS protocol preferences under "(Pre)-Master-Secret log filename".

You can also add the keys to the pcap-ng file so that you do not have to point to a separate file by using editcap --inject-secrets tls,<file-with-exported-keys> <original.pcap> <new.pcap>

edit flag offensive delete link more

Your Answer

Please start posting anonymously - your entry will be published after you log in or create a new account.

Add Answer

Question Tools

1 follower

Stats

Asked: 2019-10-15 12:32:14 +0000

Seen: 52 times

Last updated: Oct 15