Ask Your Question
0

Is it possible to access decrypted TLS data in tshark programmatically?

asked 2020-04-20 15:42:10 +0000

PaulCavan gravatar image

Is there any way to get the decrypted TLS payload programatically in tshark, for example with -T jsonraw or pdml? I can see the decrypted data with the -x option or by following a tls stream (neither of which is convenient for programming access) but with -T option I can only see the encrypted payload.

For comparison, with ESP protocol, once the data is decrypted, the decrypted data is easily accessible in tcp.payload and data.data and display filters can be applied to the decrypted data. Is there any way to do that with TLS?

If that is not possible, an alternative for me would be saving only the raw decrypted data a file. I can do this in wireshark in the follow TLS stream window. Any way to do it in tshark?

Thanks

edit retag flag offensive close merge delete

1 Answer

Sort by ยป oldest newest most voted
0

answered 2020-04-20 17:23:42 +0000

PaulCavan gravatar image

updated 2020-04-20 17:26:08 +0000

Actually, even though my data is not http (actually ASN.1 BER), I can still apply the http dissector and get the data via tls.segment.data, and even apply display filters to it:

tshark -r example_ssl.pcap -o "tls.debug_file:ssldebug.log" -o "tls.desegment_ssl_records:TRUE" -o "tls.desegment_ssl_application_data:TRUE" -o "tls.keylog_file:sslkeylog.txt" -d "tls.port==0-65535,http" -T fields -e "tls.segment.data"

edit flag offensive delete link more

Your Answer

Please start posting anonymously - your entry will be published after you log in or create a new account.

Add Answer

Question Tools

Stats

Asked: 2020-04-20 15:42:10 +0000

Seen: 65 times

Last updated: Apr 20