Ask Your Question

How do I add keys (that I already have) to a packet capture?

asked 2020-07-28 22:04:17 +0000

I have a DTLS file with encryption keys. When I download it, I have two files, the packet capture itself and the key; they come separately. How do I add the keys to the pcap to make a pcapng file on my mac?

edit retag flag offensive close merge delete

1 Answer

Sort by ยป oldest newest most voted

answered 2020-07-28 23:41:06 +0000

Chuckc gravatar image

updated 2020-07-28 23:42:04 +0000

edit flag offensive delete link more


This is on a UN*X, so the command line shouldn't be too painful, although, on macOS, you should install the files that add the Wireshark binary directory to your PATH (they're in one of the sub-packages for the .dmg for newer releases).

And remember not to send the file to anybody you don't want to be able to read the DTLS traffic (and, if you do send it to somebody, make sure they don't forward it).

Guy Harris gravatar imageGuy Harris ( 2020-07-29 05:52:21 +0000 )edit

How would I install the files that add the Wireshark binary directory? Sorry, I am a bit new to this.

Tiger123 gravatar imageTiger123 ( 2020-07-29 21:47:08 +0000 )edit

Installing Wireshark under macOS - "See the included Read me first.html file for more details."

Source adoc file for the Readme
The Quick Setup section shows steps for adding the Extras to your path but will be easier to read if you have the HTML version.

Chuckc gravatar imageChuckc ( 2020-07-29 22:03:51 +0000 )edit

And, in particular, you will need to mount the .dmg you downloaded to install Wireshark. You may have to download it again; you won't need to drag-install Wireshark again, but you will need to double-click the "Add Wireshark to the system path" package to install it.

Guy Harris gravatar imageGuy Harris ( 2020-07-29 23:16:25 +0000 )edit

Sorry - just now got it - "I am looking only to embed the keys into the pcap file (specifically this DTLS test file) to create one single pcapng file. Right now, the capture and the key come separately."

Try the steps here It's a two step process to extract the session keys then merge them into a new capture file.

(there was a bit of parallel questions - link to the related question )

Chuckc gravatar imageChuckc ( 2020-07-30 06:27:48 +0000 )edit

The first way requires me to decrypt the file. I am not looking to do that. The second way is what I've tried earlier (editcap command line), however I am getting an error. The error says the key I am using (the example key provided by Wireshark), "is not a key log file, but an unsupported private key file". Is there a way to fix this and not have to actually decrypt the file to embed the keys?

Tiger123 gravatar imageTiger123 ( 2020-07-30 18:35:29 +0000 )edit

It would be nice to export the key log file from the command line with tshark or wireshark but not supported.
Peter's (@Lekensteyn) presentations from Sharkfest 2019 are here

09: Debugging TLS issues with Wireshark by Peter Wu
Presentation Video (1:10:44)

If you have a way to generate the key log file outside of the Wireshark GUI, then that is the piece needed to inject secrets.

Chuckc gravatar imageChuckc ( 2020-07-30 19:57:47 +0000 )edit

Your Answer

Please start posting anonymously - your entry will be published after you log in or create a new account.

Add Answer

Question Tools


Asked: 2020-07-28 22:04:17 +0000

Seen: 43 times

Last updated: Jul 28