How do I search decrypted TLS data in a capture?

asked 2020-11-30 22:01:57 +0000

netwonder

I have created a capture with decrypted TLS data by injecting the keys into the capture file. I have not found a way to search the decrypted data using the display filter. I can search encrypted data using tls.app_data. It seems like it should be a simple thing to search decrypted data, but I have not found it. I have tried using tls.segment, tls.segment.data, tls.segments, tls.reassembled.data and others. Thanks.


1 Answer


answered 2020-12-01 02:30:01 +0000

Chuckc

Using the snakeoil2 sample capture, the TLS is decrypted as HTTP.

1. A display filter of http contains "Linux" returns 12 frames.
2. Or you can select a decrypted packet, right click and use Follow->TLS Stream or Follow->HTTP Stream.
3. Or disable the decode for HTTP and filter on data.data contains "Linux"


Comments

Thanks. I tried 'http contains' but wasn't finding what I was looking for. After sleeping on it and looking again, it appears you are correct and I don't know what I was doing yesterday. I did not realize 'data.data' did not work because http was enabled, that bit of info helps.

netwonder ( 2020-12-01 14:22:09 +0000 )

The data "dissector" is only called if no other dissector can be found to handle the data.

grahamb ( 2020-12-01 18:10:17 +0000 )
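
The two filter-based approaches from the answer (options 1 and 3), run from the command line with tshark. This is an added example, not part of the original posts; the function names are hypothetical, and it assumes the capture already carries its TLS secrets, as in the question.

```sh
#!/bin/sh
# Added example: search decrypted TLS payloads with tshark.
# Usage: ./search.sh <capture-with-injected-keys> <search-term>

# Build `<field> contains "<term>"`, escaping backslashes and double quotes
# so the search term stays inside the display-filter string literal.
contains_filter() {
    esc=$(printf '%s' "$2" | sed -e 's/\\/\\\\/g' -e 's/"/\\"/g')
    printf '%s contains "%s"' "$1" "$esc"
}

# Option 1: the HTTP dissector claims the decrypted bytes, so search "http".
search_as_http() {
    tshark -r "$1" -Y "$(contains_filter http "$2")"
}

# Option 3: with HTTP disabled, the decrypted bytes fall through to the
# generic data dissector, so data.data becomes searchable.
search_as_data() {
    tshark -r "$1" --disable-protocol http -Y "$(contains_filter data.data "$2")"
}

# Run both searches only when a capture and a term were supplied.
if [ "$#" -eq 2 ] && command -v tshark >/dev/null 2>&1; then
    search_as_http "$1" "$2"
    search_as_data "$1" "$2"
fi
```
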

Stats

Asked: 2020-11-30 22:01:57 +0000

Seen: 1,628 times

Last updated: Dec 01 '20