Ask Your Question
0

How do I search decrypted TLS data in a capture.

asked 2020-11-30 22:01:57 +0000

netwonder gravatar image

I have created a capture with decrypted TLS data by injecting the keys into the capture file. I have not found a way to search the decrypted data using the display filter. I can search encrypted data using tls.app_data. It seems like it should be a simple thing to search decrypted data, but I have not found it. I have tried using tls.segment tls.segment.data, tls.segments, tls.reassembled.data and others. Thanks

edit retag flag offensive close merge delete

1 Answer

Sort by ยป oldest newest most voted
0

answered 2020-12-01 02:30:01 +0000

Chuckc gravatar image

Using the snakeoil2 sample cature, the TLS is decrypted as HTTP.

1. A display filter of http contains "Linux" returns 12 frames.
2. Or you can select a decrypted packet, right click and use Follow->TLS Stream or Follow->HTTP Stream.
3. Or disable the decode for HTTP and filter on data.data contains "Linux"

edit flag offensive delete link more

Comments

Thanks. I tried 'http contains' but wasn't finding what I was looking for. After sleeping on it and looking again, it appears you are correct and I don't know what I was doing yesterday. I did not realize 'data.data' did not work because http was enabled, that bit of info helps.

netwonder gravatar imagenetwonder ( 2020-12-01 14:22:09 +0000 )edit

The data "dissector" is only called if no other dissector can be found to handle the data.

grahamb gravatar imagegrahamb ( 2020-12-01 18:10:17 +0000 )edit

Your Answer

Please start posting anonymously - your entry will be published after you log in or create a new account.

Add Answer

Question Tools

1 follower

Stats

Asked: 2020-11-30 22:01:57 +0000

Seen: 2,256 times

Last updated: Dec 01 '20