Ask Your Question
0

Using tshark to decrypt tls/ssl.

asked 2020-12-24 04:39:01 +0000

ray gravatar image

If provide the sslkeylogfile , is it possible for me to use tshark to decrypt tls? Can I wirte the plaintext to the another pcap file? For that, I want to get the decryption sample.

edit retag flag offensive close merge delete

Comments

That will depend a lot on the TLS level and keys used. Decoding them later is painful at best and it's getting harder and harder with newer encryption method.

hugo.vanderkooij gravatar imagehugo.vanderkooij ( 2020-12-24 11:21:19 +0000 )edit

1 Answer

Sort by ยป oldest newest most voted
0

answered 2020-12-24 14:52:22 +0000

Chuckc gravatar image

updated 2020-12-24 14:53:52 +0000

Wireshark doesn't save a decrypted file but you can add the decryption keys to the capture file:
TLS\SSL pcap with key - save decrypted output to pcap file without the attach key
To decrypt with tshark, set the -o tls.keylog_file:<filename> preference.
Also check the Wireshark wiki TLS page for links to presentations using tshark with TLS.

ask_wireshark$ tshark -r ./tls_pcap.pcapng -z io,phs,tls -q

===================================================================
Protocol Hierarchy Statistics
Filter: tls

frame                                    frames:11074 bytes:14792926
  eth                                    frames:11074 bytes:14792926
    ip                                   frames:11074 bytes:14792926
      tcp                                frames:11074 bytes:14792926
        tls                              frames:11074 bytes:14792926
          tcp.segments                   frames:1087 bytes:1457505
            tls                          frames:1073 bytes:1446693
            data                         frames:4 bytes:5416
===================================================================
ask_wireshark$ tshark -r ./tls_pcap.pcapng -z io,phs,tls -o tls.keylog_file:keys.txt -q

===================================================================
Protocol Hierarchy Statistics
Filter: tls

frame                                    frames:11074 bytes:14792926
  eth                                    frames:11074 bytes:14792926
    ip                                   frames:11074 bytes:14792926
      tcp                                frames:11074 bytes:14792926
        tls                              frames:11074 bytes:14792926
          tcp.segments                   frames:1077 bytes:1445986
            tls                          frames:1065 bytes:1435861
            data                         frames:4 bytes:5416
          http2                          frames:32 bytes:5807
            xml                          frames:1 bytes:134
          http                           frames:7 bytes:3271
            json                         frames:1 bytes:454
              tcp.segments               frames:1 bytes:454
<snip>
edit flag offensive delete link more

Your Answer

Please start posting anonymously - your entry will be published after you log in or create a new account.

Add Answer

Question Tools

1 follower

Stats

Asked: 2020-12-24 04:39:01 +0000

Seen: 5,226 times

Last updated: Dec 24 '20