Ask Your Question

Command line PCAP decyryption with TLS Key log file

asked 2022-04-11 12:25:05 +0000

Matty gravatar image

I have a PCAP file I am trying to decrypt, and a TLS keylog file produced by nodejs (using the --tls-keylog option)

I am trying to convert the HTTP messaging inside the PCAP file into WARC format, but cannot figure out how to use the command line tshark util to decrypt the relevant traffic. I can do so in the Wireshark UI by updating TLS PMS setting and then right clicking and choosing to follow the HTTP stream, how can I recreate this behaviour with tshark?

I'd also like to print out the "follow" view for _all_ HTTP connections in a PCAP file (including HTTPS and HTTP2), in JSON format if possible? thanks!

edit retag flag offensive close merge delete

1 Answer

Sort by ยป oldest newest most voted

answered 2022-04-11 15:57:35 +0000

Chuckc gravatar image

Breaking this into "TLS keys" and "how to follow".
TLS background info: Sharkfest '19

09: Debugging TLS issues with Wireshark by Peter Wu / Presentation Video (1:10:44)

Peter's slides available here Debugging TLS issues with Wireshark.

Also check the Wireshark wiki page for TLS. Sections for Embedding decryption secrets in a pcapng file and Preference Settings (hint: tls.keylog_file)

The tshark man page documents the follow option:

-z follow,prot,mode,filter[,range]
Displays the contents of a TCP or UDP stream between two nodes. The data sent by the second node is prefixed with a tab to differentiate it from the data sent by the first node.

prot specifies the transport protocol. It can be one of:

tcp   TCP
udp   UDP
tls   TLS or SSL
http  HTTP streams
http2 HTTP/2 streams
quic  QUIC streams
edit flag offensive delete link more

Your Answer

Please start posting anonymously - your entry will be published after you log in or create a new account.

Add Answer

Question Tools


Asked: 2022-04-11 12:25:05 +0000

Seen: 844 times

Last updated: Apr 11 '22