Ask Your Question
0

Can Wireshark use SSLKEYLOGFILE from SSH remote capture server?

asked 2023-02-13 20:53:39 +0000

NOYB gravatar image

Can copy the SSLKEYLOGFILE from the remote system to then use locally with saved SSH remote capture. But that is cumbersome and not live.

What I'd like is to SSH remote capture and have Wireshark use the SSLKEYLOGFILE that is on the remote system to decrypt the SSH remote capture live.

Maybe a option in the SSH capture configuration profile pointing to the SSLKEYLOGFILE on the remote system. Wireshark could then use the SSH capture credentials to access the SSLKEYLOGFILE.

Tried using an SSH tail command like this as the (Pre)-Master-Secret log filename. Not surprisingly it didn't work though.

"C:\Program Files\PuTTY\plink.exe" -batch -ssh [email protected] tail -F /var/SSLKEYLOGFILE.txt

(The command does function as expected in command prompt. Just doesn't provide the desired Wireshark result. i.e. live SSH remote capture decryption.)

edit retag flag offensive close merge delete

1 Answer

Sort by ยป oldest newest most voted
0

answered 2023-02-15 22:41:40 +0000

NOYB gravatar image

Figured out a workaround way to do this.

In a command prompt redirect the SSL Key Log file from the SSH remote to where the Wireshark TLS (Pre)-Master-Secret log filename setting is pointed.

example:

"C:\Program Files\PuTTY\plink.exe" -batch -ssh [email protected] tail -n 0 -F /var/SSLKEYLOGFILE.txt >> C:\Users\AHS\Downloads\SSLKEYLOGFILE.txt

The SSH remote capture can then be decrypted live.

Would be nice if Wireshark had this capability built in to grab the SSL key log file from the SSH remote.

edit flag offensive delete link more

Comments

That could be an enhancement request which you can file here.

Jaap gravatar imageJaap ( 2023-02-16 08:25:51 +0000 )edit

Your Answer

Please start posting anonymously - your entry will be published after you log in or create a new account.

Add Answer

Question Tools

1 follower

Stats

Asked: 2023-02-13 20:53:39 +0000

Seen: 2,074 times

Last updated: Feb 15 '23