Ask Your Question
0

tshark and SSL/TLS Traffic

asked 2023-08-17 06:41:29 +0000

sawesa gravatar image

Hello, I want to use tshark to read some pcaps in my linux server and I was hoping I can decrypt the ssl traffic using the ssl.keylog option, but it does not work somehow.

  • I capture traffic using tcpdump for a given interface and port. I make sure there is traffic using a custom.pem certificate towards that port. I see the .pcap increasing
  • I open the .pcap using thsark by:

tshark -r /tmp/mycapture.pcap -o "ssl.keylog_file:/tmp/ssl_log/ssl_keylog.txt"

But the ssl_keylog.txt gets nothing written on it and the ssl traffic not shown.

I then tried to indicate tshark where my cert is, just in case is not finding it somehow:

tshark -r /tmp/mycapture.pcap -o "ssl.keylog_file:/tmp/ssl_log/ssl_keylog.txt" -o "ssl.debug_file:/opt/ssl_log/certificate.pem"

I also tried to convert the .pem to .p12 but same issue.

What am I missing here?

edit retag flag offensive close merge delete
add a comment

1 Answer

Sort by » oldest newest most voted
0

answered 2023-08-17 20:21:12 +0000

André gravatar image

updated 2023-08-17 20:33:46 +0000

TShark reads a SSLKEYLOGFILE to decrypt the traffic. It does not create it. Only the endpoints of a TLS connection can do that.

As noted in the documentation:

The key log file is a text file generated by applications such as Firefox, Chrome and curl when the SSLKEYLOGFILE environment variable is set. To be precise, their underlying library (NSS, OpenSSL or boringssl) writes the required per-session secrets to a file. This file can subsequently be configured in Wireshark (Using the (Pre)-Master Secret).

So you need to set up the client (browser) or server to log the session keys.

The option tls.debug_file specifies the debug log file. That file is (over)written with log entries.

edit flag offensive delete link more
add a comment

Your Answer

Please start posting anonymously - your entry will be published after you log in or create a new account.

Add Answer

Question Tools

subscribe to rss feed

Stats

Asked: 2023-08-17 06:41:29 +0000

Seen: 1,871 times

Last updated: Aug 17 '23

Related questions

Tshark select end certificate only

tshark capture filter with live ssl decryption

Looking for a detailed explanation on the SSL debug file

Deduplication in tshark -T ek [closed]

filtering out protocol, sequence number, and ack using tshark

Help to read this trace

Using tshark filters to extract only interesting traffic from 12GB trace

How to verify what protocol was used in an encrypted file transfer?

Application data isn't decrypted whether I choose spdy, data, http or tcp as protocol.

Any way to use cmd tshark for a gns3 wire?