tshark and SSL/TLS Traffic

asked 2023-08-17 06:41:29 +0000 by sawesa

Hello, I want to use tshark to read some pcaps on my Linux server, and I was hoping I could decrypt the SSL traffic using the ssl.keylog option, but somehow it does not work.

  • I capture traffic using tcpdump for a given interface and port. I make sure there is traffic using a custom.pem certificate towards that port. I see the .pcap growing.
  • I open the .pcap using tshark with:

tshark -r /tmp/mycapture.pcap -o "ssl.keylog_file:/tmp/ssl_log/ssl_keylog.txt"

But nothing gets written to ssl_keylog.txt, and the SSL traffic is not shown.

I then tried to tell tshark where my cert is, just in case it is not finding it somehow:

tshark -r /tmp/mycapture.pcap -o "ssl.keylog_file:/tmp/ssl_log/ssl_keylog.txt" -o "ssl.debug_file:/opt/ssl_log/certificate.pem"

I also tried converting the .pem to .p12, but same issue.

What am I missing here?


1 Answer


answered 2023-08-17 20:21:12 +0000 by André, updated 2023-08-17 20:33:46 +0000

TShark reads an SSLKEYLOGFILE to decrypt the traffic. It does not create it. Only the endpoints of a TLS connection can do that.

As noted in the documentation:

The key log file is a text file generated by applications such as Firefox, Chrome and curl when the SSLKEYLOGFILE environment variable is set. To be precise, their underlying library (NSS, OpenSSL or boringssl) writes the required per-session secrets to a file. This file can subsequently be configured in Wireshark (Using the (Pre)-Master Secret).

So you need to set up the client (browser) or server to log the session keys.

The option tls.debug_file specifies the debug log file. That file is (over)written with log entries.

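The procedure André describes, as an added example that is not part of the original thread: the client (curl, through its OpenSSL or NSS backend) is the TLS endpoint that writes the key log when SSLKEYLOGFILE is set, and tshark is only pointed at the resulting file. The key log path, pcap path, interface eth0 and the URL https://example.com/ are assumptions; the two helper functions that check the key log before tshark is run are mine, not part of tshark or Wireshark.

```shell
#!/bin/sh
# Added example, not from the original post: the endpoint (curl here) writes
# the key log, tshark only reads it. Paths, interface and URL are assumptions.
set -eu

KEYLOG=${KEYLOG:-/tmp/ssl_log/ssl_keylog.txt}
PCAP=${PCAP:-/tmp/mycapture.pcap}
IFACE=${IFACE:-eth0}
URL=${URL:-https://example.com/}   # assumed: any HTTPS server reachable from this host

# A usable key log has lines "<LABEL> <64 hex chars client_random> <hex secret>".
# OpenSSL/NSS write CLIENT_RANDOM for TLS 1.2 and the *_TRAFFIC_SECRET labels
# for TLS 1.3; comment lines start with '#'. Returns 0 if at least one usable
# line is present, 1 otherwise.
keylog_has_secrets() {
    [ -s "$1" ] || return 1
    grep -Eq '^(CLIENT_RANDOM|CLIENT_EARLY_TRAFFIC_SECRET|CLIENT_HANDSHAKE_TRAFFIC_SECRET|SERVER_HANDSHAKE_TRAFFIC_SECRET|CLIENT_TRAFFIC_SECRET_0|SERVER_TRAFFIC_SECRET_0|EXPORTER_SECRET) [0-9a-fA-F]{64} [0-9a-fA-F]+$' "$1"
}

# Number of distinct sessions the file can unlock: tshark matches key-log
# entries to captured handshakes by the client_random (second column), so a
# TLS 1.3 session has several lines but counts once.
keylog_session_count() {
    awk 'substr($1,1,1) != "#" && length($2) == 64 && $2 ~ /^[0-9a-fA-F]+$/ && !seen[$2]++ { n++ }
         END { print n + 0 }' "$1"
}

# Full procedure: capture, make the client log its secrets, verify, decrypt.
capture_and_decrypt() {
    mkdir -p "$(dirname "$KEYLOG")"
    : > "$KEYLOG"

    # 1. Capture on the wire (needs root or CAP_NET_RAW).
    tcpdump -i "$IFACE" -w "$PCAP" 'tcp port 443' &
    tcpdump_pid=$!
    sleep 1

    # 2. The TLS endpoint writes the per-session secrets. tshark never does.
    SSLKEYLOGFILE="$KEYLOG" curl -sS -o /dev/null "$URL"
    sleep 1
    kill "$tcpdump_pid"
    wait "$tcpdump_pid" || true

    # 3. Check the log before blaming tshark: an empty file means the client
    #    library did not honour SSLKEYLOGFILE (or the variable never reached it).
    if ! keylog_has_secrets "$KEYLOG"; then
        echo "no secrets in $KEYLOG: the client did not write a key log" >&2
        return 1
    fi
    echo "key log covers $(keylog_session_count "$KEYLOG") session(s)" >&2

    # 4. Decrypt. The preference is tls.keylog_file in current Wireshark
    #    (ssl.keylog_file is the pre-3.0 name); -Y http shows the decrypted HTTP.
    tshark -r "$PCAP" -o "tls.keylog_file:$KEYLOG" -Y http
}

# Run the network part only when asked: sh decrypt.sh run
if [ "${1:-}" = run ]; then
    capture_and_decrypt
fi
```

Run it as `sh decrypt.sh run` on the host where curl executes; if step 3 reports no secrets, the problem is on the client side, not in tshark. One caveat not stated in the thread but worth knowing when reading the question: a key log only unlocks sessions in which the logging process was one of the two endpoints, and handing tshark the server's certificate or private key instead (the RSA keys list) can only decrypt sessions that used RSA key exchange, never (EC)DHE suites, so converting the .pem to .p12 could not have helped here.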
