decrypted frame

asked Nov 10 '3

Picsoufr

Hello everyone,

I first want to analyze the frames in order to find the request on a site. When I analyze the frames I see that the protocol used is TLSv1.3. I created an environment variable to store the keys, then put the file containing the keys in the Wireshark preferences. But I still can't decode the frames. My goal is to find the arguments of the request in decrypted form.


2 Answers

0

answered Nov 10 '3

Picsoufr

And the SSLKEYLOGFILE environment needs to be set for the TLS client (browser) or TLS server (web-service).

When I delete the contents of this file, launch my browser and make a request to a website, the key file does not fill up. If I open Discord, the file fills up. But I want a key for a website.

My final goal would be to first retrieve the contents of a GET method with Wireshark.


Comments

When I delete the contents of this file, launch my browser and make a request to a website, the key file does not fill up.

So the SSLKEYLOGFILE is not picked up by your browser. As the procedure describes: "1. Close the browser completely (check your task manager just to be sure).", thus including any background processes before restarting it with the variable set.

André ( Nov 10 '3 )

When I close Chrome and open the task manager, I no longer see the Chrome application, and I don't see any Chrome processes either. When I restart Chrome, nothing is written in the key file; it remains blank.

Picsoufr ( Nov 10 '3 )

If I restart my PC, and I launch Chrome, I will definitely have the key to decrypt the request made on Chrome?

Picsoufr ( Nov 10 '3 )

To launch Chrome do:

On Windows on a command prompt:

set SSLKEYLOGFILE=%CD%\keylogfile.txt
"%ProgramFiles%\Google\Chrome\Application\chrome.exe"

On Linux:

SSLKEYLOGFILE=$PWD/keylogfile.txt chrome &

On macOS:

export SSLKEYLOGFILE=$PWD/keylogfile.txt
open -a chrome
André ( Nov 10 '3 )

I have succeeded in filling the key file by temporarily uninstalling my antivirus.

Then I can see the HTTP frames in Wireshark. But in none of these frames can I find the query request which is entered in the browser.

Picsoufr ( Nov 12 '3 )
0

answered Nov 10 '3

André

The procedure is described here: https://wiki.wireshark.org/TLS#using-...

Make sure your capture contains the TLS handshake, otherwise the decryption will fail.
And the SSLKEYLOGFILE environment needs to be set for the TLS client (browser) or TLS server (web-service).
SSLKEYLOGFILE does not work on libraries that do not support it, like Windows Secure Channel (Schannel).

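A check for the two failure modes discussed in this thread (a key log file that stays empty, or one filled by a different program such as Discord), as an added example that is not part of the original posts: it parses the NSS key log format that SSLKEYLOGFILE produces and reports whether the session with a given Client Hello random can be decrypted. The function names, messages and sample data are constructed for illustration; the client random is the value Wireshark shows in the Client Hello (field `tls.handshake.random`).

```python
import re

# Labels Wireshark needs to decrypt a TLS 1.3 handshake and its application data.
TLS13_REQUIRED = {"CLIENT_HANDSHAKE_TRAFFIC_SECRET", "SERVER_HANDSHAKE_TRAFFIC_SECRET",
                  "CLIENT_TRAFFIC_SECRET_0", "SERVER_TRAFFIC_SECRET_0"}
# One key log entry: <label> <client random, 32 bytes as hex> <secret as hex>
LINE_RE = re.compile(r"^([A-Z0-9_]+) ([0-9a-fA-F]{64}) ([0-9a-fA-F]+)$")


def parse_keylog(text):
    """Return ({client_random: set of labels}, [numbers of malformed lines])."""
    sessions, bad = {}, []
    for n, line in enumerate(text.splitlines(), 1):
        line = line.strip()
        if not line or line.startswith("#"):  # blank lines and comments are legal
            continue
        m = LINE_RE.match(line)
        if m:
            sessions.setdefault(m.group(2).lower(), set()).add(m.group(1))
        else:
            bad.append(n)
    return sessions, bad


def diagnose(text, client_random):
    """Say whether the key log can decrypt the session with this Client Hello random."""
    sessions, _ = parse_keylog(text)
    if not sessions:
        return "empty: the TLS client never wrote to the file"
    labels = sessions.get(client_random.lower())
    if labels is None:
        return "no entry: the keys belong to other sessions or another process"
    if "CLIENT_RANDOM" in labels:
        return "ok: TLS 1.2 master secret present"
    missing = TLS13_REQUIRED - labels
    if missing:
        return "incomplete: missing " + ", ".join(sorted(missing))
    return "ok: TLS 1.3 traffic secrets present"


# Constructed sample: the hex values are placeholders, not real secrets.
SAMPLE = "\n".join(
    ["# constructed key log"]
    + [f"{label} {'ab' * 32} {'cd' * 48}" for label in sorted(TLS13_REQUIRED)]
    + [f"CLIENT_HANDSHAKE_TRAFFIC_SECRET {'11' * 32} {'ee' * 48}", "not a key line"]
)

if __name__ == "__main__":
    print([diagnose(SAMPLE, r * 32) for r in ("ab", "11", "ff")])
```

To use it on a real file, pass the file's text and the client random copied from the Client Hello of the connection that fails to decrypt.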


Stats

Asked: Nov 10 '3

Seen: 452 times

Last updated: Nov 10 '23