Ask Your Question
0

decrypted frame

asked 2023-11-10 18:29:36 +0000

Picsoufr gravatar image

Hello everyone,

I first want to analyze the frames in order to find the request on a site. When I analyze the frames I see that the protocol used is TLSv1.3. I created an environment variable to store the keys then put the file containing the keys in the wireshark preferences. But I still can't decode the frames. My goal is to find the arguments of the request in decrypted form

edit retag flag offensive close merge delete
add a comment

2 Answers

Sort by » oldest newest most voted
0

answered 2023-11-10 21:03:49 +0000

Picsoufr gravatar image

And the SSLKEYLOGFILE environment needs to be set for the TLS client (browser) or TLS server (web-service).

When I delete the contents of this file, launch my browser and make a request to a website, the key file does not fill up. If I open discord there the file fills up. But i want a key for website

My final goal would be to first retrieve the contents of a Get method with wireshark

edit flag offensive delete link more

Comments

When I delete the contents of this file, launch my browser and make a request to a website, the key file does not fill up.

So the SSLKEYLOGFILE is not picked up by your browser. As the procedure describes; "1. Close the browser completely (check your task manager just to be sure).", thus including any background processes before restarting it with the variable set.

André gravatar imageAndré ( 2023-11-10 21:19:04 +0000 )edit

when I close Chrome and open the task manager I no longer see the Chrome application. and I don't see any chrome processes either. When I restart Chrome nothing is written in the key file it remains blank.

Picsoufr gravatar imagePicsoufr ( 2023-11-10 21:32:23 +0000 )edit

If I restart my PC, and I launch Chrome, I will definitely have the key to decrypt the request made on Chrome?

Picsoufr gravatar imagePicsoufr ( 2023-11-10 21:38:53 +0000 )edit

To launch Chrome do:

On Windows on a command prompt:

set SSLKEYLOGFILE=%CD%\keylogfile.txt
"%ProgramFiles%\Google\Chrome\Application\chrome.exe"

On Linux:

SSLKEYLOGFILE=$PWD/keylogfile.txt chrome &

On MacOS:

export SSLKEYLOGFILE=$PWD/keylogfile.txt
open -a chrome
André gravatar imageAndré ( 2023-11-10 22:46:38 +0000 )edit

I have succeeded in fill the key file by temporarily uninstalling my antivirus.

Then I can see the HTTP frames in wireshark. But in none of these frames I can find the query request which is entered in the browser

Picsoufr gravatar imagePicsoufr ( 2023-11-12 13:35:57 +0000 )edit
add a comment
0

answered 2023-11-10 20:53:06 +0000

André gravatar image

The procedure is described here: https://wiki.wireshark.org/TLS#using-...

Make sure your capture contains the TLS handshake, otherwise the decryption will fail.
And the SSLKEYLOGFILE environment needs to be set for the TLS client (browser) or TLS server (web-service).
SSLKEYLOGFILE does not work on libraries that do not support it, like Windows Secure Channel (Schannel).

edit flag offensive delete link more
add a comment

Your Answer

Please start posting anonymously - your entry will be published after you log in or create a new account.

Add Answer

Question Tools

subscribe to rss feed

Stats

Asked: 2023-11-10 18:29:36 +0000

Seen: 299 times

Last updated: Nov 10 '23

Copyright Wireshark Foundation, 2017-2023 Content on this site is licensed under a Creative Commons Attribution Share Alike 3.0 license.
about | faq | help | privacy policy | terms of service
Powered by Askbot version 0.10.2