Ask Your Question
0

Decrypting my own TLS traffic with tshark

asked 2024-05-14 17:00:37 +0000

freddieventura gravatar image

Hi,

I am developing some Web Applications for what I am doing HTTP requests , in and out my host. I am interested in the HTTPS traffic and I have already captured it with tshark as I mainly work in the command-line.

I have been able to decrypt my own conversations on Wireshark , but dumping my own "TLS" private keys , then referred them on C:\Users\fakuve\AppData\Roaming\preferences

tls.keylog_file: C:\Users\fakuve\Documents\Wireshark\ssl-keys.log

So working with GUI Wireshark , I am able to decrypt those conversations.

On a certain message , If I do follow HTTP Stream , it will show the conversation with the headers.

In this I can see that

Wireshark Follow HTTP Stream (tcp.stream eq 7)

So I go to the terminal and I do

tshark.exe -o "tls.keylog_file: C:\Users\fakuve\Documents\Wireshark\ssl-keys.log" -r https-2024-05-14-17-04.pcap -z "follow,tcp,ascii,7"

And I am getting

``` Follow: tcp,ascii Filter: tcp.stream eq 7

Some IPS.

Loads of unencrypted giversih characters ```

Doesnt tshark have the option to decode these conversations according to the TLS Private keys , as I am doing with GUI Wireshark

Thank you

edit retag flag offensive close merge delete

Comments

Do you get a different result when tshark is asked to make a second pass with the -2 option?

Chuckc gravatar imageChuckc ( 2024-05-14 17:46:15 +0000 )edit

I get the same

freddieventura gravatar imagefreddieventura ( 2024-05-14 19:45:12 +0000 )edit

It works doing tshark.exe -r https-2024-05-14-17-04.pcap -o "tls.keylog_file: C:\Users\fakuve\Documents\Wireshark\ssl-keys.log" -Y "frame.number==28" -V

It is jusrt ultraverbose information , but it does work I bet I need to wrap my head around crafting the command to output what I exactly need.

Thank you

freddieventura gravatar imagefreddieventura ( 2024-05-14 21:15:32 +0000 )edit

1 Answer

Sort by ยป oldest newest most voted
0

answered 2024-05-20 06:01:19 +0000

SYN-bit gravatar image

updated 2024-05-20 06:03:05 +0000

-z "follow,tcp,ascii,7" will output the TCP payload, which is TLS encrypted data, you will have to use -z "follow,tls,ascii,7" to get to the decrypted data (or -z "follow,http,ascii,7" if the http objects are transferred with compression enabled).

edit flag offensive delete link more

Your Answer

Please start posting anonymously - your entry will be published after you log in or create a new account.

Add Answer

Question Tools

1 follower

Stats

Asked: 2024-05-14 17:00:37 +0000

Seen: 709 times

Last updated: May 20