Decrypting my own TLS traffic with tshark
Hi,
I am developing some web applications for which I am doing HTTP requests, in and out of my host.
I am interested in the HTTPS traffic and I have already captured it with tshark
as I mainly work in the command-line.
I have been able to decrypt my own conversations in Wireshark by dumping my own "TLS" private keys, then referring to them in
```
C:\Users\fakuve\AppData\Roaming\preferences
tls.keylog_file: C:\Users\fakuve\Documents\Wireshark\ssl-keys.log
```
So working with GUI Wireshark, I am able to decrypt those conversations.
On a certain message, if I do Follow HTTP Stream, it will show the conversation with the headers.
In this I can see that
Wireshark Follow HTTP Stream (tcp.stream eq 7)
So I go to the terminal and I do
```
tshark.exe -o "tls.keylog_file: C:\Users\fakuve\Documents\Wireshark\ssl-keys.log" -r https-2024-05-14-17-04.pcap -z "follow,tcp,ascii,7"
```
And I am getting
```
Follow: tcp,ascii
Filter: tcp.stream eq 7
Some IPs.
Loads of unencrypted gibberish characters
```
Doesn't tshark have the option to decode these conversations according to the TLS private keys, as I am doing with GUI Wireshark?
Thank you
Do you get a different result when `tshark` is asked to make a second pass with the `-2` option?
I get the same
It works doing
```
tshark.exe -r https-2024-05-14-17-04.pcap -o "tls.keylog_file: C:\Users\fakuve\Documents\Wireshark\ssl-keys.log" -Y "frame.number==28" -V
```
It is just ultra-verbose information, but it does work. I bet I need to wrap my head around crafting the command to output exactly what I need.
Thank you
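An added example, not part of the thread or any poster's own commands: `follow,tcp` prints the raw TCP payload, which for HTTPS is still the TLS records, while `follow,tls` prints the application data after decryption with the key log. The sketch below reuses the capture name, key log path and stream index 7 quoted in the thread, and assumes PowerShell, `tshark.exe` on the PATH and HTTP/1.x traffic inside the TLS session.

```powershell
# Added example; paths and stream index are the ones quoted in the thread.
$pcap   = 'https-2024-05-14-17-04.pcap'
$keylog = 'C:\Users\fakuve\Documents\Wireshark\ssl-keys.log'
$stream = 7

# Options shared by every call: input capture plus the key log preference.
$common = @('-r', $pcap, '-o', "tls.keylog_file:$keylog")

# 1. Without a readable, non-empty key log tshark silently falls back to ciphertext.
if (-not (Test-Path $keylog) -or (Get-Item $keylog).Length -eq 0) {
    throw "Key log file missing or empty: $keylog"
}

# 2. Follow the decrypted TLS stream. -q suppresses the per-packet listing,
#    so only the -z follow output is printed.
#    ("follow,http,ascii,$stream" is the counterpart of the GUI's Follow HTTP Stream.)
$text = & tshark.exe @common -q -z "follow,tls,ascii,$stream"
if ($LASTEXITCODE -ne 0) { throw "tshark failed with exit code $LASTEXITCODE" }

# 3. Check that decryption actually happened: decrypted HTTP/1.x shows a
#    request or status line. If it does not, the key log most likely lacks
#    the secrets for this session (assumption: traffic is not HTTP/2).
if ($text | Select-String -Pattern 'HTTP/1\.[01]' -Quiet) {
    $text
} else {
    Write-Warning "No HTTP/1.x text in stream $stream; session keys may be missing from the key log."
}

# 4. Compact alternative to -V: one tab-separated line per decrypted HTTP message.
$fields = @(
    '-Y', "tcp.stream eq $stream && http",
    '-T', 'fields', '-E', 'header=y',
    '-e', 'frame.number',
    '-e', 'http.request.method',
    '-e', 'http.request.full_uri',
    '-e', 'http.response.code'
)
& tshark.exe @common @fields
```

The key log holds the session secrets for every captured connection, so store it with the same access restrictions as the capture itself and delete it once debugging is done.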