
Decrypting using pms file fails!

asked 2024-05-16 18:24:58 +0000

lrhazi

Hello, I have a pcap created on an F5 device, with the --f5 tls option. I extracted the pms using tshark command, but then when I load it into Wireshark, it does not seem to decrypt traffic. What's odd is that the F5 support engineer tells me it works fine for him, using the same pcap file I have sent him, and the same latest Wireshark version as I am!

The tls log contains the following... any idea what could be wrong with my setup?

https://gist.github.com/lrhazi/03cce9...


Comments

extracted the pms using tshark command

Do you have a link to these steps?

Chuckc ( 2024-05-17 02:07:26 +0000 )

1 Answer


answered 2024-05-17 04:26:32 +0000

lrhazi

updated 2024-05-17 04:26:47 +0000

I found my problem! The pms is created with a command like this:

tshark -r decrypt.pcap -Y f5ethtrailer.tls.keylog -Tfields -e f5ethtrailer.tls.keylog > ./pre_master_log.pms

It turns out my file was created encoded in UTF-16LE (the tshark man page does say it will if output is TTY on and on Windows). Wireshark does not seem to like that. Converting it to UTF-8 fixed it.

Thanks!
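
The failure mode described in the answer above can be checked for and repaired before loading the file into Wireshark. This is an added example, not part of the original post or of Wireshark/tshark: the function names are hypothetical, the sample key line is constructed (not real key material), and the regular expression is only a loose shape check for "LABEL hex hex" key log lines.

```python
import codecs
import re
import sys

# Loose shape of a key log line: LABEL <hex> <hex>, e.g. CLIENT_RANDOM <random> <secret>.
KEYLOG_LINE = re.compile(r"^[A-Z0-9_]+ [0-9a-fA-F]+ [0-9a-fA-F]+$")
BOMS = [(codecs.BOM_UTF8, "utf-8-sig"),
        (codecs.BOM_UTF16_LE, "utf-16"),
        (codecs.BOM_UTF16_BE, "utf-16")]


def detect_encoding(raw):
    """Guess the file encoding from its BOM, or from the NUL-byte pattern."""
    for bom, name in BOMS:
        if raw.startswith(bom):
            return name
    # BOM-less UTF-16 of ASCII text has a NUL in every other byte.
    sample = raw[:200]
    if sample[1::2].count(0) > len(sample) // 4:
        return "utf-16-le"
    if sample[0::2].count(0) > len(sample) // 4:
        return "utf-16-be"
    return "utf-8"


def normalize_keylog(raw):
    """Return (clean_bytes, detected_encoding, rejected_lines)."""
    enc = detect_encoding(raw)
    good, bad = [], []
    for line in raw.decode(enc).splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue  # blank lines and comments carry no keys
        (good if KEYLOG_LINE.match(line) else bad).append(line)
    # Hex and labels are pure ASCII, so the output is valid UTF-8 with no BOM.
    return "".join(l + "\n" for l in good).encode("ascii"), enc, bad


# Constructed sample: one key line as a UTF-16LE redirect with BOM would store it.
SAMPLE_LINE = "CLIENT_RANDOM " + "ab" * 32 + " " + "cd" * 48
SAMPLE_UTF16 = codecs.BOM_UTF16_LE + (SAMPLE_LINE + "\r\n").encode("utf-16-le")

if __name__ == "__main__":
    # Usage: script.py pre_master_log.pms  (writes pre_master_log.pms.utf8)
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE_UTF16
    clean, enc, bad = normalize_keylog(data)
    print(f"detected {enc}, {clean.count(10)} key lines, {len(bad)} rejected")
    if len(sys.argv) > 1:
        open(sys.argv[1] + ".utf8", "wb").write(clean)
```

A detected encoding other than utf-8, or any rejected lines, means the file was not written the way the key log loader expects.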
