
Decrypting using pms file fails!

asked 2024-05-16 18:24:58 +0000

lrhazi

Hello, I have a pcap created on an F5 device, with the --f5 tls option. I extracted the pms using a tshark command, but then when I load it into Wireshark, it does not seem to decrypt traffic. What's odd is that the F5 support engineer tells me it works fine for him, using the same pcap file I have sent him, and the same latest Wireshark version as I am!

The tls log contains the following... any idea what could be wrong with my setup?



extracted the pms using tshark command

Do you have a link to these steps?

Chuckc ( 2024-05-17 02:07:26 +0000 )

1 Answer


answered 2024-05-17 04:26:32 +0000

lrhazi

updated 2024-05-17 04:26:47 +0000

I found my problem! The pms is created with a command like this:

tshark -r decrypt.pcap -Y f5ethtrailer.tls.keylog -Tfields -e f5ethtrailer.tls.keylog > ./pre_master_log.pms

It turns out my file was created encoded in utf-16le (the tshark man page does say it will if output is a TTY and on Windows). Wireshark does not seem to like that. Converting it to utf-8 fixed it.
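
A check for the failure described in the answer above, as an added example that is not part of the original post: it detects a UTF-16 key log file, rewrites it as UTF-8 without a BOM, and reports lines that do not look like key log entries. The function names, the script name and the sample entry are constructed for illustration, and the entries are assumed to follow the NSS key log format that Wireshark reads.

```python
import codecs
import re
import sys

# Assumption: entries follow the NSS key log format ("LABEL <hex> <hex>").
KEYLOG_LINE = re.compile(
    r"^(RSA|CLIENT_RANDOM|CLIENT_EARLY_TRAFFIC_SECRET|"
    r"CLIENT_HANDSHAKE_TRAFFIC_SECRET|SERVER_HANDSHAKE_TRAFFIC_SECRET|"
    r"CLIENT_TRAFFIC_SECRET_0|SERVER_TRAFFIC_SECRET_0|"
    r"EARLY_EXPORTER_SECRET|EXPORTER_SECRET) [0-9a-fA-F]+ [0-9a-fA-F]+$"
)

# Constructed sample (not a real secret): one entry as a UTF-16LE file with BOM.
SAMPLE_LINE = "CLIENT_RANDOM " + "ab" * 32 + " " + "cd" * 48
SAMPLE_UTF16 = codecs.BOM_UTF16_LE + (SAMPLE_LINE + "\r\n").encode("utf-16-le")

def detect_encoding(raw: bytes) -> str:
    """Guess the encoding of a key log file from its leading bytes."""
    if raw.startswith(codecs.BOM_UTF16_LE):
        return "utf-16-le"
    if raw.startswith(codecs.BOM_UTF16_BE):
        return "utf-16-be"
    if raw.startswith(codecs.BOM_UTF8):
        return "utf-8-sig"
    # No BOM: ASCII text stored as UTF-16 has a NUL in every other byte.
    head = raw[:64]
    if len(head) >= 4 and not any(head[1::2]):
        return "utf-16-le"
    if len(head) >= 4 and not any(head[0::2]):
        return "utf-16-be"
    return "utf-8"

def normalize_keylog(raw: bytes):
    """Return (detected encoding, UTF-8 bytes without BOM, unrecognized lines)."""
    enc = detect_encoding(raw)
    text = raw.decode(enc).lstrip("\ufeff")
    lines = [ln.strip() for ln in text.splitlines() if ln.strip()]
    bad = [ln for ln in lines
           if not ln.startswith("#") and not KEYLOG_LINE.match(ln)]
    return enc, ("\n".join(lines) + "\n").encode("utf-8"), bad

if __name__ == "__main__":
    # Usage (hypothetical script name): python fix_keylog.py pre_master_log.pms
    with open(sys.argv[1], "rb") as f:
        enc, clean, bad = normalize_keylog(f.read())
    with open(sys.argv[1], "wb") as f:  # rewrites the file in place
        f.write(clean)
    print(f"was {enc}; {len(bad)} unrecognized line(s)")
```

The key log file holds session secrets for the captured traffic, so keep the converted copy under the same access restrictions as the original.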

