hunting a spyware and decrypting traffic
Hello guys, how are you? Oh, maybe I'm not here to ask you about that. Well, I'm hunting a very advanced spyware that exfiltrates data, maybe through email or Google Talk. So I tried to decrypt the traffic by exporting the SSLKEYLOGFILE variable to a file. Then I loaded the file in the Wireshark TLS protocol option. But unfortunately only 1% of the 443 traffic has been decrypted (HTTP2 protocol).
Can anyone help me understand what's happening?
Also, how do I troubleshoot why the packets haven't been decrypted?
Is there a debug option or log?
Also, how do I know which packets have not been decrypted?
Is something like a "tls and not http2" display filter enough?
Thank u all.
From a practical point of view, decrypting traffic is rather limited these days. A lot of the documentation is outdated by today's standards and those "tricks" won't work.
What does that mean? That I cannot decrypt traffic? So, it's not enough to provide the key under the TLS option?
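As an added example (not from anyone in this thread), a small check for the troubleshooting question above: Wireshark can only decrypt a TLS session when the key log contains an entry for that session's Client Random, so comparing the Client Randoms seen in the capture against the key log shows exactly which sessions were never logged. It assumes the Client Randoms are extracted with `tshark -r capture.pcap -Y "tls.handshake.type == 1" -T fields -e tls.handshake.random`; here both the key log and the Client Random list are constructed inline so it runs offline.

```python
# Added example, not from the thread: which sessions in a capture can the key log
# decrypt? Wireshark pairs key-log lines with sessions by the 32-byte Client Random
# from the ClientHello; a session whose Client Random is absent stays encrypted.

# Constructed key log: one TLS 1.2 session (aa..), one complete TLS 1.3 session
# (bb..) and one TLS 1.3 session with handshake secrets only (dd..).
KEYLOG = "\n".join([
    "# SSL/TLS secrets log file, generated by a browser honouring SSLKEYLOGFILE",
    "CLIENT_RANDOM " + "aa" * 32 + " " + "11" * 48,
    "CLIENT_HANDSHAKE_TRAFFIC_SECRET " + "bb" * 32 + " " + "22" * 32,
    "SERVER_HANDSHAKE_TRAFFIC_SECRET " + "bb" * 32 + " " + "33" * 32,
    "CLIENT_TRAFFIC_SECRET_0 " + "bb" * 32 + " " + "44" * 32,
    "SERVER_TRAFFIC_SECRET_0 " + "bb" * 32 + " " + "55" * 32,
    "CLIENT_HANDSHAKE_TRAFFIC_SECRET " + "dd" * 32 + " " + "66" * 32,
    "SERVER_HANDSHAKE_TRAFFIC_SECRET " + "dd" * 32 + " " + "77" * 32,
])
# Constructed Client Randoms as tshark prints them; cc.. belongs to a process that
# never wrote to the key log, the usual reason a session stays encrypted.
CAPTURE_CLIENT_RANDOMS = ["aa" * 32, "bb" * 32, "cc" * 32, "dd" * 32]
# TLS 1.3 application data needs the traffic secrets; handshake secrets alone only
# unlock the encrypted handshake messages.
TLS13_APP_LABELS = {"CLIENT_TRAFFIC_SECRET_0", "SERVER_TRAFFIC_SECRET_0"}

def parse_keylog(text):
    """Map each Client Random (lower-case hex) to the set of labels logged for it."""
    keys = {}
    for line in text.splitlines():
        parts = line.split()
        if not parts or parts[0].startswith("#") or len(parts) != 3:
            continue  # blank, comment or malformed line; Wireshark skips these too
        label, client_random, _secret = parts
        keys.setdefault(client_random.lower(), set()).add(label)
    return keys

def check_coverage(client_randoms, keylog_text):
    """Classify each session as decryptable, partial (incomplete secrets) or missing."""
    keys = parse_keylog(keylog_text)
    report = {"decryptable": [], "partial": [], "missing": []}
    for cr in client_randoms:
        labels = keys.get(cr.lower())
        if labels is None:
            report["missing"].append(cr)
        elif "CLIENT_RANDOM" in labels or TLS13_APP_LABELS <= labels:
            report["decryptable"].append(cr)
        else:
            report["partial"].append(cr)
    return report

if __name__ == "__main__":
    for status, randoms in check_coverage(CAPTURE_CLIENT_RANDOMS, KEYLOG).items():
        for cr in randoms:
            print(f"{status:12} {cr[:16]}...")
```

Sessions reported as missing usually belong to a process that does not honour SSLKEYLOGFILE (only applications built on NSS, OpenSSL-based tools that opt in, and similar libraries write it), so no Wireshark setting will decrypt them. Wireshark's own reason for skipping a record can be read from the "TLS debug file" preference under Protocols > TLS.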