How do I inject TLS secrets on the fly when capturing with tshark?

asked 2024-07-19 08:05:15 +0000


updated 2024-07-19 09:36:02 +0000

My working workflow is:

  1. start tshark to capture traffic that contains TLS encoded communication, like `tshark -i someinterface -w in.pcap`

  2. do some TLS communication with the application configured to export the TLS keys into a file.

  3. stop tshark

  4. insert TLS keys into the log file, like `editcap --inject-secrets tls,keys.txt in.pcap out-dsb.pcapng`

  5. start Wireshark to inspect the TLS communication, like `Wireshark out-dsb.pcapng`

Now I would like to be able to do step 5, start Wireshark any time during the communication (step 2).

Is there a way to tell tshark to insert the TLS keys into the pcapng file on the fly during capturing so I do not need editcap and I can look at the packetlog while it is still being written?

I know I can configure Wireshark to look at the secrets file itself, but I do this for several logs one after the other and it is inconvenient to reconfigure Wireshark every time to look at different key files. Also, sometimes I have more than one keyfile from different TLS applications.


2 Answers


answered 2024-07-20 04:30:15 +0000


While the answer of @johnthacker is geared towards a (long-term) solution, there might be a workaround for your workflow. If there is a pattern to the naming of your pcap files and the corresponding TLS-keys files, you could create a script/batchfile that takes the common denominator as an argument and starts wireshark reading the pcap file with `-r <filename of pcap file>` and selecting the TLS-keys file with the option `-o tls.keylog_file:<filename of keys file>`.


Comments

Thanks for the suggestion! We will try this. Does anyone know whether Wireshark supports more than one of these `-o` options to look at several keylog files? Anyway, otherwise we will have to merge our keyfiles before submitting them to Wireshark.

hha (2024-07-22 07:48:16 +0000)

I just tried, only the last occurrence of the option is used.

If on Linux/macOS, you might do something like this: `-o tls.keylog_file:<( tail -f a.keys b.keys c.keys .... )`. For Windows there might be a similar construction available (turning the output of a command into a file descriptor with `<(command)`).

SYN-bit (2024-07-22 08:14:09 +0000)

answered 2024-07-19 14:01:40 +0000


updated 2024-07-19 14:05:42 +0000

Currently that isn't possible, but it's a good future enhancement.

In 4.2.x and later releases you can inject currently used TLS secrets from Wireshark. https://www.wireshark.org/docs/wsug_h...

If you configure the log file, it will add any secrets used from the log file to the capture file. It's an alternative to using editcap. It would be nice to add it to tshark. It would also be nice to have it inject automatically with an ongoing capture instead of waiting until the capture is finished to add the secrets, for piping/streaming, but that would be more work.

After injecting the secrets you will need to save the file. It might be an easier workflow for you than using editcap, until such time as it is implemented in tshark.


Comments

Thanks for the answer!

Saves me further looking for the solution.

I am afraid I am looking for the "more work" solution of adding to the ongoing capture. Besides for my purpose dumpcap would work just as well as tshark if that helps any.

For now I will have to implement some workaround (create a temporary copy of the capture and add secrets to the temporary copy with editcap).

Would it be helpful to file a feature request in the issue tracker?

hha (2024-07-19 14:13:55 +0000)
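The two workarounds discussed in this thread (the wrapper script that opens Wireshark with `-r` and `-o tls.keylog_file:` from SYN-bit's answer, and the "temporary copy plus editcap" approach from the comments above) can be combined into one POSIX sh script. This is an added example, not code from the thread or from the Wireshark project. It assumes (naming convention chosen for the example) that a session called NAME has a live capture `NAME.pcap` being written by tshark or dumpcap and a keylog `NAME.keys`, that `editcap` and `wireshark` are on PATH, and that extra keylog files from other TLS applications may be passed as additional arguments:

```shell
#!/bin/sh
# Added example (not from the thread). Snapshot a capture that is still being
# written, inject the merged TLS secrets into the copy with editcap, and open
# the copy in Wireshark. The live capture file is only read, never modified.
set -eu

# Merge any number of NSS keylog files into one. Every keylog line is
# self-contained (e.g. "CLIENT_RANDOM <hex> <hex>"), so concatenation is valid;
# comment and blank lines are dropped and sort -u removes duplicates.
# Fails early if any input is missing, because a pipeline would otherwise hide
# a cat error behind sort's exit status.
merge_keylogs() {
  out=$1
  shift
  for f in "$@"; do
    [ -r "$f" ] || { printf 'keylog file not readable: %s\n' "$f" >&2; return 1; }
  done
  cat "$@" | grep -v '^#' | grep -v '^[[:space:]]*$' | sort -u > "$out"
}

# Copy the live pcap into a work directory and write a pcapng with a
# Decryption Secrets Block. Args: workdir name keylog...
# The secrets file is named merged.keys inside workdir (an example convention).
snapshot_with_secrets() {
  work=$1
  name=$2
  shift 2
  merge_keylogs "$work/merged.keys" "$@"
  cp "$name.pcap" "$work/snapshot.pcap"   # point-in-time copy of the live file
  editcap --inject-secrets "tls,$work/merged.keys" \
    "$work/snapshot.pcap" "$work/$name-dsb.pcapng"
}

# Usage: ./tls_snapshot.sh NAME [extra.keys ...]
# Re-run it whenever a fresh view of the ongoing capture is wanted.
main() {
  name=$1
  shift
  work=$(mktemp -d)
  # The merged keylog is session-secret material: remove the work directory
  # when Wireshark exits (save the pcapng from Wireshark first if it is needed).
  trap 'rm -rf "$work"' EXIT
  snapshot_with_secrets "$work" "$name" "$name.keys" "$@"
  # -o sets the preference for this run only, so the saved profile is untouched;
  # passing the keylog as well covers secrets logged after the pcapng was written.
  wireshark -r "$work/$name-dsb.pcapng" -o "tls.keylog_file:$work/merged.keys"
}

# Run only when invoked with arguments and the tools are present, so the file
# can also be sourced to reuse the functions.
if [ "$#" -gt 0 ] && command -v editcap >/dev/null 2>&1; then
  main "$@"
fi
```

Merging with `cat` is the reliable way to feed several keylog files to one `tls.keylog_file` preference, since only the last `-o` wins. If the `tail -f` process-substitution trick from the comments is used instead, note that `tail` prints `==> file <==` header lines when given several files; `tail -q -f` suppresses them on both GNU and BSD tail.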
