How to know if all the encrypted packets have been decrypted in Wireshark

asked 2024-10-31 03:40:32 +0000

Virgo

I'm looking for a very advanced spyware on my home network infrastructure. The first thing I am trying to do is decrypt the traffic on port 443 with the well-known method, that is, taking advantage of the "SSLKEYLOGFILE" variable in Wireshark. I therefore used the key file to decrypt the traffic. My problem, however, is that once the key file is entered I can't understand if all the packets passing through port 443 have been decrypted. Is there a simple way to know? It is not important for me to specify the operating system because I use different systems and because Wireshark should work identically on the various systems.

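One practical way to answer the question is to let tshark apply the key log file and then compare, per TCP stream, the frames that carry TLS application data (record content type 23) with the frames that Wireshark could dissect beyond the TLS layer (frame.protocols ends in "http" or "http2" only when the record was decrypted). The script below is an added example, not code from the original question or from the Wireshark project; it assumes the tshark export command shown in its docstring, and the sample lines are constructed to mimic that export (stream 1 has application data but no decrypted layer, stream 2 is handshake-only, stream 3 is not on port 443).

```python
"""Report which port-443 TLS streams were NOT decrypted despite a key log file.

Added example (not part of the original post). It assumes tshark is first run
with the key log file and a tab-separated per-frame export, e.g.:

  tshark -r capture.pcapng -o tls.keylog_file:sslkeys.log \
         -T fields -E separator=/t \
         -e tcp.stream -e tcp.port -e tls.record.content_type -e frame.protocols

classify_streams() consumes that output. Multi-valued fields (two ports, several
records in one frame) arrive comma-separated, which is handled below.
"""
from collections import defaultdict

# Layers Wireshark can only reach after TLS decryption succeeded. Assumption:
# the 443 traffic is HTTP/1.x or HTTP/2; add other dissector names if needed.
DECRYPTED_MARKERS = {"http", "http2"}

# Constructed sample of tshark output (stream, ports, content types, protocols).
SAMPLE = """\
0\t51000,443\t22\teth:ethertype:ip:tcp:tls
0\t443,51000\t22,20,23\teth:ethertype:ip:tcp:tls:http2
0\t51000,443\t23\teth:ethertype:ip:tcp:tls:http2
1\t51001,443\t22\teth:ethertype:ip:tcp:tls
1\t443,51001\t23\teth:ethertype:ip:tcp:tls
1\t51001,443\t23\teth:ethertype:ip:tcp:tls
2\t51002,443\t22\teth:ethertype:ip:tcp:tls
3\t51003,8443\t23\teth:ethertype:ip:tcp:tls
"""


def classify_streams(tshark_lines: str, port: int = 443) -> dict:
    """Per tcp.stream on `port`: count frames, app-data records, decrypted frames."""
    streams = defaultdict(lambda: {"frames": 0, "app_data": 0, "decrypted": 0})
    for line in tshark_lines.splitlines():
        if not line.strip():
            continue
        stream, ports, ctypes, protos = line.split("\t")
        if str(port) not in ports.split(","):
            continue  # not the port we are auditing
        entry = streams[stream]
        entry["frames"] += 1
        # Content type 23 = application data; present whether or not decrypted.
        if "23" in ctypes.split(","):
            entry["app_data"] += 1
        layers = protos.split(":")
        if "tls" in layers:
            # Anything dissected above TLS proves the record was decrypted.
            above_tls = layers[layers.index("tls") + 1:]
            if any(layer in DECRYPTED_MARKERS for layer in above_tls):
                entry["decrypted"] += 1
    return dict(streams)


def undecrypted_streams(tshark_lines: str, port: int = 443) -> list:
    """Streams that carried application data but never produced a decrypted layer."""
    summary = classify_streams(tshark_lines, port)
    return sorted(sid for sid, e in summary.items()
                  if e["app_data"] and not e["decrypted"])


if __name__ == "__main__":
    for sid, e in sorted(classify_streams(SAMPLE).items()):
        print(f"stream {sid}: frames={e['frames']} app_data={e['app_data']} "
              f"decrypted={e['decrypted']}")
    print("streams with application data but no decryption:",
          undecrypted_streams(SAMPLE))
```

A stream listed by undecrypted_streams() is one Wireshark saw encrypted records for but never dissected beyond TLS; that is the "key missing for this session" case the question is asking about. If the decrypted payload is not HTTP (for example a custom protocol shown only as "data"), add that dissector name to DECRYPTED_MARKERS or the stream will be reported as undecrypted even though the keys worked.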

Comments

I don't see how this will help you with finding advanced spyware.

hugo.vanderkooij ( 2024-10-31 12:42:02 +0000 )

The only data that come out of my machine are on 443 and UDP:123. If we exclude the NTP server the only one that remains is the browser. If I export the keys and then use them to decrypt the browser traffic and a part of the traffic is not decrypted, then it is most likely that the spyware has been injected into the browser executable or could be an add-on. If using the keys I should be able to decrypt all the traffic but this does not happen, then the thing is very suspicious. Already this, for me, is a big step forward because I have further limited the area of the PC that I have to analyze. If the traffic is visible it means that the spyware is relatively on the surface. If, on the other hand, there is traffic that is not visible then we are talking ...(more)

Virgo ( 2024-10-31 18:25:44 +0000 )

The only data that come out of my machine are on 443 and UDP: 123

This would be somewhat unusual. No ARP, no DNS? Windows systems, especially, can be chatty with other protocols, including port 80 for HTTP.

Bob Jones ( 2024-11-01 11:59:39 +0000 )

Yes, of course also DNS and ARP. And IRC, or IMAP and ping will be salt. But DNS is not encrypted, nor are ARP or ping. 99% of the traffic is on 443.

Virgo ( 2024-11-01 13:31:01 +0000 )