This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

Can we get a decrypted .pcap from an encrypted .pcap file through some command if I have the private key

0

I have the private key. All I want is that if I get an encrypted .pcap file, I should be able to decrypt it using the private key and generate a decrypted .pcap file which I can share with others without sharing the private key.

Please help me out.

Thanks in advance....

asked 17 Apr '13, 21:36


Amby
accept rate: 0%

edited 17 Apr '13, 23:55


SYN-bit ♦♦

I have got the same through VB scripting

  1. Get the pcap file

  2. Use the import1.rb (or vbscript) script to import it www.unleashnetworks.com/devzone/unsniff/...tegory:_ImportExport

  3. Select the decrypted sessions and export them to another pcap file.

Code is something like:

    '
    ' detls - Strip a TLS pcap file into two capture files
    ' 1. A USNF file with only TLS decrypted application records xxx_strip_tls.usnf
    ' 2. A USNF file with only App (HTTP) plain text xxx_strip_app.usnf
    '
    ' Pre-req :
    ' 1. Ensure the private key is specified in unencrypted PKCS8 form via Unsniff
    ' 2. Ensure "Decrypt Upper Layers" is TRUE in Plugins>Configure>TLS
    '

    ' -----------------------
    ' Check usage & arguments
    ' -----------------------
    Set Stdout = WScript.StdOut

    If WScript.Arguments.Count <> 2 Then
        Stdout.WriteLine "Usage: detls <from-filename> <to-pattern>"
        WScript.Quit
    End If

    FromFile = WScript.Arguments.Item(0)

    NewDBName_TLS = WScript.Arguments.Item(1) + "_strip_tls.usnf"
    NewDBName_APP = WScript.Arguments.Item(1) + "_strip_app.usnf"
    NewDBName_TMP = WScript.Arguments.Item(1) + "_tmp.usnf"

    ' A Temp file backing the imported TLS pcap
    Set UnsniffDB_TMP = CreateObject("Unsniff.Database")
    UnsniffDB_TMP.New(NewDBName_TMP)
    UnsniffDB_TMP.Import "libpcap", FromFile

    ' Set up file to receive plaintext stream at TLS Layer
    Set UnsniffDB_TLS = CreateObject("Unsniff.Database")
    UnsniffDB_TLS.New(NewDBName_TLS)

    ' Set up file to receive plaintext stream at APP (HTTP) layer
    Set UnsniffDB_APP = CreateObject("Unsniff.Database")
    UnsniffDB_APP.New(NewDBName_APP)

    ' Examine each stream in imported file, look for decrypted stream
    ' Send streams processed at TLS layer to strip_tls, and HTTP layer to strip_app
    Set STMIndex = UnsniffDB_TMP.StreamIndex
    For Each STM In STMIndex
        If InStr(STM.Description, "[Synt/Decrypted]") > 0 Then
            If STM.DestinationPort = 80 Then
                Stdout.WriteLine "Saving HTTP plaintext " & STM.ID & vbTab & STM.Description
                UnsniffDB_APP.AddStream(STM)
            ElseIf STM.DestinationPort = 443 Then
                Stdout.WriteLine "Saving SSL/TLS plaintext " & STM.ID & vbTab & STM.Description
                UnsniffDB_TLS.AddStream(STM)
            End If
        End If
    Next

    UnsniffDB_TMP.Close()

    UnsniffDB_TLS.Save()
    Stdout.WriteLine "Plain text TLS layer stored in " & NewDBName_TLS

    UnsniffDB_APP.Save()
    Stdout.WriteLine "Plain text APP/HTTP stored in " & NewDBName_APP

(17 Apr '13, 22:17) Amby

All,

I got through VB, but I want it using CMD in Windows.


(17 Apr '13, 22:20) Amby

One Answer:

1

Wireshark can't decrypt the pcap file, but you are able to export the SSL session keys for the SSL sessions in the file. These keys will only decrypt these specific sessions, so you can distribute them freely.

  1. Load the tracefile
  2. Point Wireshark to the private key
  3. Go to "File -> Export -> SSL session keys" to export the session keys to a new file
  4. Provide the tracefile and the file with the session keys to 3rd party

The 3rd party needs to:

  1. Load the capture file
  2. Configure the SSL protocol preferences by filling in the path to the session keys file in "(Pre-)Master-Secret log filename"

There is no way yet to do this in tshark, but there is a workaround by using the ssl-debug file, see http://ask.wireshark.org/questions/20283/programatically-export-the-ssl-session-key

answered 17 Apr '13, 23:54


SYN-bit ♦♦
accept rate: 20%
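As an added example that is not part of the original thread: a small Python check for the session-key file the answer describes, i.e. the NSS key log format that the "Export SSL Session Keys" dialog writes and the "(Pre-)Master-Secret log filename" preference reads. It validates each line and lets you keep only the entries for the ClientHello randoms you actually intend to share, so the third party receives nothing beyond those sessions. The sample key log is constructed (no real key material); the label table follows the format's public definition and is not Wireshark code.

```python
import re
# NSS key log labels with expected hex lengths of (client identifier, secret); None means the
# TLS 1.3 secret length follows the cipher suite hash (64 or 96 hex chars).
LABELS = {
    "RSA": (16, 96),            # first 8 bytes of encrypted pre-master secret, 48-byte pre-master
    "CLIENT_RANDOM": (64, 96),  # 32-byte ClientHello random, 48-byte master secret
    "CLIENT_HANDSHAKE_TRAFFIC_SECRET": (64, None), "SERVER_HANDSHAKE_TRAFFIC_SECRET": (64, None),
    "CLIENT_TRAFFIC_SECRET_0": (64, None), "SERVER_TRAFFIC_SECRET_0": (64, None), "EXPORTER_SECRET": (64, None),
}
HEX = re.compile(r"^[0-9a-fA-F]+$")

def parse_keylog(text):
    """Return (valid entries, rejected lines); an entry is (label, identifier, secret)."""
    good, bad = [], []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # '#' comment lines are allowed (browser SSLKEYLOGFILE output starts with one)
        parts = line.split()
        if len(parts) != 3 or parts[0] not in LABELS:
            bad.append((lineno, "unknown label or field count"))
            continue
        label, ident, secret = parts
        id_len, sec_len = LABELS[label]
        if not (HEX.match(ident) and HEX.match(secret)):
            bad.append((lineno, "non-hex field"))
        elif len(ident) != id_len or (sec_len and len(secret) != sec_len) or len(secret) % 2:
            bad.append((lineno, "wrong field length"))
        else:
            good.append((label, ident.lower(), secret.lower()))
    return good, bad

def filter_keylog(text, client_randoms):
    """Keep only the entries for the given ClientHello randoms (hex, case-insensitive)."""
    wanted = {c.lower() for c in client_randoms}
    good, _ = parse_keylog(text)
    return "".join(f"{l} {i} {s}\n" for l, i, s in good if i in wanted)

# Constructed sample (not real key material) in the layout Wireshark exports.
SAMPLE_KEYLOG = "\n".join([
    "# constructed sample key log",
    "RSA 0123456789abcdef " + "11" * 48,
    "CLIENT_RANDOM " + "aa" * 32 + " " + "22" * 48,
    "CLIENT_RANDOM " + "BB" * 32 + " " + "33" * 48,
    "CLIENT_RANDOM " + "cc" * 32 + " " + "zz" * 48,  # secret is not hex
    "CLIENT_RANDOM " + "dd" * 32,                     # secret field missing
])
if __name__ == "__main__":
    print(parse_keylog(SAMPLE_KEYLOG)[1])  # rejected lines with reasons
    print(filter_keylog(SAMPLE_KEYLOG, ["bb" * 32]), end="")
```

Run it against a real exported file by reading the file into `filter_keylog` and listing the client randoms of the sessions you want the third party to see; everything else is dropped before the file leaves your hands.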

To automate the task of sharing an encrypted SSL session, would it make sense to add an option for "exporting" the SSL session keys to a new pcapng option frame? This would eliminate the whole storing and loading of the keys and there would be only one file to exchange.

(18 Apr '13, 01:39) Kurt Knochner ♦

Yes, that does make sense and has been discussed before @ Sharkfest. I expected it to be on the Wireshark pcapng wishlist, but it wasn't there so I added it...

(18 Apr '13, 01:51) SYN-bit ♦♦

I expected it to be on the Wireshark pcapng wishlist, but it wasn't there so I added it...

Thanks

(18 Apr '13, 01:56) Kurt Knochner ♦