tshark and SSL/TLS Traffic

Hello, I want to use tshark to read some pcaps on my Linux server, and I was hoping I could decrypt the SSL traffic using the ssl.keylog option, but somehow it does not work.

  • I capture traffic using tcpdump for a given interface and port. I make sure there is traffic using a custom.pem certificate towards that port. I see the .pcap increasing.
  • I open the .pcap using tshark with:

tshark -r /tmp/mycapture.pcap -o "ssl.keylog_file:/tmp/ssl_log/ssl_keylog.txt"

But ssl_keylog.txt gets nothing written to it and the SSL traffic is not shown.

I then tried to tell tshark where my cert is, just in case it is not finding it somehow:

tshark -r /tmp/mycapture.pcap -o "ssl.keylog_file:/tmp/ssl_log/ssl_keylog.txt" -o "ssl.debug_file:/opt/ssl_log/certificate.pem"

I also tried converting the .pem to .p12, but I got the same issue.

What am I missing here?
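
A diagnostic for the setup described above, as an added example that is not part of the original post: tshark only reads the file named in ssl.keylog_file, so that file must already hold secrets logged by one of the TLS endpoints for the sessions in the capture. The function names and sample values are constructed, and the `tls.handshake.random` field name in the comment assumes a current Wireshark release.

```shell
#!/bin/sh
# Added example: check whether a TLS key log can decrypt sessions in a capture.
# Function names and demo data are constructed for illustration.

# NSS key log line: LABEL <32-byte client random> <secret>, both in hex.
KEYLOG_RE='^(CLIENT_RANDOM|CLIENT_EARLY_TRAFFIC_SECRET|CLIENT_HANDSHAKE_TRAFFIC_SECRET|SERVER_HANDSHAKE_TRAFFIC_SECRET|CLIENT_TRAFFIC_SECRET_0|SERVER_TRAFFIC_SECRET_0|EXPORTER_SECRET) [0-9a-fA-F]{64} [0-9a-fA-F]+$'

# keylog_valid_lines FILE
# Prints the number of well-formed secret lines (0 if FILE is missing or empty).
keylog_valid_lines() {
    [ -s "$1" ] || { echo 0; return 0; }
    grep -Ec "$KEYLOG_RE" "$1" || true
}

# keylog_covered KEYLOG RANDOMS
# Prints how many client randoms in RANDOMS (one hex value per line, colons
# allowed) have a matching secret in KEYLOG. RANDOMS comes from the capture:
#   tshark -r /tmp/mycapture.pcap -Y 'tls.handshake.type == 1' \
#          -T fields -e tls.handshake.random > randoms.txt
keylog_covered() {
    n=0
    for r in $(tr -d ':' < "$2" | tr 'A-F' 'a-f' | sort -u); do
        if grep -E "$KEYLOG_RE" "$1" 2>/dev/null \
            | awk '{print tolower($2)}' | grep -qxF "$r"; then
            n=$((n + 1))
        fi
    done
    echo "$n"
}

# Constructed demo: two sessions in the "capture", a key for only one of them.
demo_dir=$(mktemp -d)
printf 'CLIENT_RANDOM %s %s\n' "$(printf '%064d' 1)" "$(printf '%096d' 7)" \
    > "$demo_dir/keys.txt"
printf '%s\n%s\n' "$(printf '%064d' 1)" "$(printf '%064d' 2)" \
    > "$demo_dir/randoms.txt"
echo "valid key log lines: $(keylog_valid_lines "$demo_dir/keys.txt")"
echo "sessions with keys:  $(keylog_covered "$demo_dir/keys.txt" "$demo_dir/randoms.txt") of 2"
rm -rf "$demo_dir"
```

A count of 0 from either function means tshark has nothing to decrypt with, whatever preference points at the file.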