This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

SSL Decrypt to File

1

Hi, I need to decode an SSL stream from a pcap file and save the decoded stream to a new pcap file. I use the capture http://wiki.wireshark.org/SampleCaptures?action=AttachFile&do=view&target=snakeoil2_070531.tgz and the key from http://wiki.wireshark.org/SSL for testing. So with the command:

tshark -n -d tcp.port==443,http -o "ssl.desegment_ssl_records: TRUE" -o "ssl.desegment_ssl_application_data: TRUE" -o "ssl.keys_list: 127.0.0.1,443,http,/snakeoil2_070531/rsasnakeoil2.key" -r /snakeoil2_070531/rsasnakeoil2.cap

tshark prints the textual version of the decoded packets on screen correctly. Now I need to save the real decoded (ssl->http) packets, not text, to a new file.

Using the -w option, tshark saves the same packet dump that it reads (rsasnakeoil2.cap) to another file (test.pcap). The two files are equal.

tshark -n -d tcp.port==443,http -o "ssl.desegment_ssl_records: TRUE" -o "ssl.desegment_ssl_application_data: TRUE" -o "ssl.keys_list: 127.0.0.1,443,http,/snakeoil2_070531/rsasnakeoil2.key" -r /snakeoil2_070531/rsasnakeoil2.cap -w test.cap

I can't understand why tshark can't save the decoded SSL traffic to another file. Help me.

Details of my Wireshark version: wireshark 1.4.4

Copyright 1998-2011 Gerald Combs [email protected] and contributors. This is free software; see the source for copying conditions. There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.

Compiled (64-bit) with GTK+ 2.22.1, with GLib 2.26.1, with libpcap 1.1.1, without libz, with POSIX capabilities (Linux), without libpcre, without SMI, without c-ares, without ADNS, without Lua, without Python, with GnuTLS 2.10.4, with Gcrypt 1.4.6, with Heimdal Kerberos, without GeoIP, without PortAudio, without AirPcap.

Running on Linux 2.6.37-ARCH, with libpcap version 1.1.1, GnuTLS 2.10.5, Gcrypt 1.4.6.

Built using gcc 4.5.2 20110127 (prerelease).

asked 03 Apr '11, 14:28


mkl
accept rate: 0%


One Answer:

0

Wireshark and tshark can't save decrypted data back into a new pcap file.

The best thing you can do is add -V (full decodes) to your tshark command and redirect the output to a text file and supply that with the pcap file.

Please also have a look at feature request 3444, in which the same question was asked.

answered 03 Apr '11, 14:36


SYN-bit ♦♦
accept rate: 20%
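Because the decrypted bytes exist only in tshark's dissection output, the `-V` text file is what gets correlated with the original pcap. As an added example, not from this thread or from Wireshark itself, here is a small Python parser that pulls the decrypted HTTP header lines out of a constructed, simplified `-V` dump and keys them by frame number; the sample text and the exact indentation layout it assumes are assumptions, so check them against the real output of your tshark build.

```python
import re

# Constructed, simplified excerpt of `tshark -V` output for an RSA-decrypted
# HTTPS session (not real output from the snakeoil2 capture). The decrypted
# HTTP layer appears as a top-level "Hypertext Transfer Protocol" section whose
# direct children (4-space indent) are the header lines; deeper lines are the
# per-field breakdown. tshark prints CRLF as the literal characters \r\n.
SAMPLE_VERBOSE = """\
Frame 4: 295 bytes on wire (2360 bits), 295 bytes captured (2360 bits)
Internet Protocol, Src: 127.0.0.1 (127.0.0.1), Dst: 127.0.0.1 (127.0.0.1)
Transmission Control Protocol, Src Port: 38713 (38713), Dst Port: 443 (443)
Secure Socket Layer
    TLSv1 Record Layer: Application Data Protocol: http
        Content Type: Application Data (23)
        Encrypted Application Data: 7f3c...
Hypertext Transfer Protocol
    GET /index.html HTTP/1.1\\r\\n
        Request Method: GET
        Request URI: /index.html
    Host: localhost\\r\\n
    User-Agent: curl/7.21.0\\r\\n
    \\r\\n

Frame 6: 1167 bytes on wire (9336 bits), 1167 bytes captured (9336 bits)
Secure Socket Layer
    TLSv1 Record Layer: Application Data Protocol: http
Hypertext Transfer Protocol
    HTTP/1.1 200 OK\\r\\n
        Response Version: HTTP/1.1
        Status Code: 200
    Content-Type: text/html\\r\\n
    Content-Length: 1024\\r\\n
    \\r\\n
"""

FRAME_RE = re.compile(r"^Frame (\d+):")


def decrypted_http_by_frame(verbose_text):
    """Map frame number -> list of decrypted HTTP header lines from -V text."""
    result, frame, in_http = {}, None, False
    for line in verbose_text.splitlines():
        m = FRAME_RE.match(line)
        if m:                                   # new frame starts
            frame, in_http = int(m.group(1)), False
            continue
        if not line.startswith(" "):            # any top-level protocol line
            in_http = line.startswith("Hypertext Transfer Protocol")
            continue
        if not in_http or frame is None or line.startswith("     "):
            continue                            # outside HTTP, or field detail
        header = line.strip()
        if header.endswith("\\r\\n"):           # drop the literal CRLF marker
            header = header[:-4]
        if header:
            result.setdefault(frame, []).append(header)
    return result


if __name__ == "__main__":
    for frame, headers in sorted(decrypted_http_by_frame(SAMPLE_VERBOSE).items()):
        print(frame, headers[0])
```

Run it against a real dump with `tshark ... -V > decoded.txt` and pass the file contents to `decrypted_http_by_frame`; the frame numbers match those in the pcap you ship alongside the text.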