This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

Don't have keys to decrypt pcap file

0

Hi all, I have a pcap file which I want to decrypt in Wireshark. The file has the full TCP & TLS handshake. But to decrypt it I don't have keys. Any ideas how it can be done?

Thanks & Regards, nm

asked 28 Mar '15, 00:41


nm04
accept rate: 0%


One Answer:

0

It can't be done without the keys.

answered 28 Mar '15, 09:29


Jasper ♦♦
accept rate: 18%

Jasper, I read on the internet that if I have the full capture it can be done. Apart from this, the cipher suites used are RSA and DHE.

(30 Mar '15, 04:09) nm04

You can't, if you don't have the keys. That's what crypto is good for - preventing reading the content when you're not authorized (meaning: have no keys).

What you have read is that you need the TLS handshake to be able to decrypt the conversation with the keys. Because if you have the keys but not the handshake you can't decrypt the conversation either.

(30 Mar '15, 04:12) Jasper ♦♦

The NSA claims it can be done ;-))

(30 Mar '15, 04:20) Kurt Knochner ♦