I am the developer of a device which now maintains a queue of packet traffic from which you can generate a PCAPNG file on command. The resulting file can be easily downloaded and wonderfully opened by Wireshark. Thank you all for that.
I've also developed all of the crypto for that device (as we don't use 3rd party software so as to be assured of being able to debug, not have to work-around, and respond quickly).
Regarding SSL decoding, I have access to all of the key material for a connection; has Wireshark grown to support the master secret (whatever is needed) from the capture file?
I can decode when I have the private key. This is generally only with incoming TLS connections. Outgoing traffic (recently SMTP using STARTTLS) ends up encoded with the remote server's key. It would be so nice to include the key material in the capture file. I'd have to figure out how to log it in the queue but that's the fun stuff to do.
Wireshark has support for decryption using an RSA key file (when RSA key exchanges are in use) or the (pre-)master secrets. See this list for all supported formats.
The pcapng format does not have support for including key material. There was a suggestion in the past, but nothing has really materialized: https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=9616
The current best practice is to create a second file that contains the key material (also known as the "(pre-)master secrets key log file"). This file can then be configured in the SSL/TLS dissector. A common convention given a pcap "foo.pcapng" is to name the keylog file "foo.keys", but you can use any name you like (I often use "premaster.txt").
answered 14 Oct '16, 07:37
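The key log file approach in this answer, as an added example that is not part of the original post or of Wireshark: it writes and validates `CLIENT_RANDOM` entries in the NSS key log format the TLS dissector reads. Where the device obtains `client_random` and the master secret is assumed, and all sample material is constructed.

```python
"""Write and read a TLS key log file in the NSS SSLKEYLOGFILE format, the
"(pre-)master secrets key log file" Wireshark's TLS dissector reads.

Added example, not code from the original post or from Wireshark. Where the
device obtains client_random / master_secret is assumed; sample material
used with it is constructed, not real."""
import os

CLIENT_RANDOM_LEN = 32   # ClientHello.random
MASTER_SECRET_LEN = 48   # TLS 1.2 master secret

def keylog_line(client_random: bytes, master_secret: bytes) -> str:
    """Format one CLIENT_RANDOM entry; refuse malformed material so one bad
    line cannot silently break decryption for the sessions around it."""
    if len(client_random) != CLIENT_RANDOM_LEN:
        raise ValueError(f"client_random must be {CLIENT_RANDOM_LEN} bytes")
    if len(master_secret) != MASTER_SECRET_LEN:
        raise ValueError(f"master_secret must be {MASTER_SECRET_LEN} bytes")
    return f"CLIENT_RANDOM {client_random.hex()} {master_secret.hex()}"

def append_keylog(path, client_random, master_secret):
    """Append one entry to e.g. foo.keys; mode 0600 because the file
    decrypts the captured traffic."""
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_APPEND, 0o600)
    with os.fdopen(fd, "a") as f:
        f.write(keylog_line(client_random, master_secret) + "\n")

def parse_keylog_text(text):
    """Parse key log contents into {client_random: master_secret}, skipping
    blank/comment lines and rejecting entries with wrong field lengths."""
    table = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split()
        if len(parts) != 3 or parts[0] != "CLIENT_RANDOM":
            raise ValueError(f"line {lineno}: unsupported entry")
        rnd, ms = bytes.fromhex(parts[1]), bytes.fromhex(parts[2])
        if len(rnd) != CLIENT_RANDOM_LEN or len(ms) != MASTER_SECRET_LEN:
            raise ValueError(f"line {lineno}: bad field length")
        table[rnd] = ms
    return table

def parse_keylog(path):
    """Read a key log file (e.g. foo.keys) back into a lookup table."""
    with open(path) as f:
        return parse_keylog_text(f.read())
```

The resulting file is what you point the dissector's "(Pre)-Master-Secret log filename" setting at, alongside the pcapng.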