
Hi, I'm trying to decrypt an ssl conversation using the ssl key.

This is working in the Wireshark GUI.
When I try to decrypt in tshark, this is also working, but I want to decrypt it and save the result as a pcap file. This doesn't work.
When I use:
tshark -o "ssl.desegment_ssl_records: TRUE" -o "ssl.desegment_ssl_application_data: TRUE" -o "ssl.keys_list:,443,http,/trace/test/test.pem" -t ad -r 443_test.pcap -w decrypted.pcap
the result is the same as the input-file.

Is there a way I can decrypt via cli to a pcap file?
I want to use the resulting pcap-file as input for tcpick, so I can save complete TCP sessions.

asked 27 Sep '11, 02:34 by fcozijnsen

The short answer: Wireshark/tshark aren't capable of saving decrypted packets to a pcap file.

See message thread starting at http://www.wireshark.org/lists/wireshark-users/201105/msg00000.html for some (possibly) relevant information.

See especially: http://www.wireshark.org/lists/wireshark-users/201105/msg00002.html

A Google search may find further info.


answered 27 Sep '11, 06:22


Bill Meier ♦♦

edited 27 Sep '11, 06:38

Is there another way to create separate files for each communication session? I'm now using tcpick to separate the TCP streams from each other (and save each stream in a file), but this doesn't support SSL. I'd rather use Wireshark, but is this even possible?

(27 Sep '11, 06:28) fcozijnsen