Wireshark-users: Re: [Wireshark-users] saving decoded ssl packets back to libpcap format
From: Vijay Sitaram <vjatfugen@xxxxxxxxx>
Date: Tue, 21 Nov 2006 18:47:26 -0800 (PST)
Hi Ken,
Let us know if your exercise is successful since I think there are other users who would be interested in the same functionality.
I doubt that you can use the text2pcap utility, since it does not appear to support decryption. The key point here is that 'wireshark' or 'tshark' can decrypt SSL traffic (using the server private key). So, I have looked into the option of adding '-T pdml' as a command argument to 'tshark'.
I do see the result, but still have to execute additional steps (such as ASCII/HEX decoding) to get the final result. Perhaps we can use the text2pcap program for this purpose; I have not looked deep into this. However, I think you are looking for a one-step process for achieving the result, which I don't think exists as of yet (a nice-to-have feature :).
Kind regards,
Vijay
Kenneth Hunt <kenneth.hunt.b@xxxxxxxxx> wrote:
OK... I worked on this yesterday, and I think the answer involves text2pcap, which can read in hex dumps of packets... My theory is that decoding the packets and saving them in the interim format means I can pull them back in, decoded... Anyone else think this is possible?
Can anyone confirm this is the right approach? I think I'm missing the correct switches on the commandline when writing the packets to a file:
tshark -x -r rsasnakeoil2.cap -o "ssl.keys_list: 127.0.0.1,443,http,./rsasnakeoil2.key" -o "ssl.debug_file: ./ssldebug.txt" -w out.cap
All I get is the encoded packet stream in the .cap file.
Kenneth Hunt
Bayer Corporate and Business Services LLC
North America Information Technology
IS Analyst
http://www.linkedin.com/in/kennethhunt
"deepali goel" <deepaligoel2003@xxxxxxxxx>
Sent by: wireshark-users-bounces@xxxxxxxxxxxxx
11/20/2006 11:45 PM
Please respond to: Community support list for Wireshark <wireshark-users@xxxxxxxxxxxxx>
To: "Community support list for Wireshark" <wireshark-users@xxxxxxxxxxxxx>
cc:
Subject: Re: [Wireshark-users] saving decoded ssl packets back to libpcap format
I know the contents of my packet but can't see the packet flowing in the traffic captured??
On 11/21/06, Kenneth Hunt <kenneth.hunt.b@xxxxxxxxx> wrote:
I can open the sample file snakeoil2.tgz in the wiki: http://wiki.wireshark.org/SSL
Is it possible to save the decoded packets back to libpcap format so I can reopen it without the SSL settings?
I am using 127.0.0.1,443,http,c:\rsasnakeoil2.key with the private key in the root of my c drive.
Kenneth Hunt
Bayer Corporate and Business Services LLC
North America Information Technology
IS Analyst
_______________________________________________
Wireshark-users mailing list
Wireshark-users@xxxxxxxxxxxxx
http://www.wireshark.org/mailman/listinfo/wireshark-users
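Added example, not part of the original thread and not Wireshark project code: a minimal Python version of the conversion step the thread attributes to text2pcap, turning an offset-prefixed hex dump back into a libpcap file. It performs no decryption. It assumes each dump is one complete Ethernet frame, byte pairs are single-spaced, and the ASCII column is at least two spaces away; the sample dump and the names `parse_hexdump`, `to_pcap` and `rebuilt.pcap` are constructed for illustration.

```python
import re
import struct

LINKTYPE_ETHERNET = 1  # assumption: every dump is one complete Ethernet frame

# Hex offset, then single-spaced byte pairs; the ASCII column (2+ spaces away) is ignored.
DUMP_LINE = re.compile(r"^([0-9a-fA-F]{4,})\s+((?:[0-9a-fA-F]{2} ?)+)")

# Constructed sample (not a real capture): two short frames in offset/hex/ASCII layout.
SAMPLE = """\
Frame 1
0000  00 11 22 33 44 55 66 77 88 99 aa bb 08 00 45 00   .."3DUfw......E.
0010  00 14 de ad                                       ....
Frame 2
0000  ff ff ff ff ff ff 00 11 22 33 44 55 08 06         ........"3DU..
"""

def parse_hexdump(text):
    """Return a list of packets; a line at offset 0 starts a new packet."""
    packets = []
    for line in text.splitlines():
        m = DUMP_LINE.match(line)
        if not m:
            continue  # labels, blank lines, anything that is not a dump line
        offset, data = int(m.group(1), 16), bytes.fromhex(m.group(2))
        if offset == 0:
            packets.append(bytearray())
        # Offsets must be contiguous, otherwise bytes were lost or lines reordered.
        if not packets or offset != len(packets[-1]):
            raise ValueError(f"unexpected offset {offset:#06x}: {line!r}")
        packets[-1] += data
    return [bytes(p) for p in packets]

def to_pcap(packets, linktype=LINKTYPE_ETHERNET, ts_sec=0):
    """Serialize packets as a little-endian libpcap 2.4 file image."""
    # Global header: magic, version 2.4, thiszone, sigfigs, snaplen, link type.
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, linktype)
    for pkt in packets:
        # Record header: ts_sec, ts_usec, captured length, original length.
        out += struct.pack("<IIII", ts_sec, 0, len(pkt), len(pkt)) + pkt
    return out

if __name__ == "__main__":
    frames = parse_hexdump(SAMPLE)
    with open("rebuilt.pcap", "wb") as fh:
        fh.write(to_pcap(frames))
    print([len(f) for f in frames])
```

A dump whose offsets skip or repeat raises `ValueError` instead of producing a silently truncated frame.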