Wireshark-users: [Wireshark-users] how to convert ssl pcap to decrypted pcap file that can be use
I need to convert an HTTPS pcap file into a decrypted HTTP pcap file so I can use it with tcpflow to create separate files for each session.
However, I am unable to achieve this. I am using the rsasnakeoil sample file from the Wireshark site for testing.
When I don't use the -w flag I can see the output on the console showing me the HTTP Encrypted Application Data decoded; however, if I use the -w flag to decrypt it and open the decrypted pcap file, it still shows as Encrypted Data.
Shouldn't the new file be decrypted?
Output snippet if I don't use the "-w" flag:
$~/work/wireshark-0.99.7/tshark -V -r /tmp/rsasnakeoil2.cap -o "ssl.keys_list:127.0.0.1,443,http,/tmp/rsasnakeoil2.key" -o"ssl.debug_file:/tmp/debug.txt" > cap.txt
-------------you can see that frame 11 application data is visible ---------------
Secure Socket Layer
SSLv3 Record Layer: Application Data Protocol: http
Content Type: Application Data (23)
Version: SSL 3.0 (0x0300)
Length: 432
Encrypted Application Data: 4AC33E9D7778012CB4BC4C9A84D7B9900C2110F0FA007C16...
Hypertext Transfer Protocol
GET / HTTP/1.1\r\n
Request Method: GET
Request URI: /
Request Version: HTTP/1.1
Host: localhost\r\n
User-Agent: Mozilla/5.0 (X11; U; Linux i686; fr; rv:1.8.0.2) Gecko/20060308 Firefox/1.5.0.2\r\n
Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5\r\n
Accept-Language: fr,fr-fr;q=0.8,en-us;q=0.5,en;q=0.3\r\n
Accept-Encoding: gzip,deflate\r\n
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7\r\n
Keep-Alive: 300\r\n
Connection: keep-alive\r\n
\r\n
---------------------end of sample ----------------------------------------------------
Now, if I use the "-w" flag, save the file and open it in Wireshark, I assumed that the application data should have been decrypted:
$~/work/wireshark-0.99.7/tshark -V -r /tmp/rsasnakeoil2.cap -o "ssl.keys_list:127.0.0.1,443,http,/tmp/rsasnakeoil2.key" -o"ssl.debug_file:/tmp/debug.txt" -F libpcap -w - > /tmp/test
---------------here is what i see in wireshark gui for frame 11-------------------------------------------
Secure Socket Layer
SSLv3 Record Layer: Application Data Protocol: http
Content Type: Application Data (23)
Version: SSL 3.0 (0x0300)
Length: 408
Encrypted Application Data: 842F81CCD99765C1AC2AC1B6CE9250D339BC7454C8A623FC...
---------------------end----------------------------------------------------------------------------------
Please help!!!
-Vishal Arya
www.vishalarya.in