Wireshark · Wireshark-users: Re: [Wireshark-users] Decrypting SSL traffic through tshark

Wireshark-users: Re: [Wireshark-users] Decrypting SSL traffic through tshark

From: Sake Blok <sake@xxxxxxxxxx>

Date: Thu, 11 Nov 2010 19:14:08 +0100

On 11 nov 2010, at 07:34, Sahaj wrote:

> I need to decrypt SSL traffic to get content length.
> 
> ./tshark   -o "ssl.keys_list:,443,http,client.ky" -T fields -E separator=":"  -e frame.time_relative -e frame.number -e tcp.len -e http.content_length -e tcp.flags.fin -e tcp.flags.push  -R "ip.src == source_ip && ip.dst == destination_ip  && tcp.srcport == 443 && ! (tcp.analysis.out_of_order)  && ! (tcp.analysis.retransmission) "  -r sample.pcap
> [...]
> the field for content length is empty.
> 
> please help me out and suggest me if i am missing anything or doing wrong.

You should use the server IP address in the keys_list:

 -o "ssl.keys_list:<SERVER-IP>,443,http,client.ky"

It also helps if you add:

-o "ssl.debuf_file:ssl-debug.log"

That way you can see in the logfile if the key is loaded OK in Wireshark and you can follow the decryption process.

Let's see how that goes first...

Cheers,


Sake

References:
- [Wireshark-users] Decrypting SSL traffic through tshark
  - From: Sahaj

Prev by Date: Re: [Wireshark-users] Crash when LTE dissector (over UDP framing) enabled
Next by Date: [Wireshark-users] Trouble converting .pcap file to XML (pdms) via command line in Windows
Previous by thread: [Wireshark-users] Decrypting SSL traffic through tshark
Next by thread: Re: [Wireshark-users] Decrypting SSL traffic through tshark
Index(es):
- Date
- Thread