Wireshark-users: [Wireshark-users] How to decrypt SSL in TShark 1.6.5 (giving the key file in the
From: rouli <rouli.net@xxxxxxxxx>
Date: Tue, 7 Feb 2012 17:47:34 +0200
I'm using tshark to decrypt ssl traffic in pcaps, using the -o "ssl.keys_list:..." option to specify the keyfile. 
It worked well for tshark 1.6.2 and lower.

Here's an example:
"c:\Program Files\Wireshark\tshark.exe" -r "C:\temp\input.pcap" -o "http.tcp.port:80,80,8080,8888" -o "ssl.keys_list:172.30.2.31,443,http,"C:/temp/private.key""  -R "http" -T pdml


However, I can't find the right command line to make it work with 1.6.5. Trying the one above, tshark crashes - apparently it's missing the extra password parameter. Trying to add a blank password (ssl.keys_list:172.30.2.31,443,http,"C:/temp/private.key","") doesn't work either - tshark doesn't crash, but doesn't decrypt the traffic either. In the ssl debug log it says 

ssl_parse: Can't load UAT string "172.30.2.31","443","http","C:/temp/private.key,"","": ssl_keys:1: unexpected char '"'

while looking for field keyfile


I've tried several other options, with similar errors in the log file, or an error that it can find my key file. One important thing to mention - my key file is not encrypted, and setting this params using the UI (which I don't want to do, I need automation capabilities) works fine.

Any ideas?

Thanks,
-rouli