This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

How do you use tshark with multiple ssl keys?

0

I understand it's possible to do SSL decryption with tshark by giving a key rule with the ssl.keys_list preferences option. However I've only seen examples with a single key, and I can't find any real documentation for it. Is it possible to use tshark with multiple key rules, like you can in the Wireshark GUI?

asked 26 Feb '13, 23:03

rakslice's gravatar image

rakslice
9115
accept rate: 0%

edited 26 Feb '13, 23:03

One Answer:

2

It's possible, and there are a couple of ways to go about it.

First, you can set the preferences on the CLI using the -o flag and a semi-colon to separate them like this:

tshark -o "ssl.keys_list:ip1,port1,proto1,key1;ip2;port2;proto2;key2" ... (rest of your command)

the "key" field is the path to the RSA Key file somewhere on disk.

Second, starting I think in Wireshark 1.8, whenever you configure SSL Decodes in the GUI, they are written to a file on disk in your Wireshark preferences directory (mac/linux that's ~/.wireshark/).

If you look in there at the ssl_keys file, you'll see all your keys listed. tshark respects this file when starting up, so you could configure multiple keys in the GUI, and then using tshark, it will inherit all of those same keys BY DEFAULT and you won't need to use the -o flag.

Have fun!

answered 27 Feb '13, 06:40

zachad's gravatar image

zachad
331149
accept rate: 21%

1

One additional note: If you specify more than one key for a given IP address and port combination, only the last will be tried.

(06 Mar '13, 18:50) rakslice