i am new to wireshark and trying to get a little exposer. Is there any way to export SSL session key through command line.
Please help me....
\Thanks in advance... :)
asked 10 Apr '13, 07:08
As @SYN-bit said, there is no CLI option to do that.
But, you could run tshark with a SSL debug file and then extract the SSL session keys from the debug file.
Use a command like this (not tested lately!).
Please replace x.x.x.x with the IP address of your server.
After tshark has finished, parse the file ssl_debug.log (with your preferred scripting language) and extract the SSL session keys. Search for the string below and extract the consecutive lines, which is the SSL session key in HEX.
answered 10 Apr '13, 07:31
Kurt Knochner ♦
edited 10 Apr '13, 07:53
As @Kurt pointed out, the SSL session keys are available in the ssl-debug file (nice one Kurt), it just needs to be reformatted.
I did a little CLI mungling and came with the following oneliner (on multiple lines for readability):
Which transforms the following output in the ssl-debug file:
Which is the format needed for Wireshark to be able to import the session keys to decrypt the SSL sessions in the file without the need for the private key.
(multiple session keys in the debug file will be converted)
answered 10 Apr '13, 08:11
edited 10 Apr '13, 08:27
Thanks Kurt and SYN-bit for your quick responses. @SYN-bit can we generate the session key using batch scripting??
(10 Apr '13, 22:10) Amby
(please use "add a comment" to respond to given answers, see the FAQ for details)
Yes, you can use bash scripting to extract the session keys from a bunch of tracefiles. You can loop through your files with a "for" loop and then for each file call the command from @Kurt's answer and then call my command sequence to extract the session keys from the ssl-debug file.
(11 Apr '13, 01:13) SYN-bit ♦♦
by batch scripting, do you mean Windows batch scripting?
If yes, I recommend to look at powershell.
(11 Apr '13, 02:43) Kurt Knochner ♦
Nice catch @Kurt, I am not using windows much anymore, so I kinda have a bias in my answers.
@Amby, you could use Cygwin on windows to have a bash shell and the then you can use my 'script' on a Windows machine too. But powershell should be able to do the ssame, I am just not familiar enough with it to convert my 'script' into powershell commands...
(11 Apr '13, 02:54) SYN-bit ♦♦
If VMware Workstation wasn't such a pain in the a.. on Linux (i.e. forced to recompile all modules after a kernel update, etc.), I would probably use Linux as a Desktop system ;-) Unless that changes, Windows 7 is my preferred VMWare Workstation Host, of course dual booted with Linux :-)
(11 Apr '13, 03:22) Kurt Knochner ♦
Unfortunately not, that has not (yet?) been implemented, so for now, you will need to use the Wireshark GUI to export the SSL session keys.
answered 10 Apr '13, 07:14
Guys i was able to generate SSL session key using the above hints that you gave i.e. by grepping "ssl_save_session stored session id" all i want to know that is there any chances that ssl session key what we generate from wire shark will not work to get the decrypted pcap data....
yes, if the key extraction (with a script) fails (missing some bytes, etc.). Does it work, if you extract the key manually and then use it in Wireshark?