This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

Couldn’t extract encrypted Application data from pcap using Perl Netpacket module

0

I tried to extract the encrypted application data using the Perl NetPacket module. I am able to see the ports but couldn't see the encrypted data. Are there any modules to see the encrypted app data, or is any unpack function required to read that?

asked 22 May '13, 23:54

Kalai
165510
accept rate: 0%

edited 23 May '13, 06:25

grahamb ♦
19.8k330206


One Answer:

1

I am able to see the ports but couldn't see the encrypted data.

Well, that depends on your code. If you post the code somewhere I'm willing to check it.

Regards
Kurt

answered 23 May '13, 01:50

Kurt Knochner ♦
24.8k1039237
accept rate: 15%

0

The code snippet is,

    use NetPacket::Ethernet;
    use NetPacket::IP qw(:protos);   # exports IP_PROTO_TCP
    use NetPacket::TCP;

    sub func {
        my ($pcapfile, $header, $pcapPacket) = @_;
        # unpack ethernet header
        my $ethObj = NetPacket::Ethernet->decode($pcapPacket);
        # unpack ip header
        my $ipObj = NetPacket::IP->decode($ethObj->{data});
        # unpack tcp header
        my $pktObj;

        if ($ipObj->{proto} == IP_PROTO_TCP) {
            $pktObj = NetPacket::TCP->decode($ipObj->{data});
            print $pktObj->{src_port};
            print $pktObj->{dest_port};
            print $pktObj->{data};   # raw payload bytes, printed as-is
        }
    }

It's printing the ports properly, but some junk values for the data. Do I need to use any unpack function to decode the SSL encrypted app data?

(23 May ‘13, 01:55) Kalai

Code looks O.K. (generally).

but some junk values for data.

That’s the binary data of the payload.

What did you expect to get?

BTW: Just a reminder. You cannot decrypt the data with NetPacket.

(23 May ‘13, 02:12) Kurt Knochner ♦

Yes, it won't decrypt. I just want to see the encrypted application data in hex like Wireshark shows. Is that possible?

(23 May ‘13, 02:18) Kalai

Yes, I am able to see it when I convert the binary data into hex values. Thanks for the input…

(23 May ‘13, 02:40) Kalai

when I convert binary data into hex value

Yes, that’s the way to do it.

(23 May ‘13, 06:20) Kurt Knochner ♦
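
The approach the thread settles on (printing the binary TCP payload as hex, the way Wireshark displays it), as an added example that is not part of the original posts. It also reads the 5-byte TLS record header so only application data records are dumped. The helper names `hexdump` and `tls_records` are hypothetical, and the sample payload is constructed; in the callback above you would pass `$pktObj->{data}` instead.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Wireshark-style dump: offset, 16 hex bytes per row, printable ASCII.
sub hexdump {
    my ($bytes) = @_;
    my $out = '';
    for (my $off = 0; $off < length $bytes; $off += 16) {
        my $chunk = substr($bytes, $off, 16);
        my $hex   = join ' ', map { sprintf '%02x', $_ } unpack 'C*', $chunk;
        (my $ascii = $chunk) =~ tr/\x20-\x7e/./c;   # non-printable -> '.'
        $out .= sprintf "%04x  %-47s  %s\n", $off, $hex, $ascii;
    }
    return $out;
}

# Walk the TLS records in one TCP payload and return the complete ones.
# Record header: content type (1 byte), version (2), length (2, big-endian).
sub tls_records {
    my ($payload) = @_;
    my @records;
    my $pos = 0;
    while (length($payload) - $pos >= 5) {
        my ($type, $version, $len) = unpack 'C n n', substr($payload, $pos, 5);
        last if $type < 20 || $type > 23;           # not one of the four core record types
        last if $pos + 5 + $len > length $payload;  # record continues in a later segment
        push @records, { type => $type, version => $version,
                         body => substr($payload, $pos + 5, $len) };
        $pos += 5 + $len;
    }
    return @records;
}

# Constructed sample standing in for $pktObj->{data}: one application data
# record (type 23, version 0x0303) carrying 20 made-up ciphertext bytes.
my $body    = pack 'H*', 'a1b2c3d4e5f60718293a4b5c6d7e8f9001234567';
my $payload = pack('C n n', 23, 0x0303, length $body) . $body;

for my $rec (tls_records($payload)) {
    next unless $rec->{type} == 23;                 # application data only
    printf "TLS application data, version 0x%04x, %d bytes\n",
        $rec->{version}, length $rec->{body};
    print hexdump($rec->{body});
}
```

A record that spans several TCP segments is skipped here because no stream reassembly is done; the dump shows ciphertext only, as NetPacket does not decrypt.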