This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

tshark is decrypting data but output pcap file still has encrypted data


I want to have pcap file with decrypted SSL data in it. I am running tshark like this-

tshark -o "ssl.desegment_ssl_records: TRUE" -o "ssl.desegment_ssl_application_data: TRUE" -o "ssl.keys_list:192.168.56.101,443,http,/etc/nginx/cert.key" -o "ssl.debug_file:/tmp/ssl.log" tcp port 443 -w /tmp/ssl.pcap

When I review the /tmp/ssl.log file I can see that decryption is happening just fine. I can see plaintext data in it (ssl.log), but when I open /tmp/ssl.pcap in Wireshark I observe that tshark is not putting plaintext data in it.

Is this expected behaviour? If so, how do I go about getting plaintext data directly into the pcap file?

Version info

Linux Kernel - Linux debian1 3.2.0-4-amd64

Distribution - Debian Stable

TShark version - 1.8.2

asked 22 Oct '14, 03:03


gauravphoenix


2 Answers:


Yep, that's expected: the data is only decrypted for display purposes; the packets written to the output file are those from the input that have passed any supplied filters.

Think about what you're asking for: the protocols in your capture were originally something like ethernet -> ip -> tcp -> ssl -> payload, and you now want to "remove" the ssl layer and end up with ethernet -> ip -> tcp -> payload, so all the headers of the protocols underlying the ssl payload would need to be adjusted for lengths, checksums, sequence numbers etc.

You could use tshark to output the decrypted text and then use some other application to stuff that back into a pcap to give you the required info, but I don't know what the "other application" is.

answered 22 Oct '14, 03:25


grahamb ♦

Thanks for detailed answer. What is the most elegant way for saving plaintext data from tshark?

(22 Oct '14, 03:29) gauravphoenix

Depends on how you want to process it; you can use plain text, csv, psml, pdml or postscript, and probably hex as well.

You could also limit the output to just the payload protocol.

(22 Oct '14, 03:57) grahamb ♦

Wireshark's Export PDU function can export the decrypted layer above SSL to a pcap file, retaining meta information of the packets like the src/dst IP of the original frame etc. But it's not available from tshark yet.

(22 Oct '14, 05:04) Anders ♦
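An added example, not code from the thread above nor from Wireshark, of the "other application" Graham describes: it takes plaintext that tshark has already recovered and writes it back into a pcap as ethernet -> ip -> tcp -> payload, rebuilding the IP total length, IP and TCP checksums and the per-direction sequence/ack numbers that the answer says must change once the ssl layer is gone. MAC addresses, IPs, ports, initial sequence numbers and timestamps are constructed values.

```python
# Added example (not from the thread): constructed MACs/IPs/ports/timestamps.
import struct

def checksum(data: bytes) -> int:
    """RFC 1071 one's-complement checksum; validates to 0 over a correct header."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def build_frame(src_ip, sport, dst_ip, dport, seq, ack, payload: bytes) -> bytes:
    """Ethernet + IPv4 + TCP (PSH/ACK) frame whose TCP payload is `payload` as-is."""
    src, dst = (bytes(int(o) for o in ip.split(".")) for ip in (src_ip, dst_ip))
    tcp_len = 20 + len(payload)
    # IPv4: total length covers IP + TCP header + plaintext; checksum filled in after
    ip_hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + tcp_len, 1, 0, 64, 6, 0, src, dst)
    ip_hdr = ip_hdr[:10] + struct.pack("!H", checksum(ip_hdr)) + ip_hdr[12:]
    # TCP: data offset 5 words, flags PSH|ACK, checksum over pseudo-header + segment
    tcp_hdr = struct.pack("!HHIIBBHHH", sport, dport, seq, ack, 5 << 4, 0x18, 65535, 0, 0)
    pseudo = src + dst + struct.pack("!BBH", 0, 6, tcp_len)
    tcp_hdr = tcp_hdr[:16] + struct.pack("!H", checksum(pseudo + tcp_hdr + payload)) + tcp_hdr[18:]
    return b"\x00" * 12 + b"\x08\x00" + ip_hdr + tcp_hdr + payload  # zero MACs, EtherType IPv4

def frame_is_consistent(frame: bytes) -> bool:
    """What a dissector checks: IP total length, IP checksum, TCP checksum."""
    ip, tcp = frame[14:34], frame[34:]
    pseudo = ip[12:20] + struct.pack("!BBH", 0, 6, len(tcp))
    return (struct.unpack("!H", ip[2:4])[0] == len(ip) + len(tcp)
            and checksum(ip) == 0 and checksum(pseudo + tcp) == 0)

def plaintext_to_frames(client, server, messages):
    """messages: [(from_client, plaintext), ...] in wire order; seq/ack tracked
    per direction so Wireshark reassembles one stream. Point the server side at
    port 80 (not 443) so the plaintext dissects as HTTP instead of SSL."""
    seq = {True: 1000, False: 5000}  # constructed initial sequence numbers
    frames = []
    for from_client, data in messages:
        src, dst = (client, server) if from_client else (server, client)
        frames.append(build_frame(*src, *dst, seq[from_client], seq[not from_client], data))
        seq[from_client] += len(data)
    return frames

def pcap_bytes(frames) -> bytes:
    """Classic pcap file: magic, v2.4, snaplen 65535, LINKTYPE_ETHERNET (1)."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for i, frame in enumerate(frames):  # constructed timestamps, one second apart
        out += struct.pack("<IIII", 1414000000 + i, 0, len(frame), len(frame)) + frame
    return out
```

Write `pcap_bytes(plaintext_to_frames(...))` to a file and open it in Wireshark; because the rebuilt headers are self-consistent, the TCP checksum validation and stream reassembly succeed and the payload is dissected as plain HTTP.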


As Graham said, this is expected.

But if you can use the GUI then you have access to the "Export PDUs to file" function (under the File menu) which allows you to export decrypted packets into a new PCAP file.

(Note, though, that new PCAP file will probably only be readable by Wireshark; other programs using the PCAP format probably won't understand Wireshark's special "exported PDUs" DLT value.)

answered 22 Oct '14, 05:11


JeffMorriss ♦