This is our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

Hello, I could really use some help here. I'm wondering how to decrypt my saved Wireshark captures that I have saved on an external HD? Where would I find the key to do this? Running Wireshark on a Mac.

asked 28 May '15, 10:37

brody's gravatar image

brody
6112
accept rate: 0%

which protocol are you trying to decrypt? The steps are totally different for IKE/ESP, Wifi, SSL, etc.

(29 May '15, 07:20) Kurt Knochner ♦

Hi Kurt,

I'm trying to decrypt TCP packets. I'm doing the forensics on a fraud case, and the only evidence that the business has are the Wireshark captures that need to be analyzed and hopefully decrypted. If you need a screen shot let me know. Thank you for your help.

(29 May '15, 09:41) brody

TCP is not an encrypted protocol. Do you mean the TCP payload is encrypted? What protocol is it on top of TCP?

(29 May '15, 10:58) Jasper ♦♦

Jasper, I'm not exactly sure which protocol is on top of the TCP. Where exactly would I find this? Thank you.

(29 May '15, 11:43) brody

Well, usually by looking at the port number the SYN is sent to (which would be the server port). If you're lucky, it's a well known port (e.g. 80 for HTTP) - if not, you can only try to determine the protocol by looking at the actual payload. Maybe you can spot a pattern and google for it. If it's really encrypted (meaning, the payload bytes have a high entropy) you're most likely out of luck.

If you want I can take a look - sent a screen shot to [email protected] (since I guess you can't share the PCAP). Please make sure that the hex decode is visible as well as the packet list and the decode pane.

(30 May '15, 03:56) Jasper ♦♦

I'm not exactly sure which protocol is on top of the TCP.

O.K. sounds like you don't know much about your traffic, which (probably) implies that you don't have the keys to decrypt the traffic either.

Without knowing the protocol and without having the keys it's impossible to decrypt anything.

So, if you want any meaningfull answer, please add more details to your question

  • which protocol do you want to deecrypt (ESP, HTTPS, wlan, etc.)?
  • how do you know the data is encrypted? How was it encryted?
  • do you have the keys to decrypt the traffic?
  • etc.

Regards
Kurt

(30 May '15, 08:02) Kurt Knochner ♦

@Kurt: if it's a forensic investigation in a fraud case it's highly unlikely that its "his traffic" :-) Usually a case officer that gets something with the task to "find someting", at least in my experience. More often than not it involves reverse engineering/educated guessing of unknown contents, because little to nothing is known about the network, servers or applications involved.

(30 May '15, 10:39) Jasper ♦♦

if it's a forensic investigation in a fraud case

I've read that, but if the OP is doing Forensics, he/she should know what to look for, otherwise it's going to be a tough experience :-)

Futhermore: If this is a forensic issue, he won't have the keys to decrypt anything, maybe except access to the companies web servers. So, the whole decrypt "TCP traffic" story sounds a bit fruitless to me. That's why I was asking some "probing" questions ;-)

(01 Jun '15, 05:43) Kurt Knochner ♦

I saw what he got. It's just TCP SYN packets, nothing special to decode :-)

(01 Jun '15, 07:20) Jasper ♦♦

well... decode and decrypt seems to be the same for some people ;-)

I'd strongly suggest to hire a prefessional froensics expert, instead of trying to do it on their own....

(01 Jun '15, 07:36) Kurt Knochner ♦
showing 5 of 10 show 5 more comments
Be the first one to answer this question!
toggle preview

Follow this question

By Email:

Once you sign in you will be able to subscribe for any updates here

By RSS:

Answers

Answers and Comments

Markdown Basics

  • *italic* or _italic_
  • **bold** or __bold__
  • link:[text](http://url.com/ "title")
  • image?![alt text](/path/img.jpg "title")
  • numbered list: 1. Foo 2. Bar
  • to add a line break simply add two spaces to where you would like the new line to be.
  • basic HTML tags are also supported

Question tags:

×56

question asked: 28 May '15, 10:37

question was seen: 1,584 times

last updated: 01 Jun '15, 07:36

p​o​w​e​r​e​d by O​S​Q​A