This is our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

Hello, I have a problem with how to extract (not decrypt) the payload from SSL packets. I have tried the methods mentioned in https://ask.wireshark.org/questions/25371/how-to-extract-hex-data-from-ssl, but it didn't work. Is there anyone who can help me? Thanks!!

asked 07 Jan '16, 07:41

Leo

edited 08 Jan '16, 15:57

Kurt Knochner ♦

What payload are you referring to? The decrypted SSL data from the Application Data records, all TLS-related packets (the TCP payload) or something else?

(07 Jan '16, 12:09) Lekensteyn

The payload is the whole data we can see in the "Secure Socket Layer". Is that possible? Thanks!

(07 Jan '16, 15:24) Leo

I still don't understand if you want to get the SSL protocol data or the decrypted payload. Can you please elaborate?

(08 Jan '16, 15:57) Kurt Knochner ♦

Actually, I am analyzing the packets created by malware. It uses TCP port 443 to send data, and I found it did not follow the standard SSL protocol. The victims' stolen data were in the Secure Socket Layer just like the diagram below, so I want to extract it and output it to a file. Is that possible? Thanks!

(09 Jan '16, 06:51) Leo


"Looks" like regular SSL/TLS traffic !?! So, you want to save the highlighted (blue) part into a file? If so, just right click the frame, choose Follow TCP Stream and then select Raw and Save as.

But I doubt that you will get any 'data file', as this really looks like SSL/TLS protocol data. Anyway, hard to tell without access to the pcap file...

Regards
Kurt

answered 09 Jan '16, 11:50

Kurt Knochner ♦

Thanks a lot for your reply! Yes, I can use the method you described, choosing Follow TCP Stream and then selecting Raw and Save as (the diagram is below). My next question is how to extract that information and output it in hex form with tshark.exe or other tools (because I have lots of packet files)? Thanks!!

(09 Jan '16, 19:14) Leo

BTW, you are right! The sample in the diagram is regular SSL/TLS traffic; I just used it as an example, it is not the real malicious traffic. Thanks!!

(09 Jan '16, 19:20) Leo

Thanks for your reply!! I will keep trying it!

(11 Jan '16, 07:37) Leo

Good luck.

Hint: If a supplied answer resolves your question can you please "accept" it by clicking the checkmark icon next to it. This highlights good answers for the benefit of subsequent users with the same or similar questions. For extra points you can up vote the answer (thumb up).

(11 Jan '16, 08:06) Kurt Knochner ♦
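
An added example, not part of the original thread and not Wireshark code: one way to turn saved raw streams into hex for many files without decrypting anything. It assumes each input file holds one direction of a stream saved with Follow TCP Stream, Raw, Save as; it walks the 5-byte TLS record headers and reports bytes that do not parse as records as `NON_TLS`. The function names and the sample bytes are constructed for illustration.

```python
import struct
import sys

# TLS record content types (RFC 5246, section 6.2.1)
CONTENT_TYPES = {20: "change_cipher_spec", 21: "alert",
                 22: "handshake", 23: "application_data"}
MAX_RECORD_LEN = 2 ** 14 + 2048   # upper bound for a TLS 1.2 ciphertext record


def split_records(stream: bytes):
    """Walk a raw TCP stream and return (records, leftover).

    Assumption: `stream` is one direction of a reassembled TCP stream.
    records  -- list of (type_name, version, payload_hex); payload stays encrypted
    leftover -- bytes from the first offset that does not parse as a TLS record
    """
    records, pos = [], 0
    while pos + 5 <= len(stream):
        ctype, major, minor, length = struct.unpack_from("!BBBH", stream, pos)
        if ctype not in CONTENT_TYPES or major != 3 or length > MAX_RECORD_LEN:
            break                       # header is not a TLS record header
        body = stream[pos + 5:pos + 5 + length]
        if len(body) < length:
            break                       # capture ends inside this record
        records.append((CONTENT_TYPES[ctype], f"{major}.{minor}", body.hex()))
        pos += 5 + length
    return records, stream[pos:]


def dump(path: str) -> None:
    """Print one tab-separated line per record found in the file at `path`."""
    with open(path, "rb") as fh:
        records, leftover = split_records(fh.read())
    for name, version, payload_hex in records:
        print(f"{path}\t{name}\t{version}\t{payload_hex}")
    if leftover:
        print(f"{path}\tNON_TLS\t-\t{leftover.hex()}")


# Constructed sample: one well-formed application_data record followed by
# bytes that do not follow the record format.
SAMPLE = bytes.fromhex("1703030004deadbeef") + b"GET /x"

if __name__ == "__main__":
    for p in sys.argv[1:]:
        dump(p)
```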
question asked: 07 Jan '16, 07:41

question was seen: 7,512 times

last updated: 11 Jan '16, 08:06
