Hello, I have a problem with how to extract (not decrypt) the payload from SSL packets. I have tried the methods mentioned in https://ask.wireshark.org/questions/25371/how-to-extract-hex-data-from-ssl, but they didn't work. Can anyone help me? Thanks!! asked 07 Jan '16, 07:41 Leo edited 08 Jan '16, 15:57 Kurt Knochner ♦
One Answer:
"Looks" like regular SSL/TLS traffic!?! So, you want to save the highlighted (blue) part into a file? If so, just right-click the frame, choose Follow TCP Stream, then select Raw and Save as. But I doubt that you will get any 'data file', as this really looks like SSL/TLS protocol data. Anyway, hard to tell without access to the pcap file... Regards answered 09 Jan '16, 11:50 Kurt Knochner ♦

Thanks a lot for your reply! Yes, I can use the method you described: choose Follow TCP Stream, then select Raw and Save as (the diagram is below). My next question is how to extract that information and output it in hex form with tshark.exe or other tools (because I have lots of packet files)? Thanks!! (09 Jan '16, 19:14) Leo

BTW, you are right! The sample in the diagram is regular SSL/TLS traffic; I just used it as an example, it is not the real malicious traffic. Thanks!! (09 Jan '16, 19:20) Leo

Please see my answer to a similar question: You can try to work with the option -z follow,tcp,hex, or these:
(10 Jan '16, 07:12) Kurt Knochner ♦

Thanks for your reply!! I will keep trying it! (11 Jan '16, 07:37) Leo

Good luck. Hint: If a supplied answer resolves your question, can you please "accept" it by clicking the checkmark icon next to it. This highlights good answers for the benefit of subsequent users with the same or similar questions. For extra points you can upvote the answer (thumbs up). (11 Jan '16, 08:06) Kurt Knochner ♦
What payload are you referring to? The decrypted SSL data from the Application Data records, all TLS-related packets (the TCP payload) or something else?
The payload is the whole data we can see in the "Secure Socket Layer". Is that possible? Thanks!
I still don't understand if you want to get the SSL protocol data or the decrypted payload. Can you please elaborate?
Actually, I am analyzing packets created by malware. It uses TCP port 443 to send data, and I found that it does not follow the standard SSL protocol. The victims' stolen data were in the Secure Socket Layer just like the diagram below, so I want to extract it and output it to a file. Is that possible? Thanks!
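An added example for the situation the thread ends on (raw record-layer bytes from a stream on port 443 that may not be well-formed TLS); this is not code from the thread or from Wireshark. It takes the bytes saved with Follow TCP Stream > Raw > Save as, splits them into TLS records without decrypting anything, prints each record's payload in hex, and reports any remainder that does not start with a valid record header. The file name, function names and sample bytes are assumptions made here.

```python
import struct
import sys

# TLS record-layer content types (RFC 5246, section 6.2.1)
CONTENT_TYPES = {20: "change_cipher_spec", 21: "alert", 22: "handshake", 23: "application_data"}
MAX_RECORD_LEN = 2**14 + 2048  # ciphertext length limit from RFC 5246


def parse_tls_records(stream: bytes):
    """Split one direction of a raw TCP stream into TLS records (no decryption).

    Returns (records, trailing): records is a list of dicts with the offset,
    content type, version, length and hex payload of each well-formed record;
    trailing holds everything from the first byte sequence that is not a valid
    record header, so non-standard traffic on port 443 still yields its bytes.
    """
    records, offset = [], 0
    while offset + 5 <= len(stream):
        ctype, major, minor, length = struct.unpack("!BBBH", stream[offset:offset + 5])
        well_formed = (ctype in CONTENT_TYPES and major == 3 and minor <= 4
                       and length <= MAX_RECORD_LEN and offset + 5 + length <= len(stream))
        if not well_formed:
            break
        payload = stream[offset + 5:offset + 5 + length]
        records.append({"offset": offset, "type": CONTENT_TYPES[ctype],
                        "version": f"{major}.{minor}", "length": length, "hex": payload.hex()})
        offset += 5 + length
    return records, stream[offset:]


def report(stream: bytes):
    """One text line per record, plus a final line for any non-TLS remainder."""
    records, trailing = parse_tls_records(stream)
    lines = [f"{r['offset']:06x} {r['type']:<18} v{r['version']} len={r['length']:<5} {r['hex']}"
             for r in records]
    if trailing:
        lines.append(f"{len(stream) - len(trailing):06x} NOT-TLS            "
                     f"len={len(trailing):<5} {trailing.hex()}")
    return lines


# Constructed sample: a handshake record (TLS 1.0), an application_data record
# (TLS 1.2), then bytes that do not form a valid TLS record header.
SAMPLE_STREAM = (bytes.fromhex("160301000401000000")
                 + bytes.fromhex("17030300050102030405")
                 + bytes.fromhex("deadbeefcafe"))

if __name__ == "__main__":
    # Usage: python tls_records.py stream.bin  (stream.bin from Follow TCP Stream > Raw > Save as)
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE_STREAM
    print("\n".join(report(data)))
```

For many capture files, the same split can be driven from tshark output: save each stream with `-z follow,tcp,raw` and feed the resulting bytes to `report()` in a loop.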