This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

How to show ssl decrypted packet content

0

I have tried: tshark n -o ssl.keylog_file:/tmp/master.txt -Y ip.src==xxx.yyy.nnn.mmm -d tcp.port==0-999999,ssl I see this Capturing on 'eth0'

6540 56.156992382 xxx.yyy.nnn.mmm -> 192.168.1.2  TCP 74 7072 → 49188 [SYN, ACK] Seq=0 Ack=1 Win=8192 Len=0 MSS=1380 WS=256 SACK_PERM=1 TSval=603635523 TSecr=10839353                                              
6546 56.291147285 xxx.yyy.nnn.mmm -> 192.168.1.2  TCP 1434 [TCP segment of a reassembled PDU]              
6548 56.293045394 xxx.yyy.nnn.mmm -> 192.168.1.2  TCP 1434 [TCP segment of a reassembled PDU]              
6550 56.294313103 xxx.yyy.nnn.mmm -> 192.168.1.2  TLSv1 1300 Server Hello, Certificate, Server Hello Done  
6560 56.343469786 xxx.yyy.nnn.mmm -> 192.168.1.2  TLSv1 125 Change Cipher Spec, Encrypted Handshake Message
6575 56.785954188 xxx.yyy.nnn.mmm -> 192.168.1.2  TLSv1 231 Application Data

How can I dump the packet content as "follow tcp streamm" in wireshark already does ?

Is it possible to use something like as described in https://isc.sans.edu/forums/diary/Psst+Your+Browser+Knows+All+Your+Secrets/16415/ in such a way as to have a file decrypted packets in real time ?

This question is marked "community wiki".

asked 12 Jan '16, 11:51

famedoro's gravatar image

famedoro
11236
accept rate: 0%

edited 14 Jan '16, 00:01

Lacking your capture and the keys, I cannot answer you, I can only give a hint. I've tried with https sample capture, where you need to set a link to a file containing the RSA decryption key to get the payload decrypted, and I am not sure whether the keylog file is used the same way.

As the mappings between IP, port, payload protocol and RSA key file are not stored in the preferences file but in a separate one, they cannot (to my knowledge) be handed over to tshark using the -o parameter. But if you define these mappings using Wireshark, they get stored and tshark will use them too, without any options telling it to do so.

Now another point, the dissector to be used to the decrypted payload is not chosen automatically based on the tcp port of the encrypted packet; instead, you define it together with the mapping between ip,port, and rsa key. If you set it to "http", you'll have no single protocol field to output. So I'd recommend to set the payload "protocol" to data, and if you do so, you can use tshark options -T fields -e data. This way, you'll get the decrypted payload as hex stream without any separators. I.e. an Abc string in the decrypted payload will be output as 416263.

(13 Jan '16, 13:13) sindy

@sindy I have already shark n -o ssl.keylog_file:/tmp/master.txt -Y ip.src==xxx.yyy.nnn.mmm -d tcp.port==0-999999,ssl -T fields -e data and in this case does not show any information. Is it possible to use something like as described in https://isc.sans.edu/forums/diary/Psst+Your+Browser+Knows+All+Your+Secrets/16415/ in such a way as to have a file decrypted packets in real time ?

(14 Jan '16, 00:03) famedoro

One Answer:

0

To decrypt, as mentioned by @sindy, you must enter the key info into the SSL RSA Keys list preference in Wireshark. This will create a ssl_keys file in your preferences directory. Once this has been set up tshark will decrypt the SSL data.

For example, using the snakeoil sample capture you must enter the following into the SSL RSA Keys List preferences:

  • IP address - 127.0.0.1
  • Port - 443
  • Protocol - http
  • Key File - path to rsasnakeoil2.key
  • Password - leave blank

Loading the rsasnakeoil2.cap file into Wireshark should show the decrypted HTTP traffic. If successful, tshark can then be used to dump the stream using the -z follow, ... argument, e.g. to dump the hex and ascii of ssl stream 1:

tshark -r -rsasnakeoil2.cap -q -z follow,ssl,hex,1

===================================================================       

Follow: ssl,hex                                                           

Filter: tcp.stream eq 1                                                   

Node 0: 127.0.0.1:38714                                                   

Node 1: 127.0.0.1:443                                                     

00000000  47 45 54 20 2f 69 63 6f  6e 73 2f 64 65 62 69 61  GET /ico ns/debia
00000010  6e 2f 6f 70 65 6e 6c 6f  67 6f 2d 32 35 2e 6a 70  n/openlo go-25.jp
…

If you just want the raw hex without the offsets and ascii, use raw instead of hex in the -z argument

answered 13 Jan ‘16, 15:59

grahamb's gravatar image

grahamb ♦
19.8k330206
accept rate: 22%

@grahamb Is it possible to use something like as described in https://isc.sans.edu/forums/diary/Psst+Your+Browser+Knows+All+Your+Secrets/16415/ in such a way as to have a file decrypted packets in real time ?

(13 Jan ‘16, 23:59) famedoro

Not easily as you need to somehow retrigger Wireshark that the contents of the SSL key log file has changed, and then select the appropriate ssl stream.

(14 Jan ‘16, 00:30) grahamb ♦

@grahamb Must I use wireshark ? Is it possible to have a decrypted real time data stream using only tshark ?

(14 Jan ‘16, 01:02) famedoro

The issue is not whether you use tshark or Wireshark, the issue is the dynamic nature of the session keys. *shark doesn’t read the key log file each time it needs a value from it but only once when starting, that’s why @grahamb wrote that you’d have to tell *shark that the contents of the file has changed (and choose the right tcp stream id).

As far as I know, there is currently no “input point for asynchronous events” allowing to tell a running *shark that it should do something, nor any “watch for changes” functionality of the *shark itself.

Normally you only need to decrypt ongoing communication in real time in order to take urgent measures based on its contents, and this is an activity which a typical *shark user doesn’t perform too often. Those who need it usually work with an appropriate budget.

(14 Jan ‘16, 03:03) sindy