
Hello,

I have the following setup:

An Android Emulator which uses mitmproxy on localhost:8080 and mitmproxy is intercepting the SSL traffic by providing a custom certificate.

This works. That means I can follow and analyze the intercepted SSL traffic in the mitmproxy console.

What I would like to do now is to sniff the traffic between the Emulator and mitmproxy (which uses the spoof certificate) and then use this certificate to decrypt the captured traffic.

The problem is that there are a couple of things I am uncertain of. For example how do I filter for that traffic? I tried (ip.dst == 127.0.0.1 || ip.src == 127.0.0.1) - but this does not contain any test requests via http but mostly small TCP packets.

The next question is: how do I have to configure the SSL Decrypt in Wireshark? (Edit / Preferences / Protocols / SSL / RSA keys list)

I am absolutely unsure as to what ...

  • IP address
  • port
  • protocol
  • key file

... to use.

In the mitmproxy certificates folder the following files are available:

  • mitmproxy-ca-cert.cer
  • mitmproxy-ca-cert.p12
  • mitmproxy-ca-cert.pem
  • mitmproxy-ca.pem
  • mitmproxy-dhparam.pem

I hope the question is not too long and confusing. I'll happily clarify if anything is unclear and am grateful for hints.

Thanks

asked 10 Feb '16, 03:47

Raffael1984

edited 10 Feb '16, 03:47


What I would like to do now is to sniff the traffic between the Emulator and mitmproxy (which uses the spoof certificate) and then use this certificate to decrypt the captured traffic.

For example how do I filter for that traffic [between the Emulator and mitmproxy]?

You likely have to capture from the loopback interface. Capturing from 127.0.0.1 on the LAN adapter is ineffective as packets never leave your machine via that interface.

How do I have to configure the SSL Decrypt in Wireshark? (Edit / Preferences / Protocols / SSL / RSA keys list)

See https://wiki.wireshark.org/SSL#SSL_dissection_in_Wireshark. The IP, port and protocol fields are not that important. You could set for example any, 443 and http respectively.

According to the mitmproxy docs, mitmproxy-ca.pem contains the private key for the CA, but these are only used to sign leaf certificates. The same page suggests that dummy certificates are generated on the fly. If these use the same key as the CA, then you can use the mitmproxy-ca.pem file as Key File.

It can be much easier though to configure SSL Key log files instead, see http://mitmproxy.org/doc/dev/sslkeylogfile.html for instructions.


answered 10 Feb '16, 04:13

Lekensteyn
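As an added illustration of the key log route recommended in the answer above (example code written for this page, not code from the question, the answer, mitmproxy or Wireshark), the following Python reproduces what Wireshark does with a key log file: it parses the NSS key log format that mitmproxy writes when the SSLKEYLOGFILE environment variable is set (the format Wireshark reads via the "(Pre)-Master-Secret log filename" preference under Edit / Preferences / Protocols / SSL, called TLS in newer versions), pulls the 32-byte Random out of a captured ClientHello, and looks that Random up to find the session's master secret. The key log contents, the client random, the master secret and the ClientHello record are all constructed sample values, not data from a real capture, and the ClientHello builder is a minimal hypothetical helper that emits no extensions.

```python
import struct

# Constructed sample values (not from a real session or capture).
SAMPLE_CLIENT_RANDOM = bytes(range(32))
SAMPLE_MASTER_SECRET = bytes(range(48))
SAMPLE_KEYLOG = (
    "# constructed key log in NSS format; comment lines are allowed\n"
    f"CLIENT_RANDOM {SAMPLE_CLIENT_RANDOM.hex()} {SAMPLE_MASTER_SECRET.hex()}\n"
    "\n"
)

# Labels Wireshark understands and the secret sizes each may carry: a TLS 1.2
# master secret is 48 bytes; TLS 1.3 traffic secrets are the handshake hash
# length, 32 (SHA-256) or 48 (SHA-384) bytes.
SECRET_LENGTHS = {
    "CLIENT_RANDOM": (48,),
    "CLIENT_EARLY_TRAFFIC_SECRET": (32, 48),
    "CLIENT_HANDSHAKE_TRAFFIC_SECRET": (32, 48),
    "SERVER_HANDSHAKE_TRAFFIC_SECRET": (32, 48),
    "CLIENT_TRAFFIC_SECRET_0": (32, 48),
    "SERVER_TRAFFIC_SECRET_0": (32, 48),
    "EXPORTER_SECRET": (32, 48),
}


def parse_keylog(text):
    """Parse NSS key log text into {(label, client_random): secret}.

    Blank lines and '#' comments are skipped. Malformed entries raise
    ValueError so a truncated or mis-edited log is noticed instead of
    silently leaving sessions undecrypted in Wireshark.
    """
    entries = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split()
        if len(parts) != 3:
            raise ValueError(f"line {lineno}: expected 'LABEL client_random secret'")
        label, random_hex, secret_hex = parts
        if label not in SECRET_LENGTHS:
            raise ValueError(f"line {lineno}: unknown label {label!r}")
        try:
            client_random = bytes.fromhex(random_hex)
            secret = bytes.fromhex(secret_hex)
        except ValueError as exc:
            raise ValueError(f"line {lineno}: bad hex ({exc})") from None
        if len(client_random) != 32:
            raise ValueError(f"line {lineno}: client_random must be 32 bytes")
        if len(secret) not in SECRET_LENGTHS[label]:
            raise ValueError(f"line {lineno}: {label} secret has length {len(secret)}")
        entries[(label, client_random)] = secret
    return entries


def client_random_from_record(record):
    """Return the 32-byte Random from a TLS record carrying a ClientHello.

    Layout: record header (type 1, version 2, length 2), handshake header
    (type 1, length 3), then ClientHello: legacy_version 2, random 32, ...
    """
    if len(record) < 5 + 4 + 2 + 32:
        raise ValueError("record too short for a ClientHello")
    content_type, _version, record_len = struct.unpack("!BHH", record[:5])
    if content_type != 22:
        raise ValueError("not a handshake record")
    handshake = record[5:5 + record_len]
    if len(handshake) < 4 + 34 or handshake[0] != 1:
        raise ValueError("not a ClientHello")
    body_len = int.from_bytes(handshake[1:4], "big")
    body = handshake[4:4 + body_len]
    return body[2:34]


def build_client_hello(client_random, cipher_suites=(0xC02F,)):
    """Hypothetical helper: a minimal ClientHello record (constructed test input, no extensions)."""
    body = b"\x03\x03" + client_random  # legacy_version TLS 1.2, then random
    body += b"\x00"                      # empty session_id
    suites = b"".join(struct.pack("!H", s) for s in cipher_suites)
    body += struct.pack("!H", len(suites)) + suites
    body += b"\x01\x00"                  # one compression method: null
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake


def find_master_secret(entries, record):
    """The per-session lookup Wireshark performs; None means the session stays encrypted."""
    return entries.get(("CLIENT_RANDOM", client_random_from_record(record)))


if __name__ == "__main__":
    keys = parse_keylog(SAMPLE_KEYLOG)
    hello = build_client_hello(SAMPLE_CLIENT_RANDOM)
    print("matched secret:", find_master_secret(keys, hello).hex())
    print("unknown session:", find_master_secret(keys, build_client_hello(bytes(32))))
```

The lookup is keyed only on the ClientHello Random, which is why the IP, port and key-file fields matter so little on this path: any session whose Random appears in the log can be decrypted regardless of which process or port it was captured on. It is also why the key log is more robust than the RSA keys list: a private key can only recover the premaster secret for RSA key exchange, whereas with (EC)DHE cipher suites (the case mitmproxy's mitmproxy-dhparam.pem exists for) the private key alone gives Wireshark nothing to decrypt with, while the logged master secret works for both.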

The loopback interface is not working. If I visit e.g. http://m.heise.de then (definitely) directly related packets are captured - but all of them are of type DNS and TCP handshakes. Otherwise I should be able to find HTML content by searching for text I see on the web site in the emulator (given that the communication is unencrypted in this example).

(10 Feb '16, 07:23) Raffael1984