This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

Https dumpcap decryption

0

Hi, Ive recently had a dumpcap file created using my usual standard way and realised that the capture has https packets within it. Is there any way i can get to see what information is in here. Ive read up a bit on it and they advise that you need the public key from the location your wanting information and the private key from the device. Unfortunatly theae are wireless captures, is there anything that can be done to read this old capture? Many thanks

asked 02 Apr '17, 13:27

msriptide's gravatar image

msriptide
16447
accept rate: 0%


One Answer:

0

It is the specific intention of these methods that you can't do that, so no, there's nothing practical that can be done.

answered 02 Apr '17, 23:18

Jaap's gravatar image

Jaap ♦
11.7k16101
accept rate: 14%

Ah, ok. Then is there any idiots guides to setting it up so i can get these during live capture. Ive seen some about setting up ssl within preferences to log some info. Just to give a bit of extra information, im running this on a ubuntu linux setup using wireless monitor mode. Ive seen one where you can set womething up if using a static cqpture under windows but i couldnt find anything moe

(02 Apr '17, 23:53) msriptide

Some links:

https://wiki.wireshark.org/SSL

https://support.citrix.com/article/CTX116557

https://jimshaver.net/2015/02/11/decrypting-tls-browser-traffic-with-wireshark-the-easy-way/

http://packetpushers.net/using-wireshark-to-decode-ssltls-packets/

https://www.trustwave.com/Resources/SpiderLabs-Blog/Intercepting-SSL-And-HTTPS-Traffic-With-mitmproxy-and-SSLsplit/

I am not sure if you discovered issues with both WPA2 decryption and then applying TLS decryption. I would expect it should work but have not tested it. If there are issues, there are some other techniques that could be used to massage the raw data into a form that might work. See,for instance,

https://www.aircrack-ng.org/doku.php?id=airdecap-ng

(03 Apr '17, 03:57) Bob Jones

Hi, Thanks for replying, i've only just realised there was an answer here. I've read most of the information that i can find and i don't think im going to be able to sort that out. i've abandoned the old captures and just wanted to concentrate on any new ones. I've had no problems with the captures i've been getting but i've realised that recently there are alot of packets that have just the one information for a website and then stop. i've realised that this is because those sites are Https. because im capturing in wireless monitor mode to get everything going in and out of the network i don't knwo if there is any way for me to get any of the keys needed, and i really think im stuck for getting anything to decrypt. Do you know of any way i could sort this. i really don't want to resort to man in the middle. many thanks

(05 Apr '17, 11:34) msriptide

Oh and as a side note i dont really want to do a mitmproxy link as i don't have my computer on all the time (its a laptop) so cant set it as a proxy on the mobile device as it wont be able to connect. Any help would be appreciated.

(06 Apr '17, 09:22) msriptide

@msriptide

Your "answers" have been converted to comments as that's how this site works. Please read the FAQ for more information.

(06 Apr '17, 09:38) grahamb ♦