This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

use tshark with SSLKEYLOGFILE to get decrypted tls data

0

Hello, i am trying to use tshark from the command line to get unecrypted TLS packets. I want to do this with the SSLKEYLOGFILE of session keys like you would do through the wireshark interface. Does anyone know how to do this? Thanks

asked 22 May '17, 10:05

yogidmt's gravatar image

yogidmt
6223
accept rate: 0%

One Answer:

2

See the SSL page on the Wiki, the tshark commands you require are shown there.

answered 22 May '17, 10:33

grahamb's gravatar image

grahamb ♦
19.8k330206
accept rate: 22%

Any chance you could provide some more info? I read through that a few times and i'm still kind of confused as to what i should do. I have an SSLKEYLOGFILE with session keys, not an RSA private key.

(22 May '17, 11:48) yogidmt
1

So what have you tried?

Use -o ssl.key_logfile:path/to/keys.log to specify the key log file instead of the ssl.keys_list element.

(22 May '17, 15:00) grahamb ♦

I tried this... tshark -o "ssl.desegment_ssl_records: TRUE" -o "ssl.desegment_ssl_application_data: TRUE" -o "ssl.keys_list: 104.123.15.136,4443,data,C:/users/ben/desktop/sslkeylog.log" -i eth0 -Y "tcp.port == 4443"

It's saying it can't load key and eth0 isn't a valid interface. Also i assume the ip/port information is for the server sending me data? not the port on my machine data is coming in on?

(23 May '17, 17:53) yogidmt

Looks like you're trying to live-decode traffic by specifying an interface - decoding SSL with a keylogfile only works on recorded traffic (pcap) as far as I know. Both keylog and pcap must be containing the same session details, and then you can read and decoded the pcap using the keylog file.

(24 May '17, 01:42) Jasper ♦♦

I mean i'd prefer to record live traffic, what would be the difference between recording it and decoding as opposed to recording it directly?

(24 May '17, 05:33) yogidmt

The live packets may come in before the key log file is updated. Wireshark running live can't "go back" in the incoming packet stream.

(24 May '17, 05:49) grahamb ♦

Is there any way to do what i'm trying to do then? Read incoming TLS packets in somewhat of real time?

(24 May '17, 06:13) yogidmt

Maybe use a MitM approach e.g. Fiddler?

(24 May '17, 06:18) grahamb ♦

I am the client though, i wouldn't be trying to intercept packets i just want to read the one's that come to me.

(24 May '17, 07:03) yogidmt

Fiddler allows that (on Windows). What OS are you using?

(24 May '17, 07:45) grahamb ♦

I'll have to check that out. I'm on Win10

(24 May '17, 11:18) yogidmt
showing 5 of 11 show 6 more comments