Hello, I am trying to use tshark from the command line to get unencrypted TLS packets. I want to do this with the SSLKEYLOGFILE of session keys like you would do through the Wireshark interface. Does anyone know how to do this? Thanks
asked 22 May '17, 10:05 yogidmt
One Answer:
See the SSL page on the Wiki, the tshark commands you require are shown there.
answered 22 May '17, 10:33 grahamb ♦
Any chance you could provide some more info? I read through that a few times and I'm still kind of confused as to what I should do. I have an SSLKEYLOGFILE with session keys, not an RSA private key.
So what have you tried?
Use -o ssl.key_logfile:path/to/keys.log to specify the key log file instead of the ssl.keys_list element.
I tried this... tshark -o "ssl.desegment_ssl_records: TRUE" -o "ssl.desegment_ssl_application_data: TRUE" -o "ssl.keys_list: 104.123.15.136,4443,data,C:/users/ben/desktop/sslkeylog.log" -i eth0 -Y "tcp.port == 4443"
It's saying it can't load key and eth0 isn't a valid interface. Also I assume the ip/port information is for the server sending me data? Not the port on my machine data is coming in on?
Looks like you're trying to live-decode traffic by specifying an interface - decoding SSL with a keylogfile only works on recorded traffic (pcap) as far as I know. Both keylog and pcap must contain the same session details, and then you can read and decode the pcap using the keylog file.
I mean I'd prefer to record live traffic, what would be the difference between recording it and decoding as opposed to recording it directly?
The live packets may come in before the key log file is updated. Wireshark running live can't "go back" in the incoming packet stream.
Is there any way to do what I'm trying to do then? Read incoming TLS packets in somewhat of real time?
Maybe use a MitM approach e.g. Fiddler?
I am the client though, I wouldn't be trying to intercept packets, I just want to read the ones that come to me.
Fiddler allows that (on Windows). What OS are you using?
I'll have to check that out. I'm on Win10
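The thread's point that "keylog and pcap must contain the same session details" can be checked before running tshark: the key log is keyed by the 32-byte ClientHello random, which tshark prints with -T fields -e tls.handshake.random (Wireshark 3.x; the ssl.* names in 2.x), and decoding then uses -o tls.keylog_file:path (ssl.keylog_file in 2.x). The script below is an added example, not code from the thread or from Wireshark; it parses an SSLKEYLOGFILE, flags malformed lines, and reports which captured sessions the log covers, with all sample data constructed inline.

```python
"""Check an SSLKEYLOGFILE against the ClientHello randoms seen in a capture."""
import re

# Record labels Wireshark understands; each is keyed by the ClientHello random.
KEYLOG_LABELS = {
    "CLIENT_RANDOM",                    # TLS 1.0-1.2 master secret
    "CLIENT_HANDSHAKE_TRAFFIC_SECRET",  # TLS 1.3 secrets follow
    "SERVER_HANDSHAKE_TRAFFIC_SECRET",
    "CLIENT_TRAFFIC_SECRET_0",
    "SERVER_TRAFFIC_SECRET_0",
    "EXPORTER_SECRET",
}
# <label> <client_random: 32 bytes hex> <secret: hex>
LINE_RE = re.compile(r"^([A-Z_0-9]+) ([0-9a-fA-F]{64}) ([0-9a-fA-F]+)$")


def parse_keylog(text):
    """Return ({client_random_hex: {labels}}, [line numbers that are malformed])."""
    sessions, bad = {}, []
    for lineno, line in enumerate(text.splitlines(), 1):
        line = line.strip()
        if not line or line.startswith("#"):
            continue                      # comments and blank lines are allowed
        m = LINE_RE.match(line)
        if not m or m.group(1) not in KEYLOG_LABELS:
            bad.append(lineno)            # Wireshark would skip this line too
            continue
        label, client_random, _secret = m.groups()
        sessions.setdefault(client_random.lower(), set()).add(label)
    return sessions, bad


def coverage(keylog_text, capture_randoms):
    """Split ClientHello randoms from the capture into decryptable / missing."""
    sessions, _ = parse_keylog(keylog_text)
    randoms = {r.lower() for r in capture_randoms}
    covered = sorted(r for r in randoms if r in sessions)
    missing = sorted(randoms - sessions.keys())
    return covered, missing


# Constructed sample data: a key log with two sessions and one broken line,
# plus three randoms as tshark would print them from a capture.
SAMPLE_KEYLOG = "\n".join([
    "# SSL/TLS secrets log file, generated by NSS",
    "CLIENT_RANDOM " + "a1" * 32 + " " + "b2" * 48,
    "CLIENT_TRAFFIC_SECRET_0 " + "c3" * 32 + " " + "d4" * 32,
    "CLIENT_RANDOM truncated-garbage",
])
SAMPLE_RANDOMS = ["a1" * 32, "c3" * 32, "e5" * 32]

if __name__ == "__main__":
    covered, missing = coverage(SAMPLE_KEYLOG, SAMPLE_RANDOMS)
    print("decryptable sessions:", len(covered), "missing keys:", len(missing))
```

A session listed under "missing" will stay encrypted no matter which -o option is used, which is the usual cause of "it loaded the key log but nothing decrypted".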