This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

How to extract the client-sided TCP-Payload of a TLS secured connection and replay it out of a captured pcap?

0

Hello guys,

I'm not much of an expert and I'm stuck. What I wanna do is:

  • I have a captured TCP stream in pcap
  • I wanna separate Client and Server connection
  • Extract the payload/Application Data (Not decrypt or stuff like that)
  • And replay the extracted payload. For example with Packet Sender which is taking care of the connection sequence
  • If possible automatically, because there are usually over 150 packets

I don't wanna change the IP-Address necessarily.

I tried tcpprep to split the packets and tcpwrite to create a new pcap file. But it didn't work out. The background behind all this is research for my study program, and I need to perform a replay attack.

If you could help me, it would be very sweet. Thx in advance....

asked 25 Oct '17, 08:37

UserWire

No one or is it too trivial??!

(26 Oct '17, 09:56) UserWire

I don't understand when you say you want to extract the payload but not decrypt for replay. If you extract the encrypted payload you won't be able to replay that as the TLS handshake will fail.

(26 Oct '17, 12:05) grahamb ♦

One Answer:

0

The handshake will be taken care of by the tool Packet Sender. It will manage the connection. I just need to fill the packets with the encrypted payload. That's the big advantage of replay-attacks, unless there aren't any replay-countermeasures like sessionID or timestamps. You don't need any decryption, just the bitstream.

Or am I wrong?! I presented this idea to my Prof. and he didn't oppose that, so I am a lil confused right now.

Thanks for your reply.

answered 26 Oct '17, 13:56

UserWire
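
The replay protection this thread turns on, shown as an added example that is not part of the original posts: TLS 1.2 derives record keys from the per-connection randoms and authenticates each record together with an implicit sequence number, so captured Application Data fails verification on any later delivery. Assumptions: a MAC-only suite (TLS_RSA_WITH_NULL_SHA256) is modelled so the sketch needs only the standard library, the premaster secret is deliberately reused as a worst case, and all names and sample bytes are constructed for illustration.

```python
import hashlib, hmac, os, struct

def prf(secret, label, seed, n):
    """TLS 1.2 PRF (RFC 5246, section 5): P_SHA256(secret, label + seed)."""
    seed, out = label + seed, b""
    a = seed  # A(0)
    while len(out) < n:
        a = hmac.new(secret, a, hashlib.sha256).digest()            # A(i)
        out += hmac.new(secret, a + seed, hashlib.sha256).digest()
    return out[:n]

def client_mac_key(premaster, client_random, server_random):
    master = prf(premaster, b"master secret", client_random + server_random, 48)
    key_block = prf(master, b"key expansion", server_random + client_random, 64)
    return key_block[:32]  # client_write_MAC_key comes first in the key block

def record_mac(key, seq, fragment, ctype=23, version=0x0303):
    # MAC input: 64-bit sequence number, then type, version, length, fragment
    header = struct.pack("!QBHH", seq, ctype, version, len(fragment))
    return hmac.new(key, header + fragment, hashlib.sha256).digest()

class ServerReadState:
    """Server-side read state: client MAC key plus the implicit record counter."""
    def __init__(self, key):
        self.key, self.seq = key, 0

    def accept(self, fragment, mac):
        ok = hmac.compare_digest(mac, record_mac(self.key, self.seq, fragment))
        self.seq += 1  # a real server sends bad_record_mac and closes when ok is False
        return ok

def demo():
    premaster, c_rand, s_rand = os.urandom(48), os.urandom(32), os.urandom(32)
    key_a = client_mac_key(premaster, c_rand, s_rand)
    fragment = b"constructed application data"        # stands in for a captured record
    captured_mac = record_mac(key_a, 0, fragment)

    server_a = ServerReadState(key_a)
    original = server_a.accept(fragment, captured_mac)           # first delivery
    replay_same_conn = server_a.accept(fragment, captured_mac)   # counter is now 1

    # New connection: the server picks a fresh random, so the key block changes
    key_b = client_mac_key(premaster, c_rand, os.urandom(32))
    replay_new_conn = ServerReadState(key_b).accept(fragment, captured_mac)
    return original, replay_same_conn, replay_new_conn

if __name__ == "__main__":
    print(demo())
```

AEAD suites differ in the cipher but bind the same sequence number and per-connection keys, so the outcome is the same.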