This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

decrypt ssl to pcap

0

Hi, I'm trying to decrypt an ssl conversation using the ssl key.

This is working in the wireshark gui.
When I try to decrypt in tshark, this is also working, but I want to decrypt it and save the result as a pcap file. This doesn't work.
When I use:
tshark -o "ssl.desegment_ssl_records: TRUE" -o "ssl.desegment_ssl_application_data: TRUE" -o "ssl.keys_list: 10.135.56.22,443,http,/trace/test/test.pem" -t ad -r 443_test.pcap -w decrypted.pcap
the result is the same as the input file.

Is there a way I can decrypt via cli to a pcap file?
I want to use the resulting pcap-file as input for tcpick, so I can save complete TCP sessions.

asked 27 Sep '11, 02:34

fcozijnsen


One Answer:

1

The short answer: Wireshark/tshark aren't capable of saving decrypted packets to a pcap file.

See message thread starting at http://www.wireshark.org/lists/wireshark-users/201105/msg00000.html for some (possibly) relevant information.

See especially: http://www.wireshark.org/lists/wireshark-users/201105/msg00002.html

A Google search may find further info.

answered 27 Sep '11, 06:22

Bill Meier ♦♦

edited 27 Sep '11, 06:38

Is there another way to create separate files for each communication session? I'm now using tcpick to separate the TCP streams from each other (and save each stream in a file), but this doesn't support SSL. I'd rather use Wireshark, but is this even possible?

(27 Sep '11, 06:28) fcozijnsen