Is it possible to access decrypted TLS data in tshark programmatically?

Is there any way to get the decrypted TLS payload programmatically in tshark, for example with -T jsonraw or pdml? I can see the decrypted data with the -x option or by following a TLS stream (neither of which is convenient for programmatic access), but with the -T option I can only see the encrypted payload.

For comparison, with ESP protocol, once the data is decrypted, the decrypted data is easily accessible in tcp.payload and data.data and display filters can be applied to the decrypted data. Is there any way to do that with TLS?

If that is not possible, an alternative for me would be saving only the raw decrypted data to a file. I can do this in Wireshark in the Follow TLS Stream window. Any way to do it in tshark?

Thanks

PaulCavan
asked 2020-04-20 15:42:10 +0000

1 Answer

Actually, even though my data is not http (actually ASN.1 BER), I can still apply the http dissector and get the data via tls.segment.data, and even apply display filters to it:

tshark -r example_ssl.pcap -o "tls.debug_file:ssldebug.log" -o "tls.desegment_ssl_records:TRUE" -o "tls.desegment_ssl_application_data:TRUE" -o "tls.keylog_file:sslkeylog.txt" -d "tls.port==0-65535,http" -T fields -e "tls.segment.data"

PaulCavan
answered 2020-04-20 17:23:42 +0000, updated 2020-04-20 17:26:08 +0000
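
An added example, not part of the answer above: a Python wrapper that runs the same tshark command with two extra fields (tcp.stream, tcp.srcport) and writes the decrypted tls.segment.data of each stream direction to its own binary file, which covers the "raw decrypted data to a file" case from the question. It assumes -T fields prints byte fields as hex (colon-separated or plain, depending on version) and joins multiple occurrences in one packet with the default "," aggregator; the function names, file names and SAMPLE lines are constructed for illustration.

```python
import subprocess
import sys
from collections import defaultdict

def parse_fields_output(lines):
    """Map (tcp.stream, tcp.srcport) -> decrypted bytes, in capture order."""
    out = defaultdict(bytearray)
    for line in lines:
        cols = line.rstrip("\r\n").split("\t")
        if len(cols) != 3 or not all(cols):
            continue  # packet carried no decrypted segment data
        stream, sport, hexdata = cols
        key = (int(stream.split(",")[0]), int(sport.split(",")[0]))
        # One packet can hold several segments, joined by the "," aggregator.
        for chunk in hexdata.split(","):
            out[key] += bytes.fromhex(chunk.replace(":", ""))
    return {k: bytes(v) for k, v in out.items()}

def run_tshark(pcap, keylog):
    """Run the answer's command with tcp.stream and tcp.srcport added."""
    cmd = ["tshark", "-r", pcap,
           "-o", "tls.keylog_file:" + keylog,
           "-o", "tls.desegment_ssl_records:TRUE",
           "-o", "tls.desegment_ssl_application_data:TRUE",
           "-d", "tls.port==0-65535,http",
           "-T", "fields",
           "-e", "tcp.stream", "-e", "tcp.srcport", "-e", "tls.segment.data"]
    done = subprocess.run(cmd, check=True, capture_output=True, text=True)
    return done.stdout.splitlines()

# Constructed sample output (not from a real capture): BER-looking bytes.
SAMPLE = [
    "0\t50000\t30:03:02:01:05",   # colon-separated hex
    "0\t443\t",                   # no decrypted data in this packet
    "0\t50000\t300302,0107",      # two segments in one packet
    "1\t50002\t0500",             # plain hex
]

if __name__ == "__main__":
    if len(sys.argv) == 3:
        lines = run_tshark(sys.argv[1], sys.argv[2])
    else:
        lines = SAMPLE
    for (stream, sport), data in parse_fields_output(lines).items():
        name = "stream%d_port%d.bin" % (stream, sport)
        with open(name, "wb") as fh:
            fh.write(data)
        print(name, len(data), "bytes")
```

Run it as `python3 script.py example_ssl.pcap sslkeylog.txt`; without arguments it processes the constructed sample lines instead.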