
How do I search decrypted TLS data in a capture.


I have created a capture with decrypted TLS data by injecting the keys into the capture file. I have not found a way to search the decrypted data using the display filter. I can search encrypted data using tls.app_data. It seems like it should be a simple thing to search decrypted data, but I have not found it. I have tried using tls.segment, tls.segment.data, tls.segments, tls.reassembled.data and others. Thanks.

netwonder, asked 2020-11-30 22:01:57 +0000


1 Answer


Using the snakeoil2 sample capture, the TLS is decrypted as HTTP.

1. A display filter of http contains "Linux" returns 12 frames.
2. Or you can select a decrypted packet, right click and use Follow->TLS Stream or Follow->HTTP Stream.
3. Or disable the decode for HTTP and filter on data.data contains "Linux"

Chuckc, answered 2020-12-01 02:30:01 +0000

Comments

Thanks. I tried 'http contains' but wasn't finding what I was looking for. After sleeping on it and looking again, it appears you are correct and I don't know what I was doing yesterday. I did not realize 'data.data' did not work because http was enabled, that bit of info helps.

netwonder (2020-12-01 14:22:09 +0000)

The data "dissector" is only called if no other dissector can be found to handle the data.

grahamb (2020-12-01 18:10:17 +0000)
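The three options from the answer, plus the key-injection step from the question, as a tshark/editcap script. This is an added example and not code from anyone in the thread; it assumes Wireshark 3.x tools on PATH, and the file names (snakeoil2.pcap, keys.txt, snakeoil2-keys.pcapng) are placeholders you would replace with your own capture and keylog. It only executes the tools when they and the input file are actually present, so it can be read or sourced anywhere.

```shell
#!/bin/sh
# Added example, not code from the original thread. Assumes tshark and editcap
# (Wireshark 3.x or later) are installed; all file names are placeholders.
PCAP_IN="${PCAP_IN:-snakeoil2.pcap}"             # assumed: capture without keys
KEYLOG="${KEYLOG:-keys.txt}"                     # assumed: SSLKEYLOGFILE output
PCAP_OUT="${PCAP_OUT:-snakeoil2-keys.pcapng}"    # assumed: capture with keys embedded

# "Injecting the keys into the capture file": editcap writes the keylog into a
# pcapng Decryption Secrets Block, so no -o tls.keylog_file is needed afterwards.
inject_cmd() {
    printf 'editcap --inject-secrets tls,%s %s %s' "$KEYLOG" "$PCAP_IN" "$PCAP_OUT"
}

# Option 1: the HTTP dissector owns the decrypted payload, so match on http.
# (For a capture without embedded secrets, add: -o tls.keylog_file:keys.txt)
search_http_cmd() {
    printf "tshark -r %s -Y 'http contains \"%s\"'" "$PCAP_OUT" "$1"
}

# Option 3: with HTTP disabled nothing claims the plaintext, it falls through to
# the generic "data" dissector, and the field to match becomes data.data.
search_data_cmd() {
    printf "tshark -r %s --disable-protocol http -Y 'data.data contains \"%s\"'" "$PCAP_OUT" "$1"
}

# Option 2 on the command line: print one decrypted TLS stream (by stream index).
follow_tls_cmd() {
    printf 'tshark -r %s -q -z follow,tls,ascii,%s' "$PCAP_OUT" "${1:-0}"
}

# Execute a built command only if its tool is installed and its input exists,
# so the script is harmless on a machine without Wireshark or the capture.
run_if_available() {
    cmd="$1"
    input="$2"
    tool="${cmd%% *}"
    if command -v "$tool" >/dev/null 2>&1 && [ -r "$input" ]; then
        sh -c "$cmd"
    else
        echo "skipping (missing $tool or $input): $cmd" >&2
        return 0
    fi
}

if [ "${1:-}" = "--run" ]; then
    run_if_available "$(inject_cmd)" "$PCAP_IN"
    # The answer above reports 12 matching frames for snakeoil2 with this filter.
    run_if_available "$(search_http_cmd Linux)" "$PCAP_OUT" | wc -l
    run_if_available "$(search_data_cmd Linux)" "$PCAP_OUT" | wc -l
    run_if_available "$(follow_tls_cmd 0)" "$PCAP_OUT"
fi
```

Run it with `sh search-decrypted.sh --run` after exporting your own SSLKEYLOGFILE. The important detail is in the second and third functions: the field you filter on is decided by which dissector claims the plaintext, which is why `data.data` returns nothing while HTTP is enabled and `http contains` returns nothing once it is disabled.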
