
Command line PCAP decryption with TLS key log file

I have a PCAP file I am trying to decrypt, and a TLS key log file produced by Node.js (using the --tls-keylog option).

I am trying to convert the HTTP messaging inside the PCAP file into WARC format, but cannot figure out how to use the command line tshark util to decrypt the relevant traffic. I can do so in the Wireshark UI by updating the TLS PMS setting and then right-clicking and choosing to follow the HTTP stream. How can I recreate this behaviour with tshark?

I'd also like to print out the "follow" view for _all_ HTTP connections in a PCAP file (including HTTPS and HTTP/2), in JSON format if possible. Thanks!

Matty
asked 2022-04-11 12:25:05 +0000


1 Answer


Breaking this into "TLS keys" and "how to follow".
TLS background info: Sharkfest '19

09: Debugging TLS issues with Wireshark by Peter Wu / Presentation Video (1:10:44)

Peter's slides available here Debugging TLS issues with Wireshark.

Also check the Wireshark wiki page for TLS. Sections for Embedding decryption secrets in a pcapng file and Preference Settings (hint: tls.keylog_file)

The tshark man page documents the follow option:

-z follow,prot,mode,filter[,range]
Displays the contents of a TCP or UDP stream between two nodes. The data sent by the second node is prefixed with a tab to differentiate it from the data sent by the first node.

prot specifies the transport protocol. It can be one of:

tcp   TCP
udp   UDP
tls   TLS or SSL
http  HTTP streams
http2 HTTP/2 streams
quic  QUIC streams
Chuckc
answered 2022-04-11 15:57:35 +0000
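The two halves of the answer above (feed tshark the key log, then use -z follow) put together as a runnable script. This is an added example, not code from the original answer or from the Wireshark project. It assumes tshark and editcap from Wireshark 3.x or newer are on PATH (the preference is named tls.keylog_file there; older releases called it ssl.keylog_file), and the capture and key log paths are whatever the caller passes in; the sample key log lines in the usage note below are constructed, not real secrets.

```shell
#!/bin/sh
# Added example, not part of the original answer or of Wireshark's own docs.
# Decrypts a capture with an NSS-format TLS key log (what `node --tls-keylog`
# writes) using tshark, and dumps the "follow" view of every HTTP stream.
# Assumes tshark and editcap (Wireshark 3.x or newer) are on PATH; the
# capture and key log paths are whatever the caller passes in.
set -eu

# Count usable secret lines in a key log. Wireshark only uses lines that are a
# known label, 64 hex chars (the 32-byte ClientRandom) and the secret in hex.
# Comment (#) and blank lines are legitimately skipped. A zero here explains
# "nothing decrypts" before you spend time on tshark flags.
count_keylog_secrets() {
    grep -cE '^(CLIENT_RANDOM|CLIENT_EARLY_TRAFFIC_SECRET|CLIENT_HANDSHAKE_TRAFFIC_SECRET|SERVER_HANDSHAKE_TRAFFIC_SECRET|CLIENT_TRAFFIC_SECRET_0|SERVER_TRAFFIC_SECRET_0|EARLY_EXPORTER_SECRET|EXPORTER_SECRET) [0-9a-fA-F]{64} [0-9a-fA-F]+$' "$1" || true
}

# The command line equivalent of the GUI setting
# Preferences > Protocols > TLS > (Pre)-Master-Secret log filename.
keylog_pref() {
    printf 'tls.keylog_file:%s' "$1"
}

# tcp.stream indices that carry HTTP/1.x or HTTP/2 once TLS is decrypted.
list_http_streams() {
    tshark -r "$1" -o "$(keylog_pref "$2")" -Y 'http || http2' \
        -T fields -e tcp.stream | sort -un
}

# Same text the GUI shows under Follow > HTTP Stream, for every stream.
# The http follow mode is addressed by tcp.stream index, as in the GUI.
follow_all_http() {
    pcap=$1; keylog=$2
    for s in $(list_http_streams "$pcap" "$keylog"); do
        printf '===== tcp.stream %s =====\n' "$s"
        tshark -q -r "$pcap" -o "$(keylog_pref "$keylog")" \
            -z "follow,http,ascii,$s"
    done
}

# JSON: -z follow has no JSON output, but -T json over a display filter gives
# every decrypted HTTP and HTTP/2 PDU with all dissected fields.
dump_http_json() {
    tshark -r "$1" -o "$(keylog_pref "$2")" -Y 'http || http2' -T json
}

# Optional: embed the secrets in a pcapng (Decryption Secrets Block) so later
# tshark/Wireshark runs need no -o preference at all.
embed_secrets() {
    editcap --inject-secrets "tls,$2" "$1" "$3"
}

# Stand-alone run: ./follow_http.sh capture.pcap keys.log
if [ "${1:-}" ] && [ "${2:-}" ]; then
    echo "key log has $(count_keylog_secrets "$2") usable secret lines"
    follow_all_http "$1" "$2"
    dump_http_json "$1" "$2" > http.json
fi
```

Two practical caveats. The key log must cover the sessions in the capture: Node only logs secrets for the TLS connections that process makes or accepts, and a log from a different run (or a session resumed from a ticket issued before logging started) will not decrypt anything, which is what the secret-line count is there to catch early. The HTTP/2 follow mode listed in the man page needs an HTTP/2 stream id as well as the TCP stream index, so the script leaves HTTP/2 to the -T json dump rather than guessing that filter format; check the filter formats in your own tshark's man page if you want per-stream HTTP/2 follow output.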
