
Decrypting my own TLS traffic with tshark

Hi,

I am developing some web applications, for which I am making HTTP requests in and out of my host. I am interested in the HTTPS traffic, and I have already captured it with tshark, as I mainly work in the command line.

I have been able to decrypt my own conversations in Wireshark by dumping my own "TLS" private keys and then referencing them in C:\Users\fakuve\AppData\Roaming\preferences:

```
tls.keylog_file: C:\Users\fakuve\Documents\Wireshark\ssl-keys.log
```

So, working with the Wireshark GUI, I am able to decrypt those conversations.

On a certain message, if I do Follow HTTP Stream, it will show the conversation with the headers.

In the window title I can see:

Wireshark Follow HTTP Stream (tcp.stream eq 7)

So I go to the terminal and I do

```
tshark.exe -o "tls.keylog_file: C:\Users\fakuve\Documents\Wireshark\ssl-keys.log" -r https-2024-05-14-17-04.pcap -z "follow,tcp,ascii,7"
```

And I am getting:

```
Follow: tcp,ascii
Filter: tcp.stream eq 7

[Some IPs.]

[Loads of unencrypted gibberish characters]
```

Doesn't tshark have an option to decode these conversations according to the TLS private keys, as I am doing with the Wireshark GUI?

Thank you

freddieventura, asked 2024-05-14 17:00:37 +0000

Comments

Do you get a different result when tshark is asked to make a second pass with the -2 option?

Chuckc (2024-05-14 17:46:15 +0000)

I get the same.

freddieventura (2024-05-14 19:45:12 +0000)

It works when doing:

```
tshark.exe -r https-2024-05-14-17-04.pcap -o "tls.keylog_file: C:\Users\fakuve\Documents\Wireshark\ssl-keys.log" -Y "frame.number==28" -V
```

It is just ultra-verbose information, but it does work. I bet I need to wrap my head around crafting the command to output exactly what I need.

Thank you

freddieventura (2024-05-14 21:15:32 +0000)

1 Answer


-z "follow,tcp,ascii,7" will output the TCP payload, which is TLS-encrypted data; you will have to use -z "follow,tls,ascii,7" to get to the decrypted data (or -z "follow,http,ascii,7" if the HTTP objects are transferred with compression enabled).

SYN-bit, answered 2024-05-20 06:01:19 +0000, updated 2024-05-20 06:03:05 +0000
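Before blaming the tshark command line, it is worth confirming that the ssl-keys.log file passed via -o tls.keylog_file actually contains usable secrets for the session in question. The checker below is an added example, not code from this thread or from the Wireshark project; it assumes the standard NSS key log format that Wireshark reads, and the sample entries are constructed, not real secrets.

```python
import re

# NSS key log format (what Wireshark's tls.keylog_file reads), one entry per line:
#   <LABEL> <client_random: 32 bytes hex> <secret: hex>
# CLIENT_RANDOM carries the 48-byte TLS 1.2 master secret; the TLS 1.3 labels carry
# 32- or 48-byte per-phase secrets (SHA-256 / SHA-384 cipher suites).
LINE_RE = re.compile(r"^(?P<label>[A-Z0-9_]+) (?P<random>[0-9a-fA-F]{64}) (?P<secret>[0-9a-fA-F]+)$")
KNOWN_LABELS = {
    "CLIENT_RANDOM",
    "CLIENT_EARLY_TRAFFIC_SECRET", "EARLY_EXPORTER_SECRET",
    "CLIENT_HANDSHAKE_TRAFFIC_SECRET", "SERVER_HANDSHAKE_TRAFFIC_SECRET",
    "CLIENT_TRAFFIC_SECRET_0", "SERVER_TRAFFIC_SECRET_0", "EXPORTER_SECRET",
}
VALID_SECRET_HEX_LENGTHS = {64, 96}  # 32 or 48 bytes

def check_keylog(text):
    """Return (usable, problems): usable maps client_random -> labels seen
    (the sessions tshark could decrypt); problems is a list of (line_no, reason)."""
    usable, problems = {}, []
    for no, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # blank lines and comments are permitted in the file
        m = LINE_RE.match(line)
        if not m:
            problems.append((no, "malformed line"))
            continue
        label, rnd, secret = m.group("label"), m.group("random").lower(), m.group("secret")
        if label not in KNOWN_LABELS:
            problems.append((no, f"unknown label {label}"))
        elif len(secret) not in VALID_SECRET_HEX_LENGTHS:
            problems.append((no, f"unexpected secret length {len(secret) // 2} bytes"))
        else:
            usable.setdefault(rnd, set()).add(label)
    return usable, problems

def tls13_complete(labels):
    """Both application traffic secrets are needed to decrypt both directions of a TLS 1.3 session."""
    return {"CLIENT_TRAFFIC_SECRET_0", "SERVER_TRAFFIC_SECRET_0"} <= labels

# Constructed sample log (not real secrets): a TLS 1.2 session, a TLS 1.3 session that is
# missing its server-side secret, and a line with a truncated client random.
SAMPLE = "\n".join([
    "# SSL/TLS secrets log file, generated by NSS",
    "CLIENT_RANDOM " + "11" * 32 + " " + "aa" * 48,
    "CLIENT_HANDSHAKE_TRAFFIC_SECRET " + "22" * 32 + " " + "bb" * 32,
    "CLIENT_TRAFFIC_SECRET_0 " + "22" * 32 + " " + "cc" * 32,
    "CLIENT_RANDOM deadbeef " + "dd" * 48,
])
```

Run check_keylog on the real file's contents: a session whose client random is absent, or whose TLS 1.3 entry set is incomplete, will stay encrypted in tshark no matter which -z follow target is used.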

