
How do I inject TLS secrets on the fly when capturing with tshark?

My working workflow is:

  1. start tshark to capture traffic that contains TLS-encoded communication, like tshark -i someinterface -w in.pcap

  2. do some TLS communication with the application configured to export the TLS keys into a file.

  3. stop tshark

  4. insert the TLS keys into the log file, like editcap --inject-secrets tls,keys.txt in.pcap out-dsb.pcapng

  5. start Wireshark to inspect the TLS communication, like Wireshark out-dsb.pcapng

Now I would like to be able to do step 5, starting Wireshark, at any time during the communication (step 2).

Is there a way to tell tshark to insert the TLS keys into the pcapng file on the fly during capturing, so I do not need editcap and I can look at the packet log while it is still being written?

I know I can configure Wireshark to look at the secrets file itself, but I do this for several logs one after the other and it is inconvenient to reconfigure Wireshark every time to look at different key files. Also, sometimes I have more than one key file from different TLS applications.

hha, asked 2024-07-19 08:05:15 +0000, updated 2024-07-19 09:36:02 +0000

2 Answers


Currently that isn't possible, but it's a good future enhancement.

In 4.2.x and later releases you can inject currently used TLS secrets from Wireshark. https://www.wireshark.org/docs/wsug_h...

If you configure the log file, it will add any secrets used from the log file to the capture file. It's an alternative to using editcap. It would be nice to add it to tshark. It would also be nice to have it inject automatically with an ongoing capture instead of waiting until the capture is finished to add the secrets, for piping/streaming, but that would be more work.

After injecting the secrets you will need to save the file. It might be an easier workflow for you than using editcap, until such time as it is implemented in tshark.

johnthacker, answered 2024-07-19 14:01:40 +0000, updated 2024-07-19 14:05:42 +0000

Comments

Thanks for the answer!

Saves me further looking for the solution.

I am afraid I am looking for the "more work" solution of adding to the ongoing capture. Besides, for my purpose dumpcap would work just as well as tshark, if that helps any.

For now I will have to implement some workaround (create a temporary copy of the capture and add the secrets to the temporary copy with editcap).

Would it be helpful to file a feature request in the issue tracker?

hha (2024-07-19 14:13:55 +0000)

While the answer of @johnthacker is geared towards a (long-term) solution, there might be a workaround for your workflow. If there is a pattern to the naming of your pcap files and the corresponding TLS-keys files, you could create a script/batch file that takes the common denominator as an argument and starts wireshark reading the pcap file with -r <filename of pcap file> and selecting the TLS-keys file with the option -o tls.keylog_file:<filename of keys file>

SYN-bit, answered 2024-07-20 04:30:15 +0000

Comments

Thanks for the suggestion! We will try this. Does anyone know whether Wireshark supports more than one of these -o options to look at several keylog files? Otherwise we will have to merge our key files before submitting them to Wireshark.

hha (2024-07-22 07:48:16 +0000)

I just tried, only the last occurrence of the option is used.

If on Linux/macOS, you might do something like this: -o tls.keylog_file:<( tail -f a.keys b.keys c.keys ....); for Windows there might be a similar construction available (turning the output of a command into a file descriptor with <(command)).

SYN-bit (2024-07-22 08:14:09 +0000)
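The workaround discussed in this answer and its comments, scripted as an added example (this is not code from the thread or from the Wireshark project): it merges several key log files into one before handing them to Wireshark, since only the last -o tls.keylog_file: on the command line is honoured, and it also performs the question's editcap step on a copy of a capture that may still be growing. The naming convention (run1.pcapng paired with run1-app1.keys, run1-app2.keys, ...) and the file names are assumptions for the example; wireshark and editcap are assumed to be on PATH.

```shell
#!/bin/sh
# Added example, not code from the thread or from the Wireshark project.
# Scripts SYN-bit's workaround (wireshark -r <capture> -o tls.keylog_file:<keys>)
# and the editcap step from the question. Wireshark honours only the last
# -o tls.keylog_file: option, so several key log files are merged into one first.
#
# Assumed naming convention (not given in the thread): capture run1.pcapng pairs
# with key logs run1-app1.keys, run1-app2.keys, ...; wireshark and editcap on PATH.
set -eu

# merge_keylogs OUT FILE...
# Union of the given NSS-format key log files into OUT: keeps only lines of the
# form "LABEL <hex client_random> <hex secret>" (comment lines and partially
# written lines are dropped) and removes exact duplicates, so a session that
# was exported twice is listed once. Prints the number of lines written.
merge_keylogs() {
  _out=$1; shift
  awk '/^[A-Z][A-Z0-9_]* [0-9a-fA-F]+ [0-9a-fA-F]+$/ && !seen[$0]++' "$@" > "$_out"
  wc -l < "$_out" | tr -d ' '
}

# inject_snapshot CAPTURE KEYLOG OUT
# The question's step 4 applied to a capture that may still be written to:
# copy it first so editcap reads a file that is not changing underneath it,
# then write a pcapng carrying a Decryption Secrets Block. OUT opens in
# Wireshark without any tls.keylog_file setting.
inject_snapshot() {
  _tmp=$(mktemp "${TMPDIR:-/tmp}/snap.XXXXXX")
  cp -- "$1" "$_tmp"
  editcap --inject-secrets "tls,$2" "$_tmp" "$3"
  rm -f -- "$_tmp"
}

# Usage: ./open_capture.sh run1
#   merges run1-*.keys into run1.merged.keys and opens run1.pcapng with it.
# Usage: ./open_capture.sh run1 snapshot
#   additionally writes run1.snapshot.pcapng with the secrets embedded.
if [ -n "${1:-}" ]; then
  stem=$1
  merged=$stem.merged.keys
  n=$(merge_keylogs "$merged" "$stem"-*.keys)
  echo "merged $n secrets from $stem-*.keys into $merged" >&2
  if [ "${2:-}" = snapshot ]; then
    inject_snapshot "$stem.pcapng" "$merged" "$stem.snapshot.pcapng"
    wireshark -r "$stem.snapshot.pcapng"
  else
    wireshark -r "$stem.pcapng" -o "tls.keylog_file:$merged"
  fi
fi
```

If the key files are still being appended to while Wireshark is open, SYN-bit's process substitution can replace the merged file. One check worth making there: tail -f with several files starts by printing only the last 10 lines of each and separates them with "==> name <==" header lines, so write it as tail -q -n +1 -f a.keys b.keys to stream every file from its first line and without the headers.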