When capturing with tshark, inject TLS secrets on the fly

My working workflow is:

  1. start tshark to capture traffic that contains TLS encoded communication, like tshark -i someinterface -w in.pcap

  2. do some TLS communication with the application configured to export the TLS keys into a file.

  3. stop tshark

  4. insert TLS keys into the log file like editcap --inject-secrets tls,keys.txt in.pcap out-dsb.pcapng

  5. start Wireshark to inspect the TLS communication like Wireshark out-dsb.pcapng

Now I would like to be able to do step 5, start Wireshark any time during the communication (step 2).

Is there a way to tell tshark to insert the TLS keys into the pcapng file on the fly during capturing, so I do not need editcap and I can look at the packet log while it is still being written?

I know I can configure Wireshark to look at the secrets file itself, but I do this for several logs one after the other and it is inconvenient to reconfigure Wireshark every time to look at different key files. Also, sometimes I have more than one key file from different TLS applications.
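
For the case mentioned above where several TLS applications each write their own key file, here is an added example (not part of the original post) that merges them into one keys.txt before step 4. The input names app1-keys.txt and app2-keys.txt are hypothetical, and the script assumes each useful line is a label, a 64-hex-digit client random and a hex secret; anything else is dropped.

```shell
#!/bin/sh
# Added example: merge several TLS key log files into one file that
# step 4 (editcap --inject-secrets) can consume after the capture stops.

# merge_keylogs OUT IN...
# Keeps only lines shaped like "<LABEL> <64 hex client random> <hex secret>",
# strips CR from CRLF files, drops comments and malformed lines, removes
# duplicates, and creates OUT under umask 077 because it holds session secrets.
merge_keylogs() {
    out=$1; shift
    ( umask 077
      cat -- "$@" \
        | tr -d '\r' \
        | grep -E '^[A-Z0-9_]+ [0-9a-fA-F]{64} ([0-9a-fA-F]{2})+$' \
        | sort -u > "$out" )
}

# inject_keys IN.pcap OUT.pcapng KEYS
# Step 4 from the question: write a pcapng copy with the keys embedded.
# The resulting file can decrypt the captured sessions on its own, so
# store and share it as carefully as the key files themselves.
inject_keys() {
    editcap --inject-secrets "tls,$3" "$1" "$2"
}

# Usage with the file names from the workflow above
# (app1-keys.txt and app2-keys.txt are hypothetical):
#   merge_keylogs keys.txt app1-keys.txt app2-keys.txt
#   inject_keys in.pcap out-dsb.pcapng keys.txt
```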
