Vijay Sitaram wrote:
> Hi,
>
> I am not sure if this has been attempted before, but would really
> appreciate some help / guidance. We are trying to decrypt SSL
> application data by using 'tshark' on RedHat Linux using the following
> command:
> tshark -V -r rsasnakeoil2.cap -R
> "127.0.0.1,443,/path/to/snakeoil2/rsasnakeoil2.key" > output.txt
>
> The Application Data always shows up encrypted. Are there any logs
> that I can check to see the underlying problem? How can I make progress
> with my goal?
The "-R" flag is used to specify a read (aka display) filter, e.g.
    ip.addr eq 172.17.2.172 and bgp
or
    tcp matches "ghwbush.*password(?i)"
You appear to be trying to feed it a key list for the SSL dissector.
You might try using the "-o" flag instead, along with the appropriate
SSL preference name:
    tshark -V -r rsasnakeoil2.cap \
        -o "ssl.keys_list: 127.0.0.1,443,/path/to/rsasnakeoil2.key"
For a complete list of preference items, check the "preferences" file in
Wireshark's configuration directory or run "tshark -G defaultprefs".