Wireshark-users: Re: [Wireshark-users] saving decoded ssl packets back to libpcap format

From: Vijay Sitaram <vjatfugen@xxxxxxxxx>
Date: Tue, 21 Nov 2006 18:47:26 -0800 (PST)
Hi Ken,
 
Let us know if your exercise is successful since I think there are other users who would be interested in the same functionality.
 
I doubt that you can use the text2pcap utility, since it does not appear to support decryption. The key point here is that 'wireshark' or 'tshark' can decrypt SSL traffic (using the server private key). So, I have looked into the option of adding '-T pdml' as a command argument to 'tshark'.
 
I do see the result, but still have to execute additional steps (such as ASCII/HEX decoding) to get the final result. Perhaps we can use the text2pcap program for this purpose; I have not looked deep into this. However, I think you are looking for a one-step process for achieving the result, which I don't think exists as of yet (a nice-to-have feature :).
 
Kind regards,
 
Vijay
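The middle step Vijay describes (pull the decrypted field values out of `tshark -T pdml` output and turn them into the hex dump that text2pcap reads), as an added example that is not part of the thread. The PDML sample and the field name `decrypted.data` are constructed placeholders; substitute the field that carries the decrypted payload in your own tshark output.

```python
import xml.etree.ElementTree as ET

# Constructed PDML sample standing in for `tshark -T pdml` output after SSL
# decryption. "decrypted.data" is a placeholder field name, not a real
# Wireshark field; the value is "GET / HTTP/1.1\r\n" as hex.
SAMPLE_PDML = """<pdml version="0">
  <packet>
    <proto name="frame"/>
    <proto name="ssl">
      <field name="decrypted.data" value="474554202f20485454502f312e310d0a"/>
    </proto>
  </packet>
</pdml>
"""


def extract_field_values(pdml_text: str, field_name: str) -> list:
    """Return the raw bytes of every <field name=... value="hex"> in packet order."""
    root = ET.fromstring(pdml_text)
    chunks = []
    for packet in root.iter("packet"):
        for field in packet.iter("field"):
            value = field.get("value")
            if field.get("name") == field_name and value:
                chunks.append(bytes.fromhex(value))
    return chunks


def to_text2pcap(chunks, width: int = 16) -> str:
    """Format each chunk as one packet in text2pcap's hex-dump input format.

    text2pcap starts a new packet whenever it sees an offset of 0, so every
    chunk begins at offset 000000 and is separated from the next by a blank line.
    """
    lines = []
    for chunk in chunks:
        for off in range(0, len(chunk), width):
            hexbytes = " ".join(f"{b:02x}" for b in chunk[off:off + width])
            lines.append(f"{off:06x}  {hexbytes}")
        lines.append("")
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    dump = to_text2pcap(extract_field_values(SAMPLE_PDML, "decrypted.data"))
    print(dump, end="")
```

The resulting file can be fed to text2pcap with `-T <srcport>,<destport>` (for example `-T 12345,80`), which prepends dummy Ethernet, IP and TCP headers so the new capture dissects as plain HTTP without any SSL key settings.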


Kenneth Hunt <kenneth.hunt.b@xxxxxxxxx> wrote:

OK... I worked on this yesterday, and I think the answer involves text2pcap, which can read in hex dumps of packets... my theory is that decoding the packets and saving them in the interim format means I can pull them back in decoded... anyone else think this is possible?

Can anyone confirm this is the right approach? I think I'm missing the correct switches on the commandline when writing the packets to a file:

tshark -x -r rsasnakeoil2.cap -o "ssl.keys_list: 127.0.0.1,443,http,./rsasnakeoil2.key" -o "ssl.debug_file: ./ssldebug.txt" -w out.cap

All I get is the encoded packet stream in the .cap file.

Kenneth Hunt
Bayer Corporate and Business Services LLC
North America Information Technology

IS Analyst

http://www.linkedin.com/in/kennethhunt

"deepali goel" <deepaligoel2003@xxxxxxxxx>
Sent by: wireshark-users-bounces@xxxxxxxxxxxxx
11/20/2006 11:45 PM
Please respond to
Community support list for Wireshark <wireshark-users@xxxxxxxxxxxxx>

To
"Community support list for Wireshark" <wireshark-users@xxxxxxxxxxxxx>
cc
Subject
Re: [Wireshark-users] saving decoded ssl packets back to libpcap format
I know the contents of my packet but can't see the packet flowing in the traffic captured??

On 11/21/06, Kenneth Hunt <kenneth.hunt.b@xxxxxxxxx> wrote:

I can open the sample file snakeoil2.tgz in the wiki:
http://wiki.wireshark.org/SSL

Is it possible to save the decoded packets back to libpcap format so I can reopen it without the SSL settings?

I am using
127.0.0.1,443,http,c:\rsasnakeoil2.key with the private key in the root of my c drive.
Kenneth Hunt
Bayer Corporate and Business Services LLC
North America Information Technology

IS Analyst
_______________________________________________
Wireshark-users mailing list

Wireshark-users@xxxxxxxxxxxxx
http://www.wireshark.org/mailman/listinfo/wireshark-users