I guess that depends on how they "encrypt" it - some schemes can be as simple as an XOR or other trivial obfuscation. Other issues can be just related to the file format of an upload / download that makes it hard to decipher the payload from a raw pcap file.
  
Are there any tools available to simplify this process? 
  
Thanks, 
JB 
  
P.S. We are covered legally on this.
  --- On Thu, 9/25/08, Jaap Keuter <jaap.keuter@xxxxxxxxx> wrote:
  
From: Jaap Keuter <jaap.keuter@xxxxxxxxx>
Subject: Re: [Wireshark-users] Decrypted session transcripts from pcap?
To: jimbalo22@xxxxxxxxx, "Community support list for Wireshark" <wireshark-users@xxxxxxxxxxxxx>
Date: Thursday, September 25, 2008, 10:59 PM
 
 Hi Jim,
Well, without proper keys that is going to be a problem.
And also: make sure you've got the legal angle covered! These are tricky
subjects.
Thanx,
Jaap
Jim Balo wrote:
> The other day we had a situation where an employee was involved in some 
> questionable activities.  We were concerned that sensitive data had left 
> the company, so I analyzed the pcaps from this employee's Internet 
> activities.  I found some suspicious MSN messenger sessions (over regular 
> port 80), but the payload appeared to be encrypted, making it a real 
> pain to try to find out what actually took place. 
>  
> Is there any tool out there that can generate decrypted (or similar) 
> session transcripts from pcap files for common protocols (like messenger)?
>  
> Some sessions involve FTP uploads, and since I have the full pcap files, 
> I should be able to recreate the file uploaded so that I can view it in 
> the proper app (like a Word or Excel file) - is there any tool for this 
> out there?
>  
> Thanks,
> JB
> 