tcpdump mailing list archives
Re: Decoding the unencrypted part(s) of SSL/TLS?
From: Wesley Shields <wxs () FreeBSD org>
Date: Tue, 11 Dec 2012 08:58:38 -0500
On Mon, Dec 10, 2012 at 11:38:29PM -0500, Michael Richardson wrote:
"Rick" == Rick Jones <rick.jones2 () hp com> writes:
Rick> Is there a version of tcpdump in the works which will decode
Rick> the unencrypted portions of an SSL/TLS session? Or do I need to look
Rick> elsewhere?
Are you asking if there is a decoder for the SSL/TLS handshakes or are you asking if there is something that will, given a private key, decrypt the SSL?
Yes/no. You have, in general, to do TCP reassembly as TLS blocks might span TCP segments. Fortunately, you can use: http://www.rtfm.com/ssldump/ to do exactly that.
There are some problems with ssldump when building on newer-ish systems (at least I think there were last time I tried to use it). If you can get it to work it is good.
It takes pcap files. It even decrypts if you give it the keys.
Another option is to use tshark. I'm not a fan of it but it does work in a pinch.

-- WXS
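The reassembly point made in the thread (TLS records can span TCP segments), as an added example that is not part of the original messages or of tcpdump, ssldump or tshark: it orders one direction's segments by sequence number, then walks the TLS record and handshake headers that are in cleartext. The segment data, the helper names and the zero-filled message bodies are constructed for illustration, and a handshake message split across two records is not handled.

```python
import struct

CONTENT = {20: "ChangeCipherSpec", 21: "Alert", 22: "Handshake", 23: "ApplicationData"}
HANDSHAKE = {1: "ClientHello", 2: "ServerHello", 11: "Certificate",
             14: "ServerHelloDone", 16: "ClientKeyExchange", 20: "Finished"}

def reassemble(segments):
    """Join one direction's (seq, payload) pairs in order; no seq wraparound handling."""
    stream, next_seq = bytearray(), None
    for seq, payload in sorted(segments):
        if next_seq is None:
            next_seq = seq
        if seq > next_seq:
            break                      # hole in the capture: stop before it
        fresh = payload[next_seq - seq:]   # skip bytes already seen (retransmits)
        stream += fresh
        next_seq += len(fresh)
    return bytes(stream)

def tls_records(stream):
    """Yield (type name, body) for every complete TLS record in the stream."""
    off = 0
    while off + 5 <= len(stream):
        ctype, major, _minor, length = struct.unpack_from("!BBBH", stream, off)
        if ctype not in CONTENT or major != 3 or off + 5 + length > len(stream):
            break                      # not TLS framing, or record still incomplete
        yield CONTENT[ctype], stream[off + 5:off + 5 + length]
        off += 5 + length

def describe(stream):
    """Name the cleartext handshake messages; after ChangeCipherSpec, handshake
    records are encrypted and only the record type is reported."""
    out, encrypted = [], False
    for name, body in tls_records(stream):
        if name == "Handshake" and not encrypted:
            off = 0
            while off + 4 <= len(body):    # one record may carry several messages
                out.append(HANDSHAKE.get(body[off], "handshake(%d)" % body[off]))
                off += 4 + int.from_bytes(body[off + 1:off + 4], "big")
        else:
            encrypted = encrypted or name == "ChangeCipherSpec"
            out.append("Handshake (encrypted)" if name == "Handshake" else name)
    return out

# Constructed sample: framing is real, message bodies are zero-filled placeholders.
def _hs(t, body): return bytes([t]) + len(body).to_bytes(3, "big") + body
def _rec(ct, body): return bytes([ct, 3, 1]) + struct.pack("!H", len(body)) + body
_s = _rec(22, _hs(1, bytes(38))) + _rec(22, _hs(16, bytes(10))) + _rec(20, b"\x01") + _rec(22, b"\xaa" * 16)
SEGMENTS = [(1040, _s[40:]), (1000, _s[:25]), (1025, _s[25:40]), (1000, _s[:25])]

if __name__ == "__main__": print(describe(reassemble(SEGMENTS)))
```

Parsing the first segment on its own yields nothing, because the 47-byte ClientHello record is cut at byte 25; only the reassembled stream decodes.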