Wireshark mailing list archives
Re: Decrypting SSL traffic through tshark
From: Sake Blok <sake () euronet nl>
Date: Thu, 11 Nov 2010 19:14:08 +0100
On 11 nov 2010, at 07:34, Sahaj wrote:
I need to decrypt SSL traffic to get content length.

./tshark -o "ssl.keys_list:,443,http,client.ky" -T fields -E separator=":" -e frame.time_relative -e frame.number -e tcp.len -e http.content_length -e tcp.flags.fin -e tcp.flags.push -R "ip.src == source_ip && ip.dst == destination_ip && tcp.srcport == 443 && ! (tcp.analysis.out_of_order) && ! (tcp.analysis.retransmission) " -r sample.pcap

[...] The field for content length is empty. Please help me out and tell me if I am missing anything or doing something wrong.

You should use the server IP address in the keys_list:

-o "ssl.keys_list:<SERVER-IP>,443,http,client.ky"

It also helps if you add:

-o "ssl.debug_file:ssl-debug.log"

That way you can see in the logfile if the key is loaded OK in Wireshark and you can follow the decryption process.

Let's see how that goes first...

Cheers,
Sake
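
The check suggested in the reply above, as an added example that is not part of the original message or of Wireshark: a pre-flight validator for an ssl.keys_list value that catches the empty server IP before tshark runs, plus a helper that builds the two -o options. The function names and the 192.0.2.10 address are assumptions made for illustration.

```python
import ipaddress

def check_keys_list(value):
    """Return a list of problems found in an ssl.keys_list preference value.

    Entries have the form ip,port,protocol,keyfile and are separated by ';'.
    """
    problems = []
    entries = [e for e in value.split(";") if e.strip()]
    if not entries:
        return ["keys_list is empty"]
    for n, entry in enumerate(entries, 1):
        fields = [f.strip() for f in entry.split(",")]
        if len(fields) < 4:
            problems.append(f"entry {n}: expected ip,port,protocol,keyfile")
            continue
        ip, port, proto, keyfile = fields[:4]
        if not ip:
            # The mistake in the original command: nothing before the first comma.
            problems.append(f"entry {n}: server IP is empty")
        else:
            try:
                ipaddress.ip_address(ip)
            except ValueError:
                problems.append(f"entry {n}: {ip!r} is not an IP address")
        if not (port.isdigit() and 0 < int(port) < 65536):
            problems.append(f"entry {n}: {port!r} is not a TCP port")
        if not proto:
            problems.append(f"entry {n}: protocol is empty")
        if not keyfile:
            problems.append(f"entry {n}: key file is empty")
    return problems

def tshark_ssl_options(server_ip, port, proto, keyfile, debug_log):
    """Build the -o arguments for tshark, refusing a malformed keys_list."""
    keys = f"{server_ip},{port},{proto},{keyfile}"
    problems = check_keys_list(keys)
    if problems:
        raise ValueError("; ".join(problems))
    return ["-o", f"ssl.keys_list:{keys}", "-o", f"ssl.debug_file:{debug_log}"]

if __name__ == "__main__":
    # Constructed inputs: the value from the question, then a corrected one.
    print(check_keys_list(",443,http,client.ky"))
    print(tshark_ssl_options("192.0.2.10", 443, "http", "client.ky", "ssl-debug.log"))
```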