Wireshark mailing list archives

Re: tshark option to decrypt SSL?


From: Sake Blok <sake () euronet nl>
Date: Thu, 9 Sep 2010 17:14:30 +0200

On 9 sep 2010, at 16:30, James Hozier wrote:

> Here is what I have so far:
> tshark -tad -lnx -d tcp.port==4040,irc -R 'irc'
>
> What should I add in order for it to capture and also decrypt SSL traffic
> as well, with the private server certificate on the machine this is being
> run from?

If traffic on port 4040 is SSL encrypted IRC traffic, then you would use the following:

tshark -tad -lnx -o ssl.keys_list:<server-ip>,4040,irc,<path-to-private-key> -R irc

You might want to use -V as well to get full protocol decodes, including the decrypted irc details.

Cheers,


Sake
___________________________________________________________________________
Sent via:    Wireshark-users mailing list <wireshark-users () wireshark org>
Archives:    http://www.wireshark.org/lists/wireshark-users
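
The following is an added example, not part of the original post or of Wireshark itself: a shell helper that checks the four fields of the `ssl.keys_list` value from the reply above before handing them to tshark. The function name `build_keys_list`, the address 192.0.2.10 and the key path are hypothetical, and the key is assumed to be an unencrypted PEM file.

```shell
#!/bin/sh
# Added example: assemble <server-ip>,<port>,<protocol>,<path-to-private-key>
# for "-o ssl.keys_list:..." after basic sanity checks.
# build_keys_list is a hypothetical helper name, not a Wireshark tool.

# Prints "ip,port,proto,keyfile" on success.
# Returns 2 for a bad field, 3 for an unreadable key, 4 for an unusable key.
build_keys_list() {
    ip=$1 port=$2 proto=$3 key=$4

    # The value is comma-separated, so no field may contain a comma itself.
    case "$ip$port$proto$key" in
        *,*) echo "fields must not contain commas" >&2; return 2 ;;
    esac
    case "$port" in
        ''|*[!0-9]*) echo "port must be numeric: $port" >&2; return 2 ;;
    esac
    if [ "$port" -lt 1 ] || [ "$port" -gt 65535 ]; then
        echo "port out of range: $port" >&2; return 2
    fi
    [ -r "$key" ] || { echo "key file not readable: $key" >&2; return 3; }

    # Assumption: the key is PEM. The four-field value has no place for a
    # passphrase, so a passphrase-protected key is rejected early.
    if grep -q -e 'Proc-Type: 4,ENCRYPTED' -e 'BEGIN ENCRYPTED PRIVATE KEY' "$key"; then
        echo "key file is passphrase-protected: $key" >&2; return 4
    fi
    grep -q -e '-----BEGIN .*PRIVATE KEY-----' "$key" ||
        { echo "no PEM private key header in: $key" >&2; return 4; }

    printf '%s,%s,%s,%s\n' "$ip" "$port" "$proto" "$key"
}

# Usage with the command from the thread (192.0.2.10 is a documentation address):
#   keys=$(build_keys_list 192.0.2.10 4040 irc ./server.key) &&
#       tshark -tad -lnx -o "ssl.keys_list:$keys" -R irc
```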