Wireshark mailing list archives

How to decrypt SSL in TShark 1.6.5 (giving the key file in the parameters)?


From: rouli <rouli.net () gmail com>
Date: Tue, 7 Feb 2012 17:47:34 +0200

I'm using tshark to decrypt ssl traffic in pcaps, using the -o
"ssl.keys_list:..." option to specify the keyfile.
It worked well for tshark 1.6.2 and lower.

Here's an example:

"c:\Program Files\Wireshark\tshark.exe" -r "C:\temp\input.pcap" -o "http.tcp.port:80,80,8080,8888" -o "ssl.keys_list:172.30.2.31,443,http,"C:/temp/private.key""  -R "http" -T pdml



However, I can't find the right command line to make it work with 1.6.5.
Trying the one above, tshark crashes - apparently it's missing the extra
password parameter. Trying to add a blank password
(ssl.keys_list:172.30.2.31,443,http,"C:/temp/private.key","") doesn't work
either - tshark doesn't crash, but doesn't decrypt the traffic either. In
the ssl debug log it says

ssl_parse: Can't load UAT string
"172.30.2.31","443","http","C:/temp/private.key,"","": ssl_keys:1:
unexpected char '"' while looking for field keyfile

I've tried several other options, with similar errors in the log file, or
an error that it can find my key file. One important thing to mention - my
key file is not encrypted, and setting these params using the UI (which I
don't want to do, I need automation capabilities) works fine.

Any ideas?

Thanks,
-rouli