Wireshark mailing list archives
How to decrypt SSL in TShark 1.6.5 (giving the key file in the parameters)?
From: rouli <rouli.net () gmail com>
Date: Tue, 7 Feb 2012 17:47:34 +0200
I'm using tshark to decrypt ssl traffic in pcaps, using the -o "ssl.keys_list:..." option to specify the keyfile. It worked well for tshark 1.6.2 and lower. Here's an example:
"c:\Program Files\Wireshark\tshark.exe" -r "C:\temp\input.pcap" -o "http.tcp.port:80,80,8080,8888" -o "ssl.keys_list:172.30.2.31, 443,http,"C:/temp/private.key"" -R "http" -T pdml
However, I can't find the right command line to make it work with 1.6.5. Trying the one above, tshark crashes - apparently it's missing the extra password parameter. Trying to add a blank password (ssl.keys_list:172.30.2.31,443,http,"C:/temp/private.key","") doesn't work either - tshark doesn't crash, but doesn't decrypt the traffic either. In the ssl debug log it says:
ssl_parse: Can't load UAT string "172.30.2.31","443","http","C:/temp/private.key,"","": ssl_keys:1: unexpected char '"'**** while looking for field keyfile
I've tried several other options, with similar errors in the log file, or an error that it can find my key file.
One important thing to mention - my key file is not encrypted, and setting these params using the UI (which I don't want to do, I need automation capabilities) works fine.
Any ideas?
Thanks,
-rouli