I need to convert an https pcap file into a decrypted http file so I can use it
with tcpflow to create separate files for each session.
However, I am unable to achieve this. I am using the rsasnakeoil sample
file from the Wireshark site for testing.

When I don't use the -w flag I can see the output on the console showing me the http
Encrypted Application Data decoded; however, if I use the -w flag to decrypt it and
open the decrypted-data pcap file, it still shows as Encrypted data.
Shouldn't the new file be decrypted?


Output snippet if I don't use the "-w" flag:

$ ~/work/wireshark-0.99.7/tshark -V -r /tmp/rsasnakeoil2.cap -o "ssl.keys_list:127.0.0.1,443,http,/tmp/rsasnakeoil2.key" -o "ssl.debug_file:/tmp/debug.txt" > cap.txt

------------- you can see that frame 11's application data is visible -------------
Secure Socket Layer
    SSLv3 Record Layer: Application Data Protocol: http
        Content Type: Application Data (23)
        Version: SSL 3.0 (0x0300)
        Length: 432
        Encrypted Application Data: 4AC33E9D7778012CB4BC4C9A84D7B9900C2110F0FA007C16...
Hypertext Transfer Protocol
    GET / HTTP/1.1\r\n
        Request Method: GET
        Request URI: /
        Request Version: HTTP/1.1
    Host: localhost\r\n
    User-Agent: Mozilla/5.0 (X11; U; Linux i686; fr; rv:1.8.0.2) Gecko/20060308 Firefox/1.5.0.2\r\n
    Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5\r\n
    Accept-Language: fr,fr-fr;q=0.8,en-us;q=0.5,en;q=0.3\r\n
    Accept-Encoding: gzip,deflate\r\n
    Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7\r\n
    Keep-Alive: 300\r\n
    Connection: keep-alive\r\n
    \r\n

--------------------- end of sample ---------------------




Now if I use the "-w" flag, save the file and open the file in the Wireshark GUI, I
assumed that the application data should have been decrypted:

$ ~/work/wireshark-0.99.7/tshark -V -r /tmp/rsasnakeoil2.cap -o "ssl.keys_list:127.0.0.1,443,http,/tmp/rsasnakeoil2.key" -o "ssl.debug_file:/tmp/debug.txt" -F libpcap -w - > /tmp/test

--------------- here is what I see in the Wireshark GUI for frame 11 ---------------
Secure Socket Layer
    SSLv3 Record Layer: Application Data Protocol: http
        Content Type: Application Data (23)
        Version: SSL 3.0 (0x0300)
        Length: 408
        Encrypted Application Data: 842F81CCD99765C1AC2AC1B6CE9250D339BC7454C8A623FC...
--------------------- end ---------------------


Please help!


-Vishal Arya
www.vishalarya.in
_______________________________________________
Wireshark-users mailing list
Wireshark-users@wireshark.org
http://www.wireshark.org/mailman/listinfo/wireshark-users
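A worked example for the goal stated in the post (one file per session, as tcpflow would produce), added here and not part of the original post nor of Wireshark or tcpflow: tshark's -w writes the packets as they were captured, so the decrypted payload only exists in the dissected -V text. The script below therefore parses that -V output and writes the recovered HTTP start line and headers into one file per TCP flow and direction. It assumes the -V layout quoted above (an unindented "Frame N" line per packet, unindented protocol lines, HTTP header lines indented 4 spaces, field breakdowns indented 8); the embedded sample input is constructed from the frames quoted in the post (the client port 38713 and the reply frame are made up), the script name is hypothetical, and the flow naming only loosely imitates tcpflow's.

```python
# Added example for this thread (not from the original post, Wireshark or
# tcpflow): split the decrypted HTTP that `tshark -V` prints into one file per
# TCP flow. Assumes the -V layout quoted in the post: unindented "Frame N" and
# protocol lines, HTTP header lines indented 4 spaces, field breakdowns 8.
# Only start lines and headers are recovered; bodies are not reassembled.
import os
import re
from collections import OrderedDict

FRAME_RE = re.compile(r"^Frame (\d+)")
IP_RE = re.compile(r"^Internet Protocol.*\bSrc: ([0-9A-Fa-f.:]+).*\bDst: ([0-9A-Fa-f.:]+)")
TCP_RE = re.compile(r"^Transmission Control Protocol.*Src Port: (.*?), Dst Port: (.*?),")

# Constructed sample modelled on frame 11 of the post plus a made-up reply frame.
SAMPLE_VERBOSE = r"""Frame 11 (498 bytes on wire, 498 bytes captured)
Internet Protocol, Src: 127.0.0.1 (127.0.0.1), Dst: 127.0.0.1 (127.0.0.1)
Transmission Control Protocol, Src Port: 38713 (38713), Dst Port: 443 (443), Seq: 1, Ack: 1, Len: 432
Secure Socket Layer
    SSLv3 Record Layer: Application Data Protocol: http
        Encrypted Application Data: 4AC33E9D7778012CB4BC4C9A84D7B9900C2110F0FA007C16...
Hypertext Transfer Protocol
    GET / HTTP/1.1\r\n
        Request Method: GET
    Host: localhost\r\n
    Connection: keep-alive\r\n
    \r\n

Frame 13 (298 bytes on wire, 298 bytes captured)
Internet Protocol, Src: 127.0.0.1 (127.0.0.1), Dst: 127.0.0.1 (127.0.0.1)
Transmission Control Protocol, Src Port: 443 (443), Dst Port: 38713 (38713), Seq: 1, Ack: 433, Len: 232
Secure Socket Layer
    SSLv3 Record Layer: Application Data Protocol: http
        Encrypted Application Data: 842F81CCD99765C1AC2AC1B6CE9250D339BC7454C8A623FC...
Hypertext Transfer Protocol
    HTTP/1.1 200 OK\r\n
        Response Code: 200
    Content-Type: text/html\r\n
    \r\n
"""


def _port(field):
    # "38713 (38713)", "https (443)" and plain "443" all end in the numeric port
    return int(re.findall(r"\d+", field)[-1])


def _flush(flows, state, http_lines):
    # Store the HTTP text collected for one frame under a tcpflow-like flow name.
    if http_lines and all(k in state for k in ("src", "dst", "sport", "dport")):
        name = "%(src)s.%(sport)05d-%(dst)s.%(dport)05d" % state
        flows.setdefault(name, []).append((state["frame"], "\r\n".join(http_lines) + "\r\n"))


def parse_tshark_verbose(text):
    """Map flow name -> [(frame number, HTTP start line + headers)] from -V text."""
    flows, state, http_lines, in_http = OrderedDict(), {}, [], False
    for line in text.splitlines():
        m = FRAME_RE.match(line)
        if m:
            _flush(flows, state, http_lines)
            state, http_lines, in_http = {"frame": int(m.group(1))}, [], False
            continue
        m = IP_RE.match(line)
        if m:
            state["src"], state["dst"] = m.groups()
            continue
        m = TCP_RE.match(line)
        if m:
            state["sport"], state["dport"] = _port(m.group(1)), _port(m.group(2))
            continue
        if line.startswith("Hypertext Transfer Protocol"):
            in_http = True
        elif in_http and not line.startswith(" "):
            in_http = False                  # next protocol layer or end of frame
        elif in_http and not line.startswith("        "):
            header = line.strip()            # 4-space lines: start line and headers
            if header.endswith("\\r\\n"):
                header = header[:-4]         # tshark prints the CRLF literally
            if not header.startswith("["):   # skip annotations like [HTTP request 1/1]
                http_lines.append(header)
    _flush(flows, state, http_lines)
    return flows


def write_flows(flows, outdir):
    """Write each flow's recovered HTTP text to outdir/<flow name>; return the paths."""
    os.makedirs(outdir, exist_ok=True)
    paths = []
    for name, chunks in flows.items():
        path = os.path.join(outdir, name)
        with open(path, "wb") as fh:
            for _frame, http_text in chunks:
                fh.write(http_text.encode("latin-1"))
        paths.append(path)
    return paths


if __name__ == "__main__":
    import sys
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_VERBOSE
    for path in write_flows(parse_tshark_verbose(text), sys.argv[2] if len(sys.argv) > 2 else "flows"):
        print(path)
```

Run it as `python split_tshark_http.py cap.txt flows/` against the cap.txt produced by the first tshark command above; with no arguments it processes the embedded sample and writes the two flows into ./flows. Requests and responses land in separate files because, like tcpflow, the flow name is directional.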
