  • Run tshark in the background on the server machine: `tshark -i any -w file_name.pcap -f "(port 443 or port 10002)"`
  • On the client machine, run `export SSLKEYLOGFILE=ssl_key_file_log.txt` and then the curl command
  • After curl exits, terminate the tshark process
  • Read the generated pcap file with `tshark -r file_name.pcap -o "ssl.keylog_file:ssl_key_file_log.txt" -o ssl.debug_file:debug.txt -Px > output.txt`

Issue: output.txt does not contain decrypted packets. debug.txt shows the following output for all packets.

dissect_ssl enter frame #28 (first time)
ssl_session_init: initializing ptr 0x7f3722d81240 size 696
  conversation = 0x7f3722d80eb0, ssl_session = 0x7f3722d81240
  record: offset = 0, reported_length_remaining = 164
dissect_ssl3_record found version 0x0303(TLS 1.2) -> state 0x10
dissect_ssl3_record: content_type 23 Application Data
decrypt_ssl3_record: app_data len 159, ssl state 0x10
association_find: TCP port 41480 found (nil)
packet_from_server: is from server - FALSE
decrypt_ssl3_record: using client decoder
decrypt_ssl3_record: no decoder available
association_find: TCP port 41480 found (nil)
association_find: TCP port 443 found 0x55a43957f280

How can I decrypt the https traffic in this case? Thanks!

Sameer Naik
    I think generally your procedure is okay. I tried it here and it worked (though I used `tcpdump` to capture my traffic). Maybe check that your `ssl_key_file_log.txt` contains a `CLIENT_RANDOM` entry. It might also be helpful to inspect that your capture contains only one TLS session (the one you are intending to decrypt). I would add additional capture filters to make sure that you are only capturing from your test client. – fission Mar 26 '23 at 05:17
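Added example (shell), not code from the original question nor from the Wireshark or curl projects: the capture-then-decrypt sequence from the question, with a check after each step. It assumes tshark 3.0 or newer (which renamed the `ssl` dissector to `tls`, so the preference names are `tls.keylog_file` and `tls.debug_file`), a curl built against a TLS backend that honours SSLKEYLOGFILE (OpenSSL and GnuTLS do), and placeholder host, port and file names. The two checks target what the debug output above leaves open: whether the keylog file contains any usable entries, and whether the ClientHello of the session is in the capture at all. The log shows `ssl_session_init` being called for the first time on an Application Data record, with state 0x10 (version known, no client random, no cipher suite), which is how the dissector logs a session whose handshake it never saw; comparing the client randoms in the pcap with those in the keylog shows directly which sessions can be decrypted.

```shell
#!/bin/sh
# Added example; not code from the original question. Assumes tshark >= 3.0 (tls.*
# preference and field names), a curl whose TLS backend honours SSLKEYLOGFILE, and
# placeholder host/port/file names.

# Count keylog lines Wireshark can use: "<LABEL> <64 hex chars client random> <hex secret>".
# TLS 1.2 writes one CLIENT_RANDOM line per session; TLS 1.3 writes the *_TRAFFIC_SECRET
# lines instead. Zero usable lines means curl never wrote the file (wrong path, or a
# TLS backend that ignores the variable). "|| true" keeps the 0 printed by grep -c.
keylog_usable_lines() {
    grep -cE '^(CLIENT_RANDOM|CLIENT_HANDSHAKE_TRAFFIC_SECRET|SERVER_HANDSHAKE_TRAFFIC_SECRET|CLIENT_TRAFFIC_SECRET_0|SERVER_TRAFFIC_SECRET_0|EXPORTER_SECRET) [0-9A-Fa-f]{64} [0-9A-Fa-f]+$' "$1" || true
}

# Client randoms named in the keylog (second column of every label), lowercase, unique.
keylog_client_randoms() {
    awk 'length($2) == 64 && $2 ~ /^[0-9A-Fa-f]+$/ { print tolower($2) }' "$1" | LC_ALL=C sort -u
}

# Client randoms of every ClientHello in the capture (needs tshark). Normalised to
# lowercase hex without separators so it compares with the keylog column.
pcap_client_randoms() {
    tshark -r "$1" -Y 'tls.handshake.type == 1' -T fields -e tls.handshake.random \
        | tr -d ':' | tr 'A-F' 'a-f' | LC_ALL=C sort -u
}

# $1 = keylog file, $2 = file of client randoms taken from the capture (one per line).
# Prints the randoms present in both: only those sessions have both the handshake and
# the secrets, so only those can be decrypted. An empty result with a non-empty keylog
# means the handshake is missing from the pcap, which matches the debug log above.
matching_randoms() {
    k=$(mktemp); p=$(mktemp)
    keylog_client_randoms "$1" > "$k"
    LC_ALL=C sort -u "$2" > "$p"
    LC_ALL=C comm -12 "$k" "$p"
    rm -f "$k" "$p"
}

# The full procedure from the question. $1 = server host, $2 = port, $3 = output dir.
capture_and_decrypt() {
    host=$1; port=$2; dir=$3
    pcap=$dir/capture.pcap; keylog=$dir/sslkeys.log; debug=$dir/tls_debug.txt

    # Narrow the capture filter to the test connection so other TLS sessions stay out.
    tshark -i any -w "$pcap" -f "tcp port $port" &
    tpid=$!
    sleep 2                      # let tshark attach before the ClientHello goes out

    # curl writes the secrets as the handshake completes. Add -k for a self-signed test cert.
    SSLKEYLOGFILE=$keylog curl -sS -o /dev/null "https://$host:$port/"

    sleep 1                      # let the last records reach the capture file
    kill "$tpid"                 # SIGTERM: background jobs in sh ignore SIGINT
    wait "$tpid"

    echo "usable keylog lines: $(keylog_usable_lines "$keylog")"
    pcap_client_randoms "$pcap" > "$dir/pcap_randoms.txt"
    echo "ClientHellos in capture: $(wc -l < "$dir/pcap_randoms.txt")"
    echo "sessions with handshake and keys:"
    matching_randoms "$keylog" "$dir/pcap_randoms.txt"

    # Decrypt on read. -Y http keeps only frames that actually decrypted to HTTP, so an
    # empty decrypted.txt is an unambiguous failure signal; tls_debug.txt says why.
    tshark -r "$pcap" -o "tls.keylog_file:$keylog" -o "tls.debug_file:$debug" \
        -Y 'http' -Px > "$dir/decrypted.txt"
}
```

Run it as `capture_and_decrypt 127.0.0.1 10002 /tmp/tlsdbg` on the machine that runs both the capture and the client; if the client is a different host, the keylog file must be copied to wherever the read step runs, and the path given to `tls.keylog_file` must be the path on that machine. The two checks are deliberately independent of tshark's own decryption so that a failure can be attributed to either side: no usable keylog lines points at curl, a keylog random with no matching ClientHello in the pcap points at the capture.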

0 Answers