
I have a PCAP file containing SSL-encrypted HTTP traffic and the private key from the relevant web server. I'd like a PCAP file that contains the decrypted HTTP traffic to feed into a different tool. I've been able to get tshark to decrypt and display the HTTP protocol; however, when I output its results to a packet dump file, the file still contains the SSL-encrypted traffic. Can I use tshark to reconstruct and write a PCAP with the decrypted traffic?

I'm currently using the following command:

./tshark                                                                   \
  -o ssl.desegment_ssl_records:TRUE                                        \
  -o ssl.desegment_ssl_application_data:TRUE                               \
  -o ssl.keys_list:"127.0.0.1","443","http","../snakeoil/rsasnakeoil2.key" \
  -V -2 -R http                                                            \
  -r ../snakeoil/rsasnakeoil2.cap                                          \
  -w out.pca
Willi Ballenthin
  • This question is answered already here https://osqa-ask.wireshark.org/questions/37266/tshark-is-decrypting-data-but-output-pcap-file-still-has-encrypted-data Quote from the accepted answer:

    > Yep, that's expected, the data is only decrypted for display purposes, the packets written to the output file are those from the input that have passed any supplied filters.
    > Think about what you're asking for, the protocols in your capture were originally something like ethernet -> ip -> tcp -> ssl -> payload, and you now want to "remove" the ssl layer and end up with ethernet -> ip -> tcp -> payload, so

    – evandrix Jan 08 '19 at 08:52

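Since `-w` only ever writes the original (still encrypted) frames, the practical way to get the decrypted HTTP layer out of tshark is to have it emit the dissected fields as text (`-T fields`) or the reassembled bodies (`--export-objects`). The script below is an added example, not part of the original question; it assumes the Wireshark 1.x/2.x preference names used on this page (`ssl.*`; Wireshark 3.x renamed them to `tls.*`) and that the pcap and key paths contain no whitespace.

```shell
#!/bin/sh
# Added example: extract decrypted HTTP from an SSL pcap with tshark,
# without relying on -w (which writes the raw encrypted packets).

# Build the argument list for a "-T fields" run as one string.
# $1 pcap, $2 RSA private key (PEM), $3 server IP, $4 server port
decrypt_http_args() {
  pcap=$1; key=$2; host=$3; port=$4
  # keys_list format is ip,port,protocol,keyfile (no quotes around items)
  printf '%s' "-2 -R http \
-o ssl.desegment_ssl_records:TRUE \
-o ssl.desegment_ssl_application_data:TRUE \
-o ssl.keys_list:${host},${port},http,${key} \
-r ${pcap} -T fields -E header=y -E separator=/t \
-e frame.number -e ip.src -e ip.dst \
-e http.request.method -e http.request.uri -e http.response.code"
}

# Run tshark with the arguments above and print one decrypted HTTP
# request/response summary per line (tab-separated).
decrypt_http() {
  command -v tshark >/dev/null 2>&1 || { echo "tshark not found" >&2; return 127; }
  # shellcheck disable=SC2046  # intentional word splitting of the arg string
  tshark $(decrypt_http_args "$@")
}

# Write the decrypted HTTP bodies (HTML, images, ...) as files into $5.
export_http_bodies() {
  command -v tshark >/dev/null 2>&1 || { echo "tshark not found" >&2; return 127; }
  pcap=$1; key=$2; host=$3; port=$4; outdir=$5
  mkdir -p "$outdir"
  tshark -o ssl.desegment_ssl_records:TRUE \
         -o ssl.desegment_ssl_application_data:TRUE \
         -o "ssl.keys_list:${host},${port},http,${key}" \
         -r "$pcap" --export-objects "http,${outdir}" >/dev/null
}

# Usage: ./decrypt_http.sh capture.cap server.key 127.0.0.1 443
if [ $# -eq 4 ]; then
  decrypt_http "$@"
fi
```

Wireshark 3.x users should replace the `ssl.` prefix in the preference names with `tls.`; everything else stays the same.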
0 Answers