
I'm using scapy to read PCAP files via Python, which is fairly straightforward. For example, I'll open a PCAP via:

packets = rdpcap('Sample_PCAP.pcap')

I can then read through the file with a loop and look for specific layers or address packets individually.

packets[0].show()

I've also played around with the RawPcapReader function in scapy, which is another method to iterate through the PCAP.

I've searched far and wide and have not come across a good code example or tutorial that explains whether it is possible to read user plane information from PCAPs by applying encryption keys to it. In this case, the PCAPs I'm looking at do contain encrypted user plane information and I have the private RSA encryption keys to view the data in Wireshark (file extensions .pem and .key). These keys are configured to be used on the TLS layer looking for specific ports, IP addresses, and protocols.

How do I set up Scapy to make use of these keys in the same manner Wireshark does to give me access to the userplane information? Is this something Scapy supports?

Thanks for all and any help.

DrCeeDub
  • Knowledge of keys is only helpful if obsolete RSA encryption is used and even then you would need to have the full data stream including the TLS handshake and not just a single packet. For modern cryptography using DH key exchange you need to have the actual (pre)master secret which is specific for the TLS connection and can only be retrieved from the TLS endpoints. – Steffen Ullrich Feb 13 '20 at 16:27
  • Thanks for your reply, Steffen. This data is generated in a lab, so we have access to the information needed to decrypt the userplane. Using the keys in Wireshark I have access to the userplane information I'm after, but I want to access it outside of Wireshark using Scapy. What I want to do is automate this process to ingest PCAPs into python and extract relevant information. Can I do this via Scapy using the encryption keys I have? – DrCeeDub Feb 13 '20 at 16:32
  • If it works already using wireshark then why not automate it using tshark? Apart from that a [short search](https://www.google.com/search?q=scapy+tls+decrypt) turns up [scapy-ssl_tls](https://pypi.org/project/scapy-ssl_tls/1.1/) which according to the documentation should be able to do it. – Steffen Ullrich Feb 13 '20 at 17:38
  • Let me check scapy-ssl_tls out. I had not come across it in my own searching. I am considering using tshark but my first foray into it via Python was not particularly successful. – DrCeeDub Feb 13 '20 at 17:54
  • See this related question: https://stackoverflow.com/questions/51423507/how-to-extract-an-ssl-tls-message-using-scapy-and-python/ and https://github.com/secdev/scapy/issues/2201 – Pierz May 27 '20 at 13:52
