I want to decrypt TLS traffic in a pcap file using scapy by providing the certificate and private key. But I don't have a clue how to do it without using wireshark or tshark. Could someone give me some suggestions? Thanks in advance.
The three things you might want to look at are:
- TLSSession: https://scapy.readthedocs.io/en/latest/usage.html?highlight=tlssession#advanced-sniffing-sniffing-sessions - i.e. how to dissect "on-the-flow" using a session in Scapy
- Scapy's TLS notebooks: https://github.com/secdev/scapy/tree/master/doc/notebooks/tls - they have pretty detailed explanations and examples regarding dissection/decryption
- This test case in scapy: https://github.com/secdev/scapy/blob/3040f6d705176731494a7bcf76b820f077716729/test/tls.uts#L1166-L1218 that puts it all together.
The key steps are (from the last test case):
>>> from scapy.all import sniff, load_layer
>>> load_layer("tls")  # registers the TLS dissectors plus PrivKeyRSA and TLSSession
>>> key = PrivKeyRSA("srv_key.pem")  # the server's private key (PEM)
>>> res = sniff(offline="tls.pcap", session=TLSSession(server_rsa_key=key))
Obviously this only makes sense when using RSA and not Diffie-Hellman. Good luck!

Bruno Rohée

Cukic0d
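A worked version of those steps, added here and not part of the answer or of Scapy itself: it first reads the cipher suite out of a raw ServerHello record (pure Python) so you know whether the server's RSA key can recover the session at all, then replays the capture through TLSSession and collects the decrypted application data. The paths tls.pcap and srv_key.pem are the answer's placeholder names, and the cipher-suite sets are a constructed subset of the IANA registry.

```python
"""Decrypt a TLS capture with Scapy's TLSSession, after checking the key exchange.
Only RSA key exchange can be decrypted from the server's private key; (EC)DHE
suites derive a per-session secret the key cannot recover."""
import struct

# Constructed subset of IANA cipher suite ids: TLS_RSA_WITH_* versus DHE/ECDHE/TLS 1.3.
RSA_KX_SUITES = {0x002F, 0x0035, 0x003C, 0x009C, 0x009D}
EPHEMERAL_SUITES = {0x009E, 0x009F, 0xC02F, 0xC030, 0x1301}


def server_hello_suite(record: bytes) -> int:
    """Return the cipher suite id the server chose, from a raw ServerHello TLS record."""
    # Record header: type(1) version(2) length(2); handshake header: type(1) length(3).
    if len(record) < 9 or record[0] != 0x16 or record[5] != 0x02:
        raise ValueError("not a ServerHello record")
    body = record[9:]
    # ServerHello body: version(2) random(32) session_id_len(1) session_id cipher(2).
    sid_len = body[34]
    return struct.unpack("!H", body[35 + sid_len:37 + sid_len])[0]


def can_decrypt_with_server_key(record: bytes) -> bool:
    """True only when the premaster secret was RSA-encrypted to the server key."""
    return server_hello_suite(record) in RSA_KX_SUITES


def build_server_hello(suite: int, session_id: bytes = b"") -> bytes:
    """Constructed TLS 1.2 ServerHello record (zeroed random, null compression)."""
    body = (b"\x03\x03" + bytes(32) + bytes([len(session_id)]) + session_id
            + struct.pack("!H", suite) + b"\x00")
    handshake = b"\x02" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x03" + struct.pack("!H", len(handshake)) + handshake


def decrypt_app_data(pcap_path: str, key_path: str) -> list:
    """Replay the capture through TLSSession with the server RSA key and return the
    decrypted application-data payloads (Scapy is imported only when this runs)."""
    from scapy.all import sniff, load_layer
    load_layer("tls")  # registers the TLS dissectors on port 443
    from scapy.layers.tls.cert import PrivKeyRSA
    from scapy.layers.tls.session import TLSSession
    from scapy.layers.tls.record import TLS, TLSApplicationData
    pkts = sniff(offline=pcap_path, session=TLSSession(server_rsa_key=PrivKeyRSA(key_path)))
    out = []
    for p in pkts:
        tls = p.getlayer(TLS)
        while tls is not None:  # one TCP segment may carry several TLS records
            out.extend(bytes(m.data) for m in tls.msg if isinstance(m, TLSApplicationData))
            tls = tls.payload.getlayer(TLS)
    return out


if __name__ == "__main__":
    print(decrypt_app_data("tls.pcap", "srv_key.pem"))
```

Run the cipher-suite check on the ServerHello first: if it reports an ephemeral suite, no amount of server-key material will decrypt that capture, which is the caveat at the end of the answer.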