Decrypted TLS packets #6

Closed
bubbasnmp opened this issue May 19, 2022 · 2 comments

Comments

@bubbasnmp

Follow up to #5

  1. Any plans to update the version in the Wireshark repository (tools/json2pcap/json2pcap.py)?
  2. Is json2pcap a possible solution to "Export PCAP containing decrypted traffic"?

The HTTP information is in the JSON output, but json2pcap produces a garbled pcap:

No.	Time	Source	Destination	Protocol	Length	Info
8	0.003271	1b:38:67:ef:04:a6	14:00:00:0c:85:90	0x4acc	201	Ethernet II
9	0.004183	e7:10:24:77:49:b5	14:00:00:0c:3b:fa	0xdcf1	301	Ethernet II
10	0.004814	48:54:54:50:2f:31	47:45:54:20:2f:20	0x2e30	119	Ethernet II
11	0.005169	2e:30:20:32:30:30	48:54:54:50:2f:31	0x206f	4427	Ethernet II

The output above is from the files dump.pcapng and premaster.txt from the Wireshark Wiki Sample Captures ("SSL with decryption keys").

@H21lab
Owner

H21lab commented May 20, 2022

json2pcap is a script which processes tshark jsonraw output (output from the CLI-based Wireshark) and assembles a pcap backwards from it. It is not a proper encoder; it just uses the raw hex dump of the dissected fields from the jsonraw output to assemble them in reverse order. What can be achieved has certain limitations, and the result depends on the input tshark JSON.

Wireshark and tshark have the capability to decrypt TLS/SSL or IPsec. Here are some links which could be useful.
https://tshark.dev/export/export_tls/
https://tshark.dev/packetcraft/add_context/tshark_decryption/
https://github.com/weigon/openssl-tls13-ping-pong#let-wireshark-decrypt-the-tls-packets-automatically

Here is a combined example from the above links:

# environment variable used by supporting applications (e.g. Firefox) to dump the TLS session secrets
export SSLKEYLOGFILE=/tmp/sslkey.log
# some URL where Firefox will connect
url='https://ss64.com/bash/nc.html'
# -a duration:5 stops the capture after 5 seconds, -Q suppresses output
sudo tshark -Q -a duration:5 -w /tmp/myfile.pcapng &
# wait 5 seconds for Firefox to access the content, then kill it
firefox --headless --private $url & ffpid=$!
sleep 5 && kill -9 $ffpid
# get objects from the pcap, decrypting with the key log file
tshark -Q --export-objects http,/tmp/obj -r /tmp/myfile.pcapng -o tls.keylog_file:$SSLKEYLOGFILE
# get a pcapng containing the secret keys, which is automatically decrypted by Wireshark
editcap --inject-secrets tls,/tmp/sslkey.log /tmp/myfile.pcapng /tmp/myfile-with-keys.pcapng
# produce tshark JSON; it now contains the decrypted HTTP/2 layer
tshark -T json -r /tmp/myfile-with-keys.pcapng

@bubbasnmp
Author

Thanks for looking at this.
--inject-secrets is great for tshark/Wireshark. The question on the Ask site was for apps that don't support TLS decryption.
I thought maybe the TLS layers could be removed from the JSON output; then json2pcap would place the HTTP on top of TCP.
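As an added check (not part of the issue thread), the colon-separated hex that Wireshark shows as MAC addresses in the garbled listing above can be decoded to see what json2pcap placed at frame offset 0. This assumes the standard Ethernet II rendering (destination 6 bytes, source 6 bytes, EtherType 2 bytes); the rows are copied from the listing in the issue.

```python
# Decode the first 14 bytes of each garbled frame from the Wireshark columns
# (Source / Destination / "Protocol") to find out what json2pcap wrote there.

HANDSHAKE_FINISHED = 0x14  # TLS handshake message type 20 (Finished)

# Rows constructed from the listing in the issue:
# (frame no, Source column, Destination column, EtherType column)
GARBLED_ROWS = [
    (8, "1b:38:67:ef:04:a6", "14:00:00:0c:85:90", 0x4ACC),
    (9, "e7:10:24:77:49:b5", "14:00:00:0c:3b:fa", 0xDCF1),
    (10, "48:54:54:50:2f:31", "47:45:54:20:2f:20", 0x2E30),
    (11, "2e:30:20:32:30:30", "48:54:54:50:2f:31", 0x206F),
]


def mac_to_bytes(mac: str) -> bytes:
    """Turn a colon-separated hex 'MAC' back into its six raw bytes."""
    return bytes.fromhex(mac.replace(":", ""))


def frame_head(src: str, dst: str, ethertype: int) -> bytes:
    """Rebuild the first 14 frame bytes in wire order: dst(6) src(6) type(2)."""
    return mac_to_bytes(dst) + mac_to_bytes(src) + ethertype.to_bytes(2, "big")


def classify(head: bytes) -> str:
    """Say what the leading frame bytes look like."""
    if all(0x20 <= b < 0x7F for b in head):
        # Every byte is printable ASCII: plaintext, not an Ethernet header.
        return "plaintext: " + head.decode("ascii")
    if head[0] == HANDSHAKE_FINISHED:
        # TLS handshake header: type (1 byte) + length (3 bytes), then verify_data.
        length = int.from_bytes(head[1:4], "big")
        return f"TLS handshake Finished, verify_data length {length}"
    return "unknown"


def diagnose(rows) -> dict:
    """Map frame number -> classification of its first 14 bytes."""
    return {no: classify(frame_head(src, dst, et)) for no, src, dst, et in rows}


if __name__ == "__main__":
    for no, verdict in diagnose(GARBLED_ROWS).items():
        print(no, verdict)
```

Frames 8 and 9 decode as decrypted TLS Finished handshake messages and frames 10 and 11 as plaintext HTTP, which is consistent with json2pcap writing the bytes of Wireshark's decrypted data source at the start of the frame rather than inside the TCP payload.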
