
How to decrypt TLS Packets using PyShark? #417

Closed
jeyabharathi12 opened this issue May 18, 2020 · 7 comments
Labels
old-auto-close Reopen if still relevant

Comments

@jeyabharathi12

I am able to decrypt TLS packets using wireshark as I have master key, but I want to know how to do using PyShark. How to decrypt TLS Packets using PyShark?

@mythly

mythly commented Jun 9, 2020

Has the same problem.
If it's not supported, is there any other programmable way to get decrypted plain text from TLS packets?

@DCMMC

DCMMC commented Jul 31, 2020

Please refer to argument override_prefs of FileCapture.
e.g.

import os
import pyshark
cap = pyshark.FileCapture(
    'google.pcap', use_json=True, include_raw=True,
    override_prefs={'ssl.keylog_file': os.path.abspath('sslkeys_google.log')},
    debug=True)

@skumar7777

Please refer to argument override_prefs of FileCapture.
e.g.

import os
import pyshark
cap = pyshark.FileCapture(
    'google.pcap', use_json=True, include_raw=True,
    override_prefs={'ssl.keylog_file': os.path.abspath('sslkeys_google.log')},
    debug=True)

Can you please help with accessing the decrypted data?

I am able to see the decrypted data in wireshark but not able to figure out how to see the decrypted data using pyshark, not sure if pyshark even decrypts it.

When I pretty print the packet, it shows the Encrypted Application Data as under.

Layer TLS:
TLSv1.2 Record Layer: Application Data Protocol: http-over-tls
Content Type: Application Data (23)
Version: TLS 1.2 (0x0303)
Length: 51
Encrypted Application Data: 19710...................................

I am using LiveCapture.

@August1328

August1328 commented Apr 29, 2021

I had the same problem and I found a solution for decrypting the TLS connections, so I hope this helps (I am not a Python pro...)

I was able to see the decrypted TLS traffic in Wireshark and after unsuccessfully trying to access it with pyshark I suddenly realized there are 2 new layers in Wireshark: Websocket and DATA-TEXT-LINES.

So I tried to access those two like the other layers and this finally worked: I was able to print the decrypted app data using the DATA-TEXT-LINES layer.

This is the code that works for me:

import pyshark
import os

capture = pyshark.FileCapture('C:/Users/xxxxxxx/py_gfua/files/26042021.pcapng',
                                display_filter='ip.src == xxx.xxx.xxx.xx',
                                override_prefs={'tls.keylog_file': os.path.abspath('./py_gfua/tlskey.log')},
                                debug=True)

for packet in capture:

    if "DATA-TEXT-LINES" in packet:

        #print(packet.layers)
        print(packet['DATA-TEXT-LINES'])

    else:
        print("whatever, not decrypted data")

2 hints:

  • on my OS (Win10), there is no error or warning if the tlskey file does not exist, you misspelled the file name or the path is incorrect! That is why I set debugging = true, please check thoroughly
  • please note the commented line "#print(packet.layers)". I left it in for you to see if your decryption works: My encrypted traffic had 4 layers: ETH Layer, IP Layer, TCP Layer, TLS Layer. After decryption there are 6 layers: ETH Layer, IP Layer, TCP Layer, TLS Layer, WEBSOCKET Layer, DATA-TEXT-LINES Layer

The decrypted data is printed like this:

Layer DATA-TEXT-LINES:
[truncated][{"xxxxxxxxxxxxxxxxxxxxxxxx....

Now to my question or problem: The data is 'truncated' because it is limited to 256 characters. Unfortunately my encrypted data is longer, appr. 1000 characters.

Does someone have a solution to print or access the whole data? It works in Wireshark but I'm stuck at getting it working using pyshark?

@eltonrosa

@August1328 I've got the same issue. Have you found a way around? It is strange enough that the data downloaded doesn't come truncated already. In Wireshark it is quite straightforward to decompress them and avoid truncated losses.

@August1328

August1328 commented Oct 21, 2021

@eltonrosa I read a little further into the Wireshark documentation, but I did not solve this resp. I did not put too much effort into this since using the decrypted data was not 100% legal...

Anyways, I remember that I found out there is a max character limit and one should try to change this value in the program code and then recompile it - that's where I stopped. But I still got the link, hope this helps:

https://osqa-ask.wireshark.org/questions/62019/packet-data-being-truncated-in-columns/

@KimiNewt KimiNewt added the old-auto-close Reopen if still relevant label Jun 7, 2022
@KimiNewt KimiNewt closed this as completed Jun 7, 2022
@chribro88
Contributor

Does someone have a solution to print or access the whole data? It works in Wireshark but I'm stuck at getting it working using pyshark?

If you're using a proxy (and it's an HTTPS request) then there will be two HTTP layers.

import os
import pyshark

# placeholder key log path; tls.keylog_file lets tshark decrypt the TLS records
capture = pyshark.LiveCapture(override_prefs={'tls.keylog_file': os.path.abspath('tlskey.log')})
for packet in capture.sniff_continuously():
    http_layers = packet.get_multiple_layers('http')
    for http_layer in http_layers[::-1]:  # innermost (tunnelled) HTTP layer first
        if http_layer.has_field('file_data'):
            print(http_layer.file_data)
            break
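Two points in this thread deserve a worked example: August1328's hint that tshark gives no error when the key log file is missing or misspelled (so decryption silently never happens), and chribro88's loop that reads the decrypted body from the innermost HTTP layer. The script below is an added example written for this page, not code from the pyshark project or from any commenter. It validates a key log file against the NSS key log format that Wireshark consumes (the label names and the 32-byte client random / 48-byte master secret lengths are that format's spec; TLS 1.3 secret lengths vary with the cipher hash, so only hex-ness is checked for them), builds the override_prefs dict only when the file is present and well formed, and then reuses the get_multiple_layers/has_field pattern from the comment above. The sample key log lines are constructed from repeating bytes and are not real secrets; the pyshark import is deferred so the validators run without it.

```python
import os
import re

# NSS key log labels that tshark accepts in tls.keylog_file, mapped to the
# expected hex length of the second field (client random / premaster id) and
# the third field (secret). None means "any even-length hex": TLS 1.3 secret
# size depends on the cipher suite's hash, so only the format is checked.
KEYLOG_LABELS = {
    "RSA": (16, 96),
    "CLIENT_RANDOM": (64, 96),
    "CLIENT_EARLY_TRAFFIC_SECRET": (64, None),
    "EARLY_EXPORTER_MASTER_SECRET": (64, None),
    "CLIENT_HANDSHAKE_TRAFFIC_SECRET": (64, None),
    "SERVER_HANDSHAKE_TRAFFIC_SECRET": (64, None),
    "CLIENT_TRAFFIC_SECRET_0": (64, None),
    "SERVER_TRAFFIC_SECRET_0": (64, None),
    "EXPORTER_SECRET": (64, None),
}
HEX = re.compile(r"^[0-9a-fA-F]+$")


def keylog_problems(lines):
    """Return a list of human-readable problems; an empty list means every
    non-comment line is a well-formed key log entry."""
    problems = []
    for lineno, raw in enumerate(lines, 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split()
        if len(parts) != 3:
            problems.append(f"line {lineno}: expected 3 fields, got {len(parts)}")
            continue
        label, first, secret = parts
        if label not in KEYLOG_LABELS:
            problems.append(f"line {lineno}: unknown label {label!r}")
            continue
        want_first, want_secret = KEYLOG_LABELS[label]
        for name, value, want in (("random", first, want_first), ("secret", secret, want_secret)):
            if not HEX.match(value) or len(value) % 2:
                problems.append(f"line {lineno}: {name} is not even-length hex")
            elif want is not None and len(value) != want:
                problems.append(f"line {lineno}: {name} has {len(value)} hex chars, expected {want}")
    return problems


def keylog_prefs(path):
    """Build the override_prefs dict for pyshark, refusing a missing or
    malformed key log instead of letting tshark silently decrypt nothing."""
    if not os.path.isfile(path):
        raise FileNotFoundError(f"key log file not found: {path}")
    with open(path, encoding="ascii") as fh:
        problems = keylog_problems(fh)
    if problems:
        raise ValueError("malformed key log:\n" + "\n".join(problems))
    return {"tls.keylog_file": os.path.abspath(path)}


def decrypted_http_bodies(pcap_path, keylog_path):
    """Yield decrypted HTTP bodies (file_data) from a capture, innermost HTTP
    layer first so a proxied CONNECT tunnel yields the inner request."""
    import pyshark  # deferred so the validators above work without pyshark
    capture = pyshark.FileCapture(pcap_path, override_prefs=keylog_prefs(keylog_path))
    try:
        for packet in capture:
            for http_layer in packet.get_multiple_layers("http")[::-1]:
                if http_layer.has_field("file_data"):
                    yield http_layer.file_data
                    break
    finally:
        capture.close()


# Constructed sample lines (fake, repeating bytes); not real session secrets.
SAMPLE_GOOD = [
    "# SSL/TLS secrets log file, generated by a hypothetical client",
    "CLIENT_RANDOM " + "aa" * 32 + " " + "bb" * 48,
    "CLIENT_TRAFFIC_SECRET_0 " + "cc" * 32 + " " + "dd" * 32,
]
SAMPLE_BAD = [
    "CLIENT_RANDOM " + "aa" * 32 + " " + "bb" * 47,   # master secret one byte short
    "MASTER_SECRET " + "aa" * 32 + " " + "bb" * 48,   # label tshark does not know
    "CLIENT_RANDOM zz " + "bb" * 48,                  # client random is not hex
]

if __name__ == "__main__":
    print("good:", keylog_problems(SAMPLE_GOOD))
    print("bad:", *keylog_problems(SAMPLE_BAD), sep="\n  ")
```

Run the validator before starting a capture, not after: with the file checked up front, an empty result from decrypted_http_bodies() means the secrets genuinely do not match the sessions in the pcap, rather than a typo in the path. Note that tshark still treats each CLIENT_RANDOM line as matching only the session with that exact client random, so a key log from a different client or run will validate but decrypt nothing.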

8 participants