Join Log in
Score:0
avatar Server

Not able to decrypt traffic with tshark and curl

in flag
Sameer Naik
  • Run tshark in background tshark -i any -w file_name.pcap -f "(port 443 or port 10002)" on server machine
  • Run curl command on client machine after setting export SSLKEYLOGFILE=ssl_key_file_log.txt
  • curl exits, tshark process is terminated
  • Read generated pcap file using tshark -r file_name.pcap -o "ssl.keylog_file:ssl_key_file_log.txt" -o ssl.debug_file:debug.txt -Px > output.txt

Issue: output.txt does not contain decrypted packets. debug.txt shows following output for all packets.

dissect_ssl enter frame #28 (first time)
ssl_session_init: initializing ptr 0x7f3722d81240 size 696
  conversation = 0x7f3722d80eb0, ssl_session = 0x7f3722d81240
  record: offset = 0, reported_length_remaining = 164
dissect_ssl3_record found version 0x0303(TLS 1.2) -> state 0x10
dissect_ssl3_record: content_type 23 Application Data
decrypt_ssl3_record: app_data len 159, ssl state 0x10
association_find: TCP port 41480 found (nil)
packet_from_server: is from server - FALSE
decrypt_ssl3_record: using client decoder
decrypt_ssl3_record: no decoder available
association_find: TCP port 41480 found (nil)
association_find: TCP port 443 found 0x55a43957f280

How can I decrypt the https traffic in this case? Thanks!

112
0 + 1
fission avatar
in flag
fission
I think generally your procedure is okay. I tried it here and it worked (though I used `tcpdump` to capture my traffic). Maybe check that your `ssl_key_file_log.txt` contains a `CLIENT_RANDOM` entry. It might also be helpful to inspect that your capture contains only one TLS session (the one you are intending to decrypt). I would add additional capture filters to make sure that you are only capturing from your test client.
1
Reply
ธงชาติไทย
Elon Musk
I sit in a Tesla and translated this thread with Ai:

mangohost

Post an answer

Most people don’t grasp that asking a lot of questions unlocks learning and improves interpersonal bonding. In Alison’s studies, for example, though people could accurately recall how many questions had been asked in their conversations, they didn’t intuit the link between questions and liking. Across four studies, in which participants were engaged in conversations themselves or read transcripts of others’ conversations, people tended not to realize that question asking would influence—or had influenced—the level of amity between the conversationalists.