
List:       tcpdump-workers
Subject:    Re: [tcpdump-workers] tcpdump-workers Digest, Vol 72, Issue 3
From:       Michael Richardson <mcr () sandelman ! ca>
Date:       2018-07-09 4:06:51
Message-ID: 12534.1531109211 () localhost

Steve Bourland <sbourland@swri.edu> wrote:
    > If you have the server's certificate, wireshark has the capability to

I think you mean the server's private key.

    > decrypt SSL traffic captured with tcpdump, but you must have the
    > certificate and the start of the tcp session.

TLS 1.3 will break that as it always does PFS as I understand it.
TLS 1.2 with PFS will also break that, but it's not always on.
Thus, you will need the session keys.
There are ways to get that out of openssl, but in general, you need to break
the security of the system to see what's inside.

    >> Message: 1
    >> Date: Sun, 8 Jul 2018 10:53:40 +0530
    >> From: Kaushal Shriyan <kaushalshriyan@gmail.com>
    >> To: guy@alum.mit.edu
    >> Cc: tcpdump-workers@lists.tcpdump.org
    >> Subject: Re: [tcpdump-workers] Packet capture of SSL traffic
    >> Message-ID: <CAD7Ssm87j8SFKPC6Hxh+O3i8M0dtGoLzfZgjUnWqrzuDOZYj1w@mail.gmail.com>
    >> Content-Type: text/plain; charset="UTF-8"
    >> 
    >> Thanks, Guy Harris, for the explanation. Are there any tools which can
    >> decrypt SSL traffic once I do the packet capture of SSL traffic using
    >> tcpdump?
    >> 
    >> I look forward to hearing from you.
    >> 
    >> Best Regards,
    >> 
    >> Kaushal
    >> 
    >> On Sat, Jul 7, 2018 at 6:23 AM Guy Harris <guy@alum.mit.edu> wrote:
    >> 
    >>> On Jul 5, 2018, at 11:18 AM, Kaushal Shriyan
    >>> <kaushalshriyan@gmail.com> wrote:
    >>> 
    >>> > Is there a way to run tcpdump to do packet capture on SSL traffic?
    >>> 
    >>> Yes.  Plug the machine running tcpdump into a network on which SSL
    >>> traffic is being sent, in a fashion that allows it to see that
    >>> traffic (bearing in mind, for example, that capturing third-party
    >>> traffic on a switched network may be difficult or impossible), and
    >>> run tcpdump, with the -w flag, so that it saves the traffic to a
    >>> file, and either with no filter or with a filter that matches the SSL
    >>> traffic.
    >>> 
    >>> If you mean "is there a way to run tcpdump so that it can *dissect*
    >>> SSL traffic", rather than just being able to put undissected raw
    >>> packet contents, including SSL packets, into a file to be read by
    >>> another program, the answer is "no" - tcpdump doesn't currently
    >>> include the ability to decrypt SSL traffic.
    >>> 
    >>> (I.e., there's more to being able to analyze traffic than just being
    >>> able to capture it....)
    >> 
_______________________________________________
tcpdump-workers mailing list
tcpdump-workers@lists.tcpdump.org
https://lists.sandelman.ca/mailman/listinfo/tcpdump-workers
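Michael's point above (a capture made with the server's private key in hand is only decryptable when the session used static RSA key exchange; TLS 1.3 and any PFS suite need the per-session keys) can be checked per connection from the ServerHello. The Python below is an added example, not code from this thread or from tcpdump/Wireshark; the sample ServerHellos are constructed, and only a handful of cipher suite IDs are listed.

```python
import struct
# IANA cipher suite IDs: "rsa" = static RSA key transport (server private key suffices), "pfs" = ephemeral (EC)DHE.
CIPHER_SUITES = {
    0x009C: ("TLS_RSA_WITH_AES_128_GCM_SHA256", "rsa"),
    0x009E: ("TLS_DHE_RSA_WITH_AES_128_GCM_SHA256", "pfs"),
    0xC02F: ("TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256", "pfs"),
    0x1301: ("TLS_AES_128_GCM_SHA256", "pfs"),  # TLS 1.3 suites are always PFS
}

def parse_server_hello(record: bytes) -> dict:
    """Parse one TLS record carrying a ServerHello: negotiated version and suite."""
    ctype, _rec_ver, rec_len = struct.unpack("!BHH", record[:5])
    body = record[5:5 + rec_len]
    if ctype != 0x16 or body[0] != 0x02:
        raise ValueError("not a ServerHello handshake record")
    hs = body[4:4 + int.from_bytes(body[1:4], "big")]
    version = struct.unpack("!H", hs[:2])[0]
    pos = 2 + 32 + 1 + hs[34]          # legacy_version, random, session_id
    suite = struct.unpack("!H", hs[pos:pos + 2])[0]
    pos += 3                           # cipher_suite + compression_method
    if pos + 2 <= len(hs):             # extensions (absent in minimal TLS 1.2 hellos)
        end = pos + 2 + struct.unpack("!H", hs[pos:pos + 2])[0]
        pos += 2
        while pos + 4 <= end:
            etype, elen = struct.unpack("!HH", hs[pos:pos + 4])
            pos += 4
            if etype == 0x002B and elen == 2:  # supported_versions: TLS 1.3 keeps
                version = struct.unpack("!H", hs[pos:pos + 2])[0]  # legacy 0x0303 above
            pos += elen
    return {"version": version, "suite": suite}

def what_decryption_needs(record: bytes) -> str:
    """Does the server's private key suffice, or are per-session keys required?"""
    info = parse_server_hello(record)
    if info["version"] >= 0x0304:
        return "session keys (TLS 1.3 always uses an ephemeral key exchange)"
    name, kx = CIPHER_SUITES.get(info["suite"], ("unknown", "unknown"))
    if kx == "rsa":
        return "server private key (static RSA key exchange: %s)" % name
    if kx == "pfs":
        return "session keys (PFS: %s)" % name
    return "unknown cipher suite 0x%04x" % info["suite"]

def build_server_hello(suite: int, tls13: bool) -> bytes:
    # Constructed sample ServerHello (not from a real capture) for trying the parser.
    ext = b"\x00\x2b\x00\x02\x03\x04" if tls13 else b""   # supported_versions = 1.3
    hs = b"\x03\x03" + bytes(32) + b"\x00" + struct.pack("!H", suite) + b"\x00"
    hs += struct.pack("!H", len(ext)) + ext
    body = b"\x02" + len(hs).to_bytes(3, "big") + hs
    return b"\x16\x03\x03" + struct.pack("!H", len(body)) + body
```

Feed it the first handshake record sent by the server in a connection (for example extracted from a tcpdump -w file) to see whether the capture can be decrypted with the server's key or whether the session keys had to be exported from the endpoint.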