Wireshark-users: [Wireshark-users] how to convert ssl pcap to decrypted pcap file that can be used with tcpflow


From: "Vishal Arya" <aryavishal@xxxxxxx>
Date: Tue, 5 Feb 2008 19:43:04 +0530

I need to convert an HTTPS pcap file into a decrypted HTTP file so I can use it with tcpflow to create separate files for each session.
However, I am unable to achieve this. I am using the rsasnakeoil sample file from the Wireshark site for testing.

When I don't use the -w flag, I can see the output on the console showing the HTTP Encrypted Application Data decoded; however, if I use the -w flag to decrypt it and open the decrypted-data pcap file, it still shows as Encrypted Application Data.
Shouldn't the new file be decrypted?


Output snippet if I don't use the "-w" flag:

$~/work/wireshark-0.99.7/tshark -V   -r /tmp/rsasnakeoil2.cap -o "ssl.keys_list:127.0.0.1,443,http,/tmp/rsasnakeoil2.key" -o"ssl.debug_file:/tmp/debug.txt"  > cap.txt

-------------you can see that frame 11 application data is visible ---------------
Secure Socket Layer
    SSLv3 Record Layer: Application Data Protocol: http
        Content Type: Application Data (23)
        Version: SSL 3.0 (0x0300)
        Length: 432
        Encrypted Application Data: 4AC33E9D7778012CB4BC4C9A84D7B9900C2110F0FA007C16...
Hypertext Transfer Protocol
    GET / HTTP/1.1\r\n
        Request Method: GET
        Request URI: /
        Request Version: HTTP/1.1
    Host: localhost\r\n
    User-Agent: Mozilla/5.0 (X11; U; Linux i686; fr; rv:1.8.0.2) Gecko/20060308 Firefox/1.5.0.2\r\n
    Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5\r\n
    Accept-Language: fr,fr-fr;q=0.8,en-us;q=0.5,en;q=0.3\r\n
    Accept-Encoding: gzip,deflate\r\n
    Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7\r\n
    Keep-Alive: 300\r\n
    Connection: keep-alive\r\n
    \r\n

---------------------end of sample ----------------------------------------------------




Now, if I use the "-w" flag, save the file and open it in Wireshark, I assumed that the application data should have been decrypted:

$~/work/wireshark-0.99.7/tshark -V   -r /tmp/rsasnakeoil2.cap -o "ssl.keys_list:127.0.0.1,443,http,/tmp/rsasnakeoil2.key" -o"ssl.debug_file:/tmp/debug.txt" -F libpcap -w - > /tmp/test

---------------here is what I see in the Wireshark GUI for frame 11-------------------------------------------
Secure Socket Layer
    SSLv3 Record Layer: Application Data Protocol: http
        Content Type: Application Data (23)
        Version: SSL 3.0 (0x0300)
        Length: 408
        Encrypted Application Data: 842F81CCD99765C1AC2AC1B6CE9250D339BC7454C8A623FC...
---------------------end----------------------------------------------------------------------------------


Please help!!!


-Vishal Arya
www.vishalarya.in
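The behaviour described in the message above comes from what `-w` actually writes: tshark saves the raw frames it read, and SSL decryption with `ssl.keys_list` happens inside the dissector at display time, so the application-data record bodies on disk are the same ciphertext bytes whether or not a key was supplied. The script below is an added example, written for this page; it is not the poster's code and not part of Wireshark or tcpflow. It builds a small constructed libpcap file in memory (Ethernet/IPv4/TCP frames carrying fake SSLv3 records, with a body borrowed from the hex shown in the post), then does what tcpflow does with such a file: reassembles TCP payload per flow and parses the SSL record layer. The function and variable names (`build_frame`, `split_flows`, `tls_records`, `flow_contains`, `SAMPLE_PCAP`) are this example's own.

```python
import struct

# Constants from the libpcap and SSL/TLS record-layer formats.
PCAP_MAGIC = 0xA1B2C3D4          # little-endian, microsecond timestamps
LINKTYPE_ETHERNET = 1
TLS_APPLICATION_DATA = 23
RECORD_NAMES = {20: "Change Cipher Spec", 21: "Alert", 22: "Handshake", 23: "Application Data"}


def _ipv4_checksum(header: bytes) -> int:
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_frame(src_ip, dst_ip, sport, dport, payload, seq=1):
    """Constructed Ethernet/IPv4/TCP frame carrying `payload` (test data, not real traffic)."""
    tcp = struct.pack("!HHIIBBHHH", sport, dport, seq, 0, 5 << 4, 0x18, 65535, 0, 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0x4000, 64, 6, 0,
                     bytes(map(int, src_ip.split("."))), bytes(map(int, dst_ip.split("."))))
    ip = ip[:10] + struct.pack("!H", _ipv4_checksum(ip)) + ip[12:]
    eth = b"\x00\x11\x22\x33\x44\x55" + b"\x66\x77\x88\x99\xaa\xbb" + b"\x08\x00"
    return eth + ip + tcp


def build_pcap(frames):
    """Constructed libpcap file: a global header plus raw frames, which is all `-w` stores."""
    out = struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, 65535, LINKTYPE_ETHERNET)
    for i, frame in enumerate(frames):
        out += struct.pack("<IIII", 1202220000 + i, 0, len(frame), len(frame)) + frame
    return out


def iter_pcap_frames(data):
    """Yield each raw frame from a little-endian libpcap file."""
    (magic,) = struct.unpack_from("<I", data, 0)
    if magic != PCAP_MAGIC:
        raise ValueError("only little-endian libpcap with microsecond timestamps is handled")
    off = 24
    while off + 16 <= len(data):
        _, _, incl_len, _ = struct.unpack_from("<IIII", data, off)
        off += 16
        yield data[off:off + incl_len]
        off += incl_len


def split_flows(pcap_bytes):
    """Concatenate TCP payload per unidirectional flow, as tcpflow does, from the raw frames."""
    flows = {}
    for frame in iter_pcap_frames(pcap_bytes):
        if frame[12:14] != b"\x08\x00" or frame[23] != 6:   # IPv4 over Ethernet, TCP only
            continue
        ihl = (frame[14] & 0x0F) * 4
        total_len = struct.unpack_from("!H", frame, 16)[0]
        src = ".".join(map(str, frame[26:30]))
        dst = ".".join(map(str, frame[30:34]))
        tcp_off = 14 + ihl
        sport, dport = struct.unpack_from("!HH", frame, tcp_off)
        data_off = (frame[tcp_off + 12] >> 4) * 4
        payload = frame[tcp_off + data_off:14 + total_len]
        key = (src, sport, dst, dport)
        flows[key] = flows.get(key, b"") + payload
    return flows


def tls_records(stream):
    """Parse SSL/TLS records: type(1) version(2) length(2) followed by the opaque body."""
    records, off = [], 0
    while off + 5 <= len(stream):
        ctype, version, length = struct.unpack_from("!BHH", stream, off)
        body = stream[off + 5:off + 5 + length]
        if len(body) < length:      # truncated record at end of capture
            break
        records.append((ctype, version, body))
        off += 5 + length
    return records


def flow_contains(pcap_bytes, needle):
    """True if `needle` occurs in any reassembled TCP flow of the file (the tcpflow view)."""
    return any(needle in stream for stream in split_flows(pcap_bytes).values())


def report(pcap_bytes):
    lines = []
    for (src, sport, dst, dport), stream in split_flows(pcap_bytes).items():
        for ctype, version, body in tls_records(stream):
            lines.append("%s:%d -> %s:%d  %s (%d), version 0x%04x, %d opaque body bytes"
                         % (src, sport, dst, dport, RECORD_NAMES.get(ctype, "unknown"),
                            ctype, version, len(body)))
    return lines


# Constructed sample: two SSLv3 Application Data records on 127.0.0.1:443. The client
# body reuses the first 16 bytes of the ciphertext shown in the post; it is never plaintext.
CIPHERTEXT = bytes.fromhex("4AC33E9D7778012CB4BC4C9A84D7B990")
SAMPLE_PCAP = build_pcap([
    build_frame("127.0.0.1", "127.0.0.1", 40001, 443,
                struct.pack("!BHH", TLS_APPLICATION_DATA, 0x0300, len(CIPHERTEXT)) + CIPHERTEXT),
    build_frame("127.0.0.1", "127.0.0.1", 443, 40001,
                struct.pack("!BHH", TLS_APPLICATION_DATA, 0x0300, 8) + b"\x11" * 8),
])

if __name__ == "__main__":
    print("\n".join(report(SAMPLE_PCAP)))
    print("HTTP request visible in file:", flow_contains(SAMPLE_PCAP, b"GET / HTTP/1.1"))
```

Run it and the report lists only Application Data records whose bodies are the bytes that were on the wire; `flow_contains(SAMPLE_PCAP, b"GET / HTTP/1.1")` is False because nothing in a `-w` output file holds the decrypted request. Pointing `split_flows` at a real file written by `tshark -w` shows the same thing, which is why feeding that file to tcpflow yields ciphertext per session rather than HTTP.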