Wireshark-users: Re: [Wireshark-users] saving decrypted ssl capture file



From: Sake Blok <sake@xxxxxxxxxx>
Date: Wed, 6 Feb 2008 09:18:41 +0100

On Wed, Feb 06, 2008 at 12:49:35PM +0530, Vishal Arya wrote:
> Is there a way to open a capture file with encrypted ssl data and use the
> http server's rsa key to decrypt it and save it as a new decrypted capture
> file?

No, this is not possible. The decryption only decrypts the ssl packets
for displaying. The packets will stay the same, so saving them will
result in the same data in the capture file.

> I tried the below command but it did not work
> 
> $~/work/wireshark-0.99.7/tshark -V   -r /tmp/rsasnakeoil2.cap -o "
> ssl.keys_list:127.0.0.1,443,http,/tmp/rsasnakeoil2.key" -o"
> ssl.debug_file:/tmp/debug.txt" -F libpcap -w - > /tmp/test

Why did you use "-w -" and then ">", you could have used "-w /tmp/test"
straight away :-)

What you could do, and maybe you had that in mind already, is use
the "-V" flag (as you already did) and the "> /tmp/test" together
without the "-w -". That would result in a text file containing all
the output from Tshark, including the decrypted traffic. Of course
this file is a *text* file and not a binary *capture* file. So it
can't be used in tcpflow or any other utility that is able to
read libpcap files.

Cheers,
    Sake
