user1912594

Reputation: 365

TLS decryption using libpcap

I'd like to inspect network data from a recorded pcap file. Specifically, websockets traffic.

I'm using the Python websockets library as a client, if it matters. Anyway, I'm recording the whole session and setting the environment variable SSLKEYLOGFILE for my Python app.

I am able to see the decrypted data in Wireshark using the (Pre)-Master-Secret log filename.

I know how to use libpcap, but never had to decrypt TLS/SSL traffic. Basically, what I'd like to do is to decrypt packet by packet and process its data (along with the original pcap headers since I care about packet arrival times). I couldn't find anything online, and reverse-engineering Wireshark code seems cumbersome.

After the packet is decrypted I guess I'll write my own websockets dissector.

How should I approach it? Is there a solution in Python/C/C++ for this problem?

Is there any simple library that does that?

Upvotes: 4

Views: 1799

Answers (1)

Erik

Reputation: 410

Using Wireshark's code is the way to go if you want to decrypt TLS traffic using PCAP + SSLKEYLOGFILE.

The other option would be to use a TLS proxy, like SSLsplit or PolarProxy to create a PCAP file with decrypted websocket traffic (stripped of TLS). This allows you to read the decrypted packets using libpcap without using Wireshark's source code.

Upvotes: 4
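For a sense of what decrypting from PCAP + SSLKEYLOGFILE involves before any record is decrypted, the sketch below is an added example (not from the question or answer, and not Wireshark's code) that parses the NSS key log format and derives TLS 1.2 record keys per RFC 5246. Assumptions: the session negotiated a TLS 1.2 AES-128-GCM suite with the SHA-256 PRF, the client and server randoms have already been extracted from the handshake in the capture, and all function names and sample values are constructed for illustration.

```python
import hashlib
import hmac

# Constructed sample in NSS key log format (what SSLKEYLOGFILE produces); not real keys.
SAMPLE_KEYLOG = """\
# comment lines start with '#'
CLIENT_RANDOM {cr} {ms}
CLIENT_TRAFFIC_SECRET_0 {cr13} {ts}
""".format(cr="11" * 32, ms="22" * 48, cr13="33" * 32, ts="44" * 32)


def parse_keylog(text):
    """Return {client_random: {label: secret}} from key log text."""
    sessions = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 3 or line.startswith("#"):
            continue
        label, client_random, secret = parts
        try:
            cr, sec = bytes.fromhex(client_random), bytes.fromhex(secret)
        except ValueError:
            continue  # skip malformed line
        sessions.setdefault(cr, {})[label] = sec
    return sessions


def p_sha256(secret, seed, length):
    """P_SHA256 expansion function from RFC 5246 section 5."""
    out, a = b"", seed
    while len(out) < length:
        a = hmac.new(secret, a, hashlib.sha256).digest()
        out += hmac.new(secret, a + seed, hashlib.sha256).digest()
    return out[:length]


def tls12_gcm128_keys(master_secret, client_random, server_random):
    """Key block for TLS 1.2 AES-128-GCM: two 16-byte keys, two 4-byte salts."""
    seed = b"key expansion" + server_random + client_random
    kb = p_sha256(master_secret, seed, 40)
    return {"client_key": kb[0:16], "server_key": kb[16:32],
            "client_iv": kb[32:36], "server_iv": kb[36:40]}


def keys_for_session(keylog_text, client_random, server_random):
    """Look up a session by ClientHello random; None if it was not logged."""
    entry = parse_keylog(keylog_text).get(client_random, {})
    if "CLIENT_RANDOM" not in entry:
        return None  # missing, or a TLS 1.3 session (HKDF secrets, not handled here)
    return tls12_gcm128_keys(entry["CLIENT_RANDOM"], client_random, server_random)
```

Actual decryption still requires TCP reassembly, TLS record parsing and per-record nonce construction on top of these keys, which is the part Wireshark's dissector already implements.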
