tcpdump mailing list archives
Re: tcpdump-workers Digest, Vol 72, Issue 3
From: Michael Richardson <mcr () sandelman ca>
Date: Mon, 09 Jul 2018 00:06:51 -0400
Steve Bourland <sbourland () swri edu> wrote:
> If you have the server's certificate, wireshark has the capability to
I think you mean the server's private key.
> decrypt SSL traffic captured with tcpdump, but you must have the
> certificate and the start of the tcp session.
TLS 1.3 will break that as it always does PFS as I understand it.
TLS 1.2 with PFS will also break that, but it's not always on.
Thus, you will need the session keys.
There are ways to get that out of openssl, but in general, you need to break
the security of the system to see what's inside.
>> Message: 1
>> Date: Sun, 8 Jul 2018 10:53:40 +0530
>> From: Kaushal Shriyan <kaushalshriyan () gmail com>
>> To: guy () alum mit edu
>> Cc: tcpdump-workers () lists tcpdump org
>> Subject: Re: [tcpdump-workers] Packet capture of SSL traffic
>> Message-ID: <CAD7Ssm87j8SFKPC6Hxh+O3i8M0dtGoLzfZgjUnWqrzuDOZYj1w () mail gmail com>
>> Content-Type: text/plain; charset="UTF-8"
>>
>> Thanks! Guy Harris for the explanation. Are there any tools which can
>> decrypt SSL traffic once i do the packet capture of SSL traffic using
>> tcpdump?
>>
>> I look forward to hearing from you.
>>
>> Best Regards,
>>
>> Kaushal
>>
>> On Sat, Jul 7, 2018 at 6:23 AM Guy Harris <guy () alum mit edu> wrote:
>>
>>> On Jul 5, 2018, at 11:18 AM, Kaushal Shriyan
>>> <kaushalshriyan () gmail com> wrote:
>>>
>>> > Is there a way to run tcpdump to do packet capture on SSL traffic?
>>>
>>> Yes. Plug the machine running tcpdump into a network on which SSL
>>> traffic is being sent, in a fashion that allows it to see that
>>> traffic (bearing in mind, for example, that capturing third-party
>>> traffic on a switched network may be difficult or impossible), and
>>> run tcpdump, with the -w flag, so that it saves the traffic to a
>>> file, and either with no filter or with a filter that matches the SSL
>>> traffic.
>>>
>>> If you mean "is there a way to run tcpdump so that it can *dissect*
>>> SSL traffic", rather than just being able to put undissected raw
>>> packet contents, including SSL packets, into a file to be read by
>>> another program, the answer is "no" - tcpdump doesn't currently
>>> include the ability to decrypt SSL traffic.
>>>
>>> (I.e., there's more to being able to analyze traffic than just being
>>> able to capture it....)
_______________________________________________
tcpdump-workers mailing list
tcpdump-workers () lists tcpdump org
https://lists.sandelman.ca/mailman/listinfo/tcpdump-workers
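The workflow Michael describes, as an added example that is not code from the thread: when PFS rules out decrypting with the server's private key, tcpdump records the raw packets, a client you control writes its session secrets to a key log via the SSLKEYLOGFILE mechanism, and tshark decrypts with both. It assumes a curl build that honours SSLKEYLOGFILE and Wireshark 3.0 or later (where the preference is named tls.keylog_file); the key log validator only checks the file's format, not whether the secrets match the capture.

```shell
#!/bin/sh
# Added example (not code from the thread): tcpdump captures the raw
# packets, the client exports its session secrets, tshark decrypts.
# Assumptions: a curl build that honours SSLKEYLOGFILE, tshark from
# Wireshark 3.0+ (preference tls.keylog_file), a client you control.

# The NSS key log format Wireshark reads, one record per line:
#   CLIENT_RANDOM <64 hex> <96 hex>                   (TLS 1.2)
#   CLIENT_HANDSHAKE_TRAFFIC_SECRET <64 hex> <hex>    (TLS 1.3, one of several)
# Returns 0 when the file has at least one record and every record has a
# known label, a 32-byte client random and a hex secret.
keylog_valid() {
    awk '
        /^[[:space:]]*(#|$)/ { next }
        NF != 3 { bad = 1; exit }
        $1 !~ /^(CLIENT_RANDOM|CLIENT_EARLY_TRAFFIC_SECRET|CLIENT_HANDSHAKE_TRAFFIC_SECRET|SERVER_HANDSHAKE_TRAFFIC_SECRET|CLIENT_TRAFFIC_SECRET_0|SERVER_TRAFFIC_SECRET_0|EXPORTER_SECRET|EARLY_EXPORTER_SECRET)$/ { bad = 1; exit }
        length($2) != 64 || $2 !~ /^[0-9a-fA-F]+$/ { bad = 1; exit }
        $3 !~ /^[0-9a-fA-F]+$/ || length($3) % 2 { bad = 1; exit }
        { n++ }
        END { if (bad || n == 0) exit 1; exit 0 }
    ' "$1"
}

# Step 1: capture while the client runs. tcpdump only stores the raw
# packets; it cannot decrypt them (needs capture privileges).
capture_tls() {           # capture_tls <iface> <out.pcap>
    tcpdump -i "$1" -w "$2" 'tcp port 443'
}

# Step 2: run the client with SSLKEYLOGFILE set so it appends each
# session's secrets to the log; this is what makes PFS sessions readable.
fetch_with_keylog() {     # fetch_with_keylog <url> <keylog>
    SSLKEYLOGFILE="$2" curl -sS -o /dev/null "$1"
}

# Step 3: give tshark the capture and the key log; with the session
# secrets it decrypts PFS and TLS 1.3 sessions the server key alone cannot.
decrypt_capture() {       # decrypt_capture <in.pcap> <keylog>
    keylog_valid "$2" || { echo "unusable key log: $2" >&2; return 1; }
    tshark -r "$1" -o "tls.keylog_file:$2" -Y http -T fields \
        -e frame.number -e ip.src -e http.request.uri -e http.response.code
}
```

Run capture_tls in one terminal, fetch_with_keylog in another, then decrypt_capture on the resulting files; the same key log can be loaded in the Wireshark GUI under the TLS protocol preferences.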
