
I am analysing a capture of encrypted traffic with wireshark. I have decrypted the traffic with the proper passphrase in wireshark and I can see the decrypted data of each frame.

The point is that if I search a packet for a certain string I cannot find it, even though I am certain the string is decrypted, given that I can see such data in the decrypted data of a frame.

I have already tried to search in packet bytes/list/details with the string option, and I have also searched by hex value, without success.

A workaround that came to mind consists of using tshark to decrypt the traffic and write a hexdump to a text file, and then using grep to find the string. However, this is not a nice approach.

How would you find a string with wireshark on a decrypted traffic capture?

  • Can you give more detail about why the usual search feature doesn't work?
    Commented Oct 3, 2018 at 11:47
  • This is not a security question. This appears to be a Wireshark use question.
    – schroeder
    Commented Oct 3, 2018 at 12:39
  • It looks like it only searches on the encrypted data even though the data is shown in both ways (encrypted and decrypted). For example, I am able to find strings or hex values that are available in the encrypted data.
    – crato
    Commented Oct 3, 2018 at 13:18
  • According to what you say this may be a bug. The right place to ask the question is on the Wireshark forums.
    – harrymc
    Commented Oct 3, 2018 at 13:51

1 Answer

The find feature only works on dissected fields, and the decrypted data, if not handed to a dissector for interpretation, won't have any dissected fields. So, you can either write a dissector for the decrypted data, or you should at least be able to use a display filter such as data contains "some string" to find the packets containing your string of interest.
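A small model of that display-filter check, added here as an illustration and not Wireshark's own code: it evaluates a data contains expression in both operand forms the filter language accepts (a double-quoted string, or a byte string written as hex pairs) against constructed decrypted payloads, so you can see how the same match is expressed when the bytes of interest are not printable. The frame numbers and payloads are made up for the example.

```python
import re

# Constructed sample: decrypted payloads as Wireshark would expose them in the
# "data" field after decryption, keyed by frame number (made up for this example).
DECRYPTED_FRAMES = {
    1: b"GET /index.html HTTP/1.1\r\nHost: example.test\r\n",
    2: b"\x00\x10some string\x00\x00",
    3: b"unrelated payload",
}


def parse_contains_operand(operand: str) -> bytes:
    """Turn the right-hand side of a 'contains' expression into bytes.

    Two operand forms are handled, mirroring the filter language:
      "some string"   - quoted string, \\xNN escapes allowed inside
      73:6f:6d:65     - hex byte string, pairs separated by ':' or spaces
    """
    operand = operand.strip()
    if len(operand) >= 2 and operand[0] == '"' and operand[-1] == '"':
        body = operand[1:-1]
        # Expand \xNN escapes so non-printable bytes can be searched for too.
        expanded = re.sub(r"\\x([0-9a-fA-F]{2})",
                          lambda m: chr(int(m.group(1), 16)), body)
        return expanded.encode("latin-1")
    pairs = re.split(r"[:\s]+", operand)
    if pairs and all(re.fullmatch(r"[0-9a-fA-F]{2}", p) for p in pairs):
        return bytes(int(p, 16) for p in pairs)
    raise ValueError(f"unsupported contains operand: {operand!r}")


def data_contains(frames: dict, expression: str) -> list:
    """Return the frame numbers whose decrypted payload matches
    a 'data contains <operand>' expression (model of the display filter)."""
    m = re.fullmatch(r"\s*data\s+contains\s+(.+?)\s*", expression)
    if not m:
        raise ValueError(f"not a 'data contains' expression: {expression!r}")
    needle = parse_contains_operand(m.group(1))
    # The match is a plain byte-sequence search over the field's bytes,
    # which is what makes it work where a search of the raw frame does not.
    return [num for num, payload in frames.items() if needle in payload]


if __name__ == "__main__":
    print(data_contains(DECRYPTED_FRAMES, 'data contains "some string"'))
    print(data_contains(DECRYPTED_FRAMES, "data contains 73:6f:6d:65"))
```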
