
I have a packet encrypted with TLS in a .pcap file. I also have the private key in a .priv file.

How can I decrypt the .pcap file using Wireshark? I tried going to Edit -> Preferences -> Protocols -> SSL -> Edit -> New, but I am not sure what to enter for the IP address and port.

How can I display the corresponding packet in Wireshark to find out the port and IP address? Is this the right way to decrypt the .pcap file in Wireshark using the private key?


1 Answer


I haven't done this myself, but after a Google search I found this tutorial. You don't need to do every step; jump right to the "Decrypt https" part: Write-up Codegate 2010 #7 - Decrypting HTTPS SSL/TLSv1 using RSA 768bits with Wireshark

I will add the relevant information nevertheless:

Decrypt https

Open Wireshark preferences file:

  • on Linux: ~/.wireshark/preferences
  • on Windows: C:\Documents and Settings\<user>\Application Data\Wireshark\preferences

Inform Wireshark that you want it to desegment SSL records and application data, and give it the private certificate for the https server we observed (192.168.100.4):

  ssl.desegment_ssl_records: TRUE
  ssl.desegment_ssl_application_data: TRUE
  ssl.keys_list: 192.168.100.4,443,http,/home/stalkr/codegate/7/private.pem

Fix the path to the private certificate accordingly; on Windows use regular slashes (/).

Again, launch Wireshark and open the capture file. We can now see the application data: an HTTP GET request to index.html, and the response containing the flag.

Have a look and let us know.

Notes:

  • All this information belongs to "StalkR's Blog" and I have added it here for convenience. Consider visiting the full blog entry, since he may add some extra steps.

  • Wireshark has changed the naming from SSL to TLS.

  • Thanks greatly for the help! I understand it better; however, when I tried putting in the details, it doesn't convert to HTTP, it instead says Encryption Alert. I think I might be putting in the wrong IP address and port no. Which src address do we use? For instance, in the above picture how do we know to use 192.168.100.4 instead of 192.168.100.2, and is the port no. always 443? This video also helped me: youtube.com/watch?v=vQtur8fqErI and this link: wiki.wireshark.org/SSL . Please clarify.
    – user37375
    Commented Jan 22, 2014 at 1:36
  • Any sources on how to do this in Unix?
    – vbNewbie
    Commented Oct 11, 2016 at 16:09
  • This can be found in the UI under Edit > Preferences > Protocol > SSL
    Commented Feb 7, 2017 at 11:51
  • And it's called TLS now
    Commented Mar 22, 2023 at 13:07
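The comment above asks which address and port to put in the keys_list entry. The rule the answer's config line follows is: the address is the TLS server (the destination of the ClientHello, i.e. the side the client connects to), and the port is whatever port that server listened on, not necessarily 443. The example below is added here and is not from the original answer or from StalkR's blog; it parses a classic pcap in pure Python (Ethernet/IPv4/TCP only), finds the ClientHello/ServerHello pairs, reports the server IP:port, and prints a ready-made keys_list line in the format the answer shows. The pcap bytes, addresses and the key path are constructed for the demonstration. It also checks the negotiated cipher suite against a small list of plain-RSA key-exchange suites, because the server's private key can only decrypt sessions that used RSA key exchange; a forward-secret (DHE/ECDHE) suite will still show only encrypted records in Wireshark, which is one common cause of the "Encrypted Alert" the commenter saw.

```python
"""Find TLS server endpoints in a pcap and emit a Wireshark keys_list line (added example)."""
import struct

# Plain-RSA key-exchange suites (subset, by IANA value). Only these can be
# decrypted with the server's private key alone; ECDHE/DHE suites cannot.
RSA_KX_SUITES = {
    0x000A: "TLS_RSA_WITH_3DES_EDE_CBC_SHA",
    0x002F: "TLS_RSA_WITH_AES_128_CBC_SHA",
    0x0035: "TLS_RSA_WITH_AES_256_CBC_SHA",
    0x003C: "TLS_RSA_WITH_AES_128_CBC_SHA256",
    0x003D: "TLS_RSA_WITH_AES_256_CBC_SHA256",
    0x009C: "TLS_RSA_WITH_AES_128_GCM_SHA256",
    0x009D: "TLS_RSA_WITH_AES_256_GCM_SHA384",
}


def iter_frames(pcap: bytes):
    """Yield raw Ethernet frames from a classic (non-pcapng) pcap file."""
    magic = struct.unpack("<I", pcap[:4])[0]
    endian = {0xA1B2C3D4: "<", 0xD4C3B2A1: ">"}.get(magic)
    if endian is None:
        raise ValueError("not a classic pcap file")
    if struct.unpack(endian + "I", pcap[20:24])[0] != 1:
        raise ValueError("only Ethernet link type (1) is supported")
    off = 24
    while off + 16 <= len(pcap):
        _, _, incl_len, _ = struct.unpack(endian + "IIII", pcap[off:off + 16])
        off += 16
        yield pcap[off:off + incl_len]
        off += incl_len


def _parse_frame(frame: bytes):
    """Return (src_ip, dst_ip, sport, dport, tcp_payload) for IPv4/TCP frames, else None."""
    if len(frame) < 34 or frame[12:14] != b"\x08\x00" or frame[23] != 6:
        return None
    ihl = (frame[14] & 0x0F) * 4
    src = ".".join(str(b) for b in frame[26:30])
    dst = ".".join(str(b) for b in frame[30:34])
    tcp = frame[14 + ihl:]
    if len(tcp) < 20:
        return None
    sport, dport = struct.unpack("!HH", tcp[:4])
    return src, dst, sport, dport, tcp[(tcp[12] >> 4) * 4:]


def find_tls_sessions(pcap: bytes):
    """Pair ClientHello/ServerHello messages; the ClientHello's destination is the server."""
    sessions = {}
    for frame in iter_frames(pcap):
        parsed = _parse_frame(frame)
        if parsed is None:
            continue
        src, dst, sport, dport, data = parsed
        # TLS record: type 0x16 (handshake), version 0x03xx, 2-byte length, handshake type
        if len(data) < 6 or data[0] != 0x16 or data[1] != 0x03:
            continue
        if data[5] == 1:  # ClientHello
            sessions[(src, sport, dst, dport)] = {
                "client_ip": src, "client_port": sport,
                "server_ip": dst, "server_port": dport,
                "cipher_suite": None, "rsa_key_exchange": None,
            }
        elif data[5] == 2:  # ServerHello: version(2) random(32) sid_len(1) sid cipher(2)
            sess = sessions.get((dst, dport, src, sport))
            off = 5 + 4 + 2 + 32
            if sess is None or len(data) < off + 1:
                continue
            suite_off = off + 1 + data[off]
            if len(data) < suite_off + 2:
                continue
            suite = struct.unpack("!H", data[suite_off:suite_off + 2])[0]
            sess["cipher_suite"] = suite
            sess["rsa_key_exchange"] = suite in RSA_KX_SUITES
    return list(sessions.values())


def keys_list_entry(session: dict, protocol: str, keyfile: str) -> str:
    """Format one entry in the IP,port,protocol,keyfile form the answer's config uses."""
    return f"{session['server_ip']},{session['server_port']},{protocol},{keyfile}"


# --- constructed sample capture: client 192.168.100.2 -> server 192.168.100.4:443 ---
def _record(hs_type: int, body: bytes) -> bytes:
    hs = bytes([hs_type]) + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x03" + len(hs).to_bytes(2, "big") + hs

def _frame(src, dst, sport, dport, payload):
    ip4 = lambda s: bytes(int(x) for x in s.split("."))
    eth = b"\x00" * 12 + b"\x08\x00"
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40 + len(payload), 0, 0, 64, 6, 0, ip4(src), ip4(dst))
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, 0x18, 65535, 0, 0)
    return eth + ip + tcp + payload

_CLIENT_HELLO = _record(1, b"\x03\x03" + b"\x11" * 32 + b"\x00" + b"\x00\x02\x00\x2f" + b"\x01\x00\x00\x00")
_SERVER_HELLO = _record(2, b"\x03\x03" + b"\x22" * 32 + b"\x00" + b"\x00\x2f" + b"\x00")
_FRAMES = [_frame("192.168.100.2", "192.168.100.4", 51234, 443, _CLIENT_HELLO),
           _frame("192.168.100.4", "192.168.100.2", 443, 51234, _SERVER_HELLO)]
SAMPLE_PCAP = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1) + b"".join(
    struct.pack("<IIII", i, 0, len(f), len(f)) + f for i, f in enumerate(_FRAMES))

if __name__ == "__main__":
    for s in find_tls_sessions(SAMPLE_PCAP):
        print(s, "->", keys_list_entry(s, "http", "/path/to/private.pem"))  # path is a placeholder
```

Replace SAMPLE_PCAP with the bytes of your own capture to get the IP,port pair to put in the preference (or in Edit > Preferences > Protocols > TLS in current Wireshark). If rsa_key_exchange comes back False, the private key will not help; in that case only a key log from the client side can decrypt the session.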
