Decrypt Data

Tshark Decryption for Kerberos, TLS, and 802.11
3 min | Ross Jacobs | April 4, 2019



There are many protocols that can be decrypted in Wireshark; this article covers Kerberos, TLS, and WPA2 (802.11).

Kerberos

Kerberos is a network authentication protocol that can be decrypted with Wireshark. Use this guide to generate a keytab file. To use this keytab file for decryption:

tshark -r /path/to/file -K /path/to/keytab

TLS 1.2 Decryption

It is possible to decrypt the data on the client side if SSL key logging is enabled. Chrome and Firefox check whether the SSLKEYLOGFILE environment variable exists and, if it does, write the session keys to that file. Using tshark and Firefox, we will be able to extract the HTML file from the capture.

1. Add the SSLKEYLOGFILE environment variable

echo "export SSLKEYLOGFILE=/tmp/sslkey.log" >> ~/.bashrc
source ~/.bashrc

2. Capture traffic going to a website

Let’s use https://ss64.com as it uses TLSv1.2 and is designed to be lightweight. They have an article on netcat, which seems apropos to use: https://ss64.com/bash/nc.html.

cd /tmp
url='https://ss64.com/bash/nc.html'
tshark -Q -w /tmp/myfile.pcapng & tpid=$!
firefox --headless --private "$url" & ffpid=$!
# Stop with SIGTERM (not -9) so tshark finishes writing the pcapng, then wait for it to exit
sleep 10 && kill "$tpid" "$ffpid"; wait "$tpid"

3. Export http objects to obj/

mkdir -p /tmp/obj
# Equivalent to Wireshark > File > Export Objects > HTTP
tshark --export-objects http,/tmp/obj -r /tmp/myfile.pcapng \
  -o tls.keylog_file:$SSLKEYLOGFILE

4. Verify that HTML extraction was successful

The two relevant files that we receive from ss64.com are nc.html and main.css. This HTML file references its CSS file as "../main.css", so (still in /tmp, where obj/ lives) create a symbolic link for verification purposes and then open it.

ln -s obj/main.css main.css
firefox --browser obj/nc.html

If all is well, your local version of nc's man page looks exactly the same as ss64's version.
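The commonest reason "nothing gets decrypted" in the steps above is a key log that is empty or malformed (typically because the browser was started before SSLKEYLOGFILE was exported) or one that only contains TLS 1.3 entries. The following script is an added example, not code from the original post: it summarises the key log before tshark sees it and counts the HTTP frames tshark can dissect once the key log is applied. The function names, the hexrun helper and the sample key log lines are constructed for this example.

```shell
#!/usr/bin/env bash
# Added example (not from the original post): check the key log before handing
# it to tshark, then count how many HTTP frames become visible after decryption.

# Summarise an NSS-format key log. A TLS 1.2 entry looks like
#   CLIENT_RANDOM <64 hex chars> <96 hex chars>
# TLS 1.3 entries use labels such as CLIENT_TRAFFIC_SECRET_0 and are counted
# separately. Prints "tls12=N tls13=N malformed=N"; returns 1 if the file is
# missing or empty.
keylog_summary() {            # usage: keylog_summary /tmp/sslkey.log
  [ -s "$1" ] || { echo "key log missing or empty: $1" >&2; return 1; }
  awk '
    /^#/ || /^[[:space:]]*$/ { next }              # comments and blank lines
    $1 == "CLIENT_RANDOM" && NF == 3 &&
      length($2) == 64 && $2 ~ /^[0-9a-fA-F]+$/ &&
      length($3) == 96 && $3 ~ /^[0-9a-fA-F]+$/   { tls12++; next }
    $1 ~ /TRAFFIC_SECRET|EXPORTER_SECRET/ && NF == 3 { tls13++; next }
    { bad++ }
    END { printf "tls12=%d tls13=%d malformed=%d\n", tls12, tls13, bad }
  ' "$1"
}

# Count HTTP frames tshark can dissect with the key log applied; zero means
# decryption did not happen even though the capture contains TLS records.
decrypted_http_frames() {     # usage: decrypted_http_frames capture.pcapng sslkey.log
  tshark -r "$1" -o "tls.keylog_file:$2" -Y http -T fields -e frame.number | wc -l | tr -d ' '
}

# Helper for the constructed demo: a run of N copies of one hex digit.
hexrun() { printf "%0${1}d" 0 | tr 0 "$2"; }

# Constructed demo key log (placeholder hex, not real secrets): one good TLS 1.2
# line, one TLS 1.3 line, and one truncated line that tshark would ignore.
demo_keylog=$(mktemp)
{
  printf '# SSL/TLS secrets log file, generated by NSS\n'
  printf 'CLIENT_RANDOM %s %s\n' "$(hexrun 64 a)" "$(hexrun 96 b)"
  printf 'CLIENT_TRAFFIC_SECRET_0 %s %s\n' "$(hexrun 64 c)" "$(hexrun 64 d)"
  printf 'CLIENT_RANDOM %s %s\n' "$(hexrun 60 a)" "$(hexrun 96 b)"
} > "$demo_keylog"
keylog_summary "$demo_keylog"                 # prints: tls12=1 tls13=1 malformed=1

# Against the real capture from step 3, when tshark and the files are present:
if command -v tshark >/dev/null 2>&1 && [ -r /tmp/myfile.pcapng ] && [ -s "${SSLKEYLOGFILE:-}" ]; then
  keylog_summary "$SSLKEYLOGFILE"
  echo "HTTP frames after decryption: $(decrypted_http_frames /tmp/myfile.pcapng "$SSLKEYLOGFILE")"
fi
rm -f "$demo_keylog"
```

A key log that reports tls12=0 but tls13>0 explains the TLS 1.3 caveat below: the browser negotiated 1.3 and the 1.2-style CLIENT_RANDOM entries are simply not there.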

TLS 1.2 In Summary

Wireshark Equivalent

TLS 1.3 Decryption

TLS 1.3 is the next iteration after the industry standard 1.2, and most browsers have adopted 1.3 at this point. TLS 1.3 decryption is currently broken (bug 15537) when the Certificate message spans multiple records. In my testing, some JavaScript files (and other small files) get decrypted, but no HTML or CSS files.

WPA2 Decryption

1. Get your capture

# Get a sample capture (a zip archive containing WPA2-PSK-Final.cap; tar does not unpack zip files)
pcap_url="https://mrncciew.files.wordpress.com/2014/08/wpa2-psk-final.zip"
curl -sSL -o wpa2-psk-final.zip "$pcap_url" && unzip -o wpa2-psk-final.zip

2. Decrypt

Set the values of the variables to whatever they are in your case.

infile="WPA2-PSK-Final.cap"
outfile="decrypted.pcap"
ssid='TEST1'
psk='Cisco123Cisco123'

# The wpa-pwd key format is "password:SSID"
tshark -r "$infile" -w "$outfile" \
       -o wlan.enable_decryption:TRUE \
       -o "uat:80211_keys:\"wpa-pwd\",\"${psk}:${ssid}\""

We can now send the result to a colleague who will not need to know the SSID/PSK.

3. Analyze

Let's pretend we care about TCP resets in the decrypted traffic. We can check for them with the display filter tcp.connection.rst; the output should look something like:

bash-5.0$ tshark -r decrypted.pcap -Y "tcp.connection.rst"
  487  38.407227 192.168.140.1 → 192.168.140.100 TCP 112 20001091 [RST, ACK] 
    Seq=1 Ack=1 Win=0 Len=0
  626  41.687352 192.168.140.1 → 192.168.140.100 TCP 112 20001092 [RST, ACK] 
    Seq=1 Ack=1 Win=0 Len=0
  1226  52.758103 192.168.140.1 → 192.168.140.100 TCP 112 20001093 [RST, ACK] 
    Seq=1 Ack=1 Win=0 Len=0

WPA2 In Summary

Wireshark Equivalent

WPA3 Decryption

WPA3 decryption support in Wireshark is still in development.