Tshark | Decrypt Data
Tshark Decryption for Kerberos, TLS, and 802.11
https://tshark.dev/packetcraft/add_context/tshark_decryption/
If I follow this procedure and then run vbindiff decrypted.pcap WPA2-PSK-Final.cap, I can see that the content of the capture is the same in both files.
So the captured data is still encrypted in decrypted.pcap
Can you provide OS/tshark version?
For sure:
# uname -a
Linux host 5.5.9-arch1-2 #1 SMP PREEMPT Thu, 12 Mar 2020 23:01:33 +0000 x86_64 GNU/Linux
# cat /etc/os-release
NAME="Arch Linux"
PRETTY_NAME="Arch Linux"
ID=arch
BUILD_ID=rolling
ANSI_COLOR="0;36"
HOME_URL="https://www.archlinux.org/"
DOCUMENTATION_URL="https://wiki.archlinux.org/"
SUPPORT_URL="https://bbs.archlinux.org/"
BUG_REPORT_URL="https://bugs.archlinux.org/"
LOGO=archlinux
# tshark --version
TShark (Wireshark) 3.2.2 (Git commit a3efece3d640)
Copyright 1998-2020 Gerald Combs <[email protected]> and contributors.
License GPLv2+: GNU GPL version 2 or later <https://www.gnu.org/licenses/gpl-2.0.html>
This is free software; see the source for copying conditions. There is NO
warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
Compiled (64-bit) with libpcap, with POSIX capabilities (Linux), with libnl 3,
with GLib 2.62.5, with zlib 1.2.11, without SMI, with c-ares 1.15.0, with Lua
5.2.4, with GnuTLS 3.6.12 and PKCS #11 support, with Gcrypt 1.8.5, with MIT
Kerberos, with MaxMind DB resolver, with nghttp2 1.39.2, without brotli, with
LZ4, with Zstandard, with Snappy, with libxml2 2.9.10.
Running on Linux 5.5.9-arch1-2, with Intel(R) Core(TM) i7-8550U CPU @ 1.80GHz
(with SSE4.2), with 15731 MB of physical memory, with locale
LC_CTYPE=en_US.UTF-8, LC_NUMERIC=C, LC_TIME=C, LC_COLLATE=C, LC_MONETARY=C,
LC_MESSAGES=C, LC_PAPER=C, LC_NAME=C, LC_ADDRESS=C, LC_TELEPHONE=C,
LC_MEASUREMENT=C, LC_IDENTIFICATION=C, with libpcap version 1.9.1 (with
TPACKET_V3), with GnuTLS 3.6.12, with Gcrypt 1.8.5, with zlib 1.2.11, binary
plugins supported (0 loaded).
Built using gcc 9.2.1 20200130.
Sorry for the delay. Decrypting does not change the underlying file. It just allows you to view the decrypted file. I'm going to keep this issue open though, because I think I can create a solution that will write the decrypted contents to the underlying file.
Following tmaillart's comments: for me, following the WPA2 procedure above doesn't seem to result in decrypted.pcap actually containing decrypted data; it is just a copy of the original source pcap. So the follow-on tcp.connection.rst filter run against the decrypted.pcap file doesn't output any results for me in the way it does in the video, presumably because the data is still encrypted.
I'm finding this with tshark 3.4.2, 3.2.2 and 3.5.0 on Ubuntu 20.04.
Any ideas how to make this work would be appreciated.
tshark alone only decrypts and then analyzes an encrypted pcap. For example, you could check whether an encrypted pcap has an http layer in its packets as part of this decryption and extract a data layer if it exists. tshark does not decrypt the file itself as part of this process.
Ever since 4.0 you can do this:
tshark -U IP -r file -w output.pcapng
and it will write a file with Raw IP encapsulation with any packets that have IPv4 or IPv6 (whether encrypted and then decrypted, or originally unencrypted.) You'll lose the Radiotap header, MAC layer, LLC layer, and any packets that don't use IP (e.g. EAPOL, ARP, etc.) Fine for most usage.