Re: [tcpdump-workers] Decoding the unencrypted part(s) of SSL/TLS?

2012-12-13 Thread Wesley Shields
On Mon, Dec 10, 2012 at 11:38:29PM -0500, Michael Richardson wrote:
> 
> > "Rick" == Rick Jones  writes:
> Rick> Is there a version of tcpdump in the works which will decode
> Rick> the unencrypted
> Rick> portions of an SSL/TLS session?  Or do I need to look
> Rick> elsewhere?

Are you asking if there is a decoder for the SSL/TLS handshakes or are
you asking if there is something that will, given a private key, decrypt
the SSL?

> Yes/no.
> You have, in general, to do TCP reassembly as TLS blocks might span TCP
> segments. 
> 
> Fortunately, you can use: http://www.rtfm.com/ssldump/
> to do exactly that.

There are some problems with ssldump when building on newer-ish systems
(at least I think there were last time I tried to use it). If you can
get it to work it is good.

> It takes pcap files.  It even decrypts if you give it the keys.

Another option is to use tshark. I'm not a fan of it but it does work in
a pinch.

-- WXS
___
tcpdump-workers mailing list
tcpdump-workers@lists.tcpdump.org
https://lists.sandelman.ca/mailman/listinfo/tcpdump-workers


Re: [tcpdump-workers] Decoding the unencrypted part(s) of SSL/TLS?

2012-12-11 Thread Rick Jones

On 12/11/2012 05:58 AM, Wesley Shields wrote:
> On Mon, Dec 10, 2012 at 11:38:29PM -0500, Michael Richardson wrote:
> > 
> > > "Rick" == Rick Jones  writes:
> > Rick> Is there a version of tcpdump in the works which will decode
> > Rick> the unencrypted
> > Rick> portions of an SSL/TLS session?  Or do I need to look
> > Rick> elsewhere?
> 
> Are you asking if there is a decoder for the SSL/TLS handshakes or are
> you asking if there is something that will, given a private key, decrypt
> the SSL?

The Client/Server Hellos are sufficient for my present purposes.

> > Yes/no.
> > You have, in general, to do TCP reassembly as TLS blocks might span TCP
> > segments.
> > 
> > Fortunately, you can use: http://www.rtfm.com/ssldump/
> > to do exactly that.
> 
> There are some problems with ssldump when building on newer-ish systems
> (at least I think there were last time I tried to use it). If you can
> get it to work it is good.

I've given it a quick try and it seems to be giving me what I need,
though it may not be all that up-to-date on compression method ids.  I
did an apt-get so didn't have to build from source - though I may if I
need to go in and enhance its knowledge of ids.


thanks all,

rick jones


Re: [tcpdump-workers] Decoding the unencrypted part(s) of SSL/TLS?

2012-12-10 Thread Michael Richardson

> "Rick" == Rick Jones  writes:
Rick> Is there a version of tcpdump in the works which will decode
Rick> the unencrypted
Rick> portions of an SSL/TLS session?  Or do I need to look
Rick> elsewhere?

Yes/no.
You have, in general, to do TCP reassembly as TLS blocks might span TCP
segments. 

Fortunately, you can use: http://www.rtfm.com/ssldump/
to do exactly that.

It takes pcap files.  It even decrypts if you give it the keys.

-- 
]   He who is tired of Weird Al is tired of life!   |  firewalls  [
]   Michael Richardson, Sandelman Software Works, Ottawa, ON|net architect[
] m...@sandelman.ottawa.on.ca http://www.sandelman.ottawa.on.ca/ |device driver[
   Kyoto Plus: watch the video 
   then sign the petition. 
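An added example, not from this list and not ssldump's or tcpdump's code, of the two steps Michael describes: buffer reassembled TCP payload until a complete TLS record is present (a record may span segments), then read the version, cipher suites and SNI out of the ClientHello that Rick is after. The ClientHello itself, its cipher suite values and the host name are constructed here rather than taken from a capture.

```python
import struct

def u16(b, i):                      # big-endian 16-bit field at offset i
    return int.from_bytes(b[i:i + 2], "big")

def build_client_hello(suites, sni):
    """Construct a minimal TLS 1.2 ClientHello record (sample input, not a captured one)."""
    name = sni.encode()
    sni_ext = struct.pack("!HBH", len(name) + 3, 0, len(name)) + name      # server_name_list
    ext = struct.pack("!HH", 0, len(sni_ext)) + sni_ext                     # extension type 0 = SNI
    body = (struct.pack("!H", 0x0303) + bytes(32) + b"\x00"                 # version, random, no session id
            + struct.pack("!H", 2 * len(suites)) + b"".join(struct.pack("!H", s) for s in suites)
            + b"\x01\x00"                                                   # compression: null only
            + struct.pack("!H", len(ext)) + ext)
    hs = b"\x01" + len(body).to_bytes(3, "big") + body                     # handshake type 1 = ClientHello
    return struct.pack("!BHH", 0x16, 0x0301, len(hs)) + hs                  # record type 22 = handshake

class RecordReassembler:
    """Buffers in-order TCP payload and returns only complete TLS records, however they were segmented."""
    def __init__(self):
        self.buf = b""
    def feed(self, segment):
        self.buf += segment
        out = []
        while len(self.buf) >= 5:
            ctype, _ver, length = struct.unpack("!BHH", self.buf[:5])
            if len(self.buf) < 5 + length:
                break                                   # record continues in a later segment
            out.append((ctype, self.buf[5:5 + length]))
            self.buf = self.buf[5 + length:]
        return out

def parse_client_hello(hs):
    """Return (version, cipher suites, SNI or None) from the first handshake message, or None if not a ClientHello."""
    if hs[0] != 1:
        return None
    version = u16(hs, 4)
    p = 38 + 1 + hs[38]                                 # skip header, version, random, session id
    n = u16(hs, p)
    suites = [u16(hs, i) for i in range(p + 2, p + 2 + n, 2)]
    p += 2 + n
    p += 1 + hs[p]                                      # compression methods
    sni = None
    if p + 2 <= len(hs):                                # extensions block is optional (older clients omit it)
        p, end = p + 2, p + 2 + u16(hs, p)
        while p + 4 <= end:
            etype, elen = u16(hs, p), u16(hs, p + 2)
            if etype == 0:                              # server_name: list len(2), name type(1), name len(2), name
                sni = hs[p + 9:p + 9 + u16(hs, p + 7)].decode()
            p += 4 + elen
    return version, suites, sni
```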


[tcpdump-workers] Decoding the unencrypted part(s) of SSL/TLS?

2012-12-10 Thread Rick Jones
Is there a version of tcpdump in the works which will decode the
unencrypted portions of an SSL/TLS session?  Or do I need to look elsewhere?


thanks,

rick jones