howtos:creating_a_decrypted_tcpdump_capture
Differences
This shows you the differences between two versions of the page.
| Both sides previous revisionPrevious revisionNext revision | Previous revisionLast revisionBoth sides next revision | ||
| howtos:creating_a_decrypted_tcpdump_capture [28/08/2022 20:53] – domingo | howtos:creating_a_decrypted_tcpdump_capture [28/08/2022 20:55] – domingo | ||
|---|---|---|---|
| Line 11: | Line 11: | ||
| </ | </ | ||
| - | Now get the dump.pcap file onto a device with tshar installed and strip out the PMS information: | + | Now get the dump.pcap file onto a device with tshark |
| < | < | ||
| tshark -r dump.pcap -Y " | tshark -r dump.pcap -Y " | ||
| keylog.txt | keylog.txt | ||
| + | |||
| + | I'm not sure why you can't do it on the Big-IP but it didn't work for me. | ||
| </ | </ | ||
| Line 28: | Line 30: | ||
| If you do not find the traffic decrypted it could be that you have captured the traffic midstream, before the master secret was made. To overcome this you just need to make sure you run tcpdump before the connection is created between whatever you are trying to decrypt then you should get all the information needed in the tcpdump file. | If you do not find the traffic decrypted it could be that you have captured the traffic midstream, before the master secret was made. To overcome this you just need to make sure you run tcpdump before the connection is created between whatever you are trying to decrypt then you should get all the information needed in the tcpdump file. | ||
| - | REMEMBER to delete all the tcpdump files afterwords, it could contain passwords or other sensitive information you don't want to get in the wrong hands. | + | //**REMEMBER**// to delete all the tcpdump files afterwords, it could contain passwords or other sensitive information you don't want to get in the wrong hands. |
howtos/creating_a_decrypted_tcpdump_capture.txt · Last modified: 28/08/2022 20:56 by domingo