On Mon, Dec 10, 2012 at 11:38:29PM -0500, Michael Richardson wrote:
>
> >>>>> "Rick" == Rick Jones <rick.jon...@hp.com> writes:
>     Rick> Is there a version of tcpdump in the works which will decode
>     Rick> the unencrypted
>     Rick> portions of an SSL/TLS session? Or do I need to look
>     Rick> elsewhere?

Are you asking if there is a decoder for the SSL/TLS handshakes or are you
asking if there is something that will, given a private key, decrypt the SSL?

> Yes/no.
> You have, in general, to do TCP reassembly as TLS blocks might span TCP
> segments.
>
> Fortunately, you can use: http://www.rtfm.com/ssldump/
> to do exactly that.

There are some problems with ssldump when building on newer-ish systems (at
least I think there were last time I tried to use it). If you can get it to
work it is good.

> It takes pcap files. It even decrypts if you give it the keys.

Another option is to use tshark. I'm not a fan of it but it does work in a
pinch.

-- WXS
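
The reassembly point raised in the thread, as an added example that is not part of the original messages and is not tcpdump or ssldump code: a reader that buffers TCP payloads until each TLS record is complete, then names the unencrypted handshake messages. The names `TLSRecordReader`, `record`, `hs` and `demo` are hypothetical; it assumes one direction of an in-order stream, handshake messages that do not span records, and the pre-TLS 1.3 layout in which ChangeCipherSpec marks where encryption starts.

```python
import struct
CONTENT = {20: "change_cipher_spec", 21: "alert", 22: "handshake", 23: "application_data"}
HANDSHAKE = {1: "client_hello", 2: "server_hello", 11: "certificate",
             14: "server_hello_done", 16: "client_key_exchange", 20: "finished"}

class TLSRecordReader:
    """Frames TLS records from one direction of an in-order TCP byte stream."""
    def __init__(self):
        self.buf = bytearray()
        self.encrypted = False  # set once ChangeCipherSpec is seen
    def feed(self, segment):
        """Add one TCP payload; return summaries of the records now complete."""
        self.buf += segment
        done = []
        while len(self.buf) >= 5:  # record header: type(1) version(2) length(2)
            ctype, version, length = struct.unpack("!BHH", self.buf[:5])
            if ctype not in CONTENT or version >> 8 != 3:
                raise ValueError("not a TLS record header; stream out of sync")
            if len(self.buf) < 5 + length:
                break  # record continues in a later TCP segment
            body = bytes(self.buf[5:5 + length])
            del self.buf[:5 + length]
            done.append(self._describe(ctype, body))
        return done

    def _describe(self, ctype, body):
        if self.encrypted:
            return CONTENT[ctype] + " (encrypted)"
        if ctype == 20:
            self.encrypted = True
        if ctype != 22:
            return CONTENT[ctype]
        names, off = [], 0
        while off + 4 <= len(body):  # handshake header: type(1) + length(3)
            names.append(HANDSHAKE.get(body[off], "type_%d" % body[off]))
            off += 4 + int.from_bytes(body[off + 1:off + 4], "big")
        return "handshake:" + ",".join(names)

def record(ctype, body):
    return struct.pack("!BHH", ctype, 0x0303, len(body)) + body
def hs(mtype, body):
    return bytes([mtype]) + len(body).to_bytes(3, "big") + body

# Constructed sample stream (not a real capture), cut at arbitrary segment boundaries.
STREAM = (record(22, hs(1, bytes(40))) + record(22, hs(16, bytes(8)))
          + record(20, b"\x01") + record(22, b"\xaa" * 32))

def demo(cuts=(0, 3, 30, 70, 109)):
    reader = TLSRecordReader()
    return [reader.feed(STREAM[a:b]) for a, b in zip(cuts, cuts[1:])]
```

The first two segments yield nothing because the ClientHello record is still incomplete; the handshake record sent after ChangeCipherSpec is reported only by its record type, since its body is ciphertext.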