I have a packet encrypted with TLS in a .pcap file. I also have the private key in a .priv file. How can I decrypt the .pcap file using Wireshark? I tried going to edit -> preferences -> protocols -> ssl -> edit -> new, but I am not sure what to enter in for the IP address, port? How can I display the corresponding packet in Wireshark to find out the port and IP address? Is this the right way to decrypt the .pcap file in Wireshark using the private key?
1,400 1 1 gold badge 19 19 silver badges 30 30 bronze badges asked Jan 21, 2014 at 6:49 41 1 1 gold badge 1 1 silver badge 2 2 bronze badges I've always done this with a command line tool named ssldump: ssldump.sourceforge.net Commented Feb 7, 2017 at 11:39 See also this question: "How to view Encrypted Application Data in Wireshark" Commented Dec 26, 2022 at 19:43I haven't done this myself but after a google search I have found this tutorial. You don't need to do every step, jump right to the "decrypt https part": Write-up Codegate 2010 #7 - Decrypting HTTPS SSL/TLSv1 using RSA 768bits with Wireshark
I will add the relevant information nevertheless:
ssl.desegment_ssl_records: TRUE ssl.desegment_ssl_application_data: TRUE ssl.keys_list: 192.168.100.4,443,http,/home/stalkr/codegate/7/private.pem
Fix the path to private certificate accordingly, on Windows use regular slashes /.
Again, launch Wireshark and open the capture file. We can now see the application data: an HTTP GET request to index.html, and the response containing the flag.
Have a look and let us know.
Notes:
