I'm analyzing a packet capture with python using dpkt. The application layer is encrypted with ssl. I'd like to decrypt the ssl data (i.e., the tcp payload). I have the private key, so I should be able to use the key to decrypt the data. Here's my script:

#!/bin/python
import sys
import dpkt

def main():

    if not len(sys.argv) == 2:
        print("need a pcap file")
        return 1

    filename = sys.argv[1]
    f = open(filename, 'rb')  # pcap files are binary
    pcap = dpkt.pcap.Reader(f)

    framenum = 1
    for ts, buf in pcap:

        if framenum == 123:
            eth = dpkt.ethernet.Ethernet(buf)
            ip = eth.data    # IP packet carried in the Ethernet frame
            tcp = ip.data    # TCP segment carried in the IP packet
            ssl = tcp.data   # TCP payload: the raw TLS record bytes

            # decrypt ssl

        framenum += 1


if __name__ == '__main__':
    sys.exit(main())

What can I put in place of that "decrypt ssl" comment to get the decrypted ssl bytes? I'm guessing there should be some library that can do this for me, but all my searches for ssl and python give information about writing socket programs that can receive ssl connections. I'm not interested in that. Rather, I need to decrypt data that is encrypted with ssl.

Thanks!

1 Answer

You're not likely going to find a ready-made library to do this. Decrypting from a packet dump is rather involved, and I believe the best featured tool right now is still Wireshark.

Note that you will also need to have the entire TLS session captured, from the handshake onward. Also, if the connection used an ephemeral mode which offers forward secrecy (anything with DHE or ECDHE), the data cannot be decrypted.
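Before trying to decrypt at all, it is worth checking whether the capture is decryptable with the server's RSA key. The following is an added example (not code from the asker or the answerer, and it does not need dpkt): it parses the raw ServerHello record bytes, such as the `tcp.data` payload from the script above once the TCP stream has been reassembled, and reports whether the negotiated cipher suite uses static RSA key transport. The cipher-suite table is an assumed small subset of the IANA registry, and `build_server_hello` constructs a minimal test record.

```python
import struct

# Assumed subset of IANA cipher-suite ids; unknown ids are reported as such.
CIPHER_SUITES = {
    0x002F: "TLS_RSA_WITH_AES_128_CBC_SHA",
    0x0035: "TLS_RSA_WITH_AES_256_CBC_SHA",
    0x009C: "TLS_RSA_WITH_AES_128_GCM_SHA256",
    0x0033: "TLS_DHE_RSA_WITH_AES_128_CBC_SHA",
    0xC013: "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA",
    0xC02F: "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
    0x1301: "TLS_AES_128_GCM_SHA256",  # TLS 1.3: key exchange is always ephemeral
}

def parse_server_hello(record):
    """Return (version, cipher_suite_id) from a TLS record carrying a ServerHello.
    Record: type(1) version(2) length(2) | handshake: type(1) length(3) |
    ServerHello: version(2) random(32) session_id_len(1) session_id cipher(2) ...
    """
    content_type, rec_ver, rec_len = struct.unpack("!BHH", record[:5])
    if content_type != 22:  # 22 = handshake
        raise ValueError("not a handshake record")
    body = record[5:5 + rec_len]
    hs_type = body[0]
    hs_len = int.from_bytes(body[1:4], "big")
    if hs_type != 2:  # 2 = ServerHello
        raise ValueError("not a ServerHello")
    hello = body[4:4 + hs_len]
    version = struct.unpack("!H", hello[:2])[0]
    sid_len = hello[34]
    cipher = struct.unpack("!H", hello[35 + sid_len:37 + sid_len])[0]
    return version, cipher

def rsa_key_can_decrypt(cipher_id):
    """True only for static RSA key transport, where the premaster secret is
    encrypted to the server's RSA key. (EC)DHE suites and every TLS 1.3 suite
    provide forward secrecy, so the private key alone cannot recover the traffic."""
    name = CIPHER_SUITES.get(cipher_id)
    if name is None:
        raise ValueError("unknown cipher suite 0x%04x" % cipher_id)
    return name.startswith("TLS_RSA_WITH_")

def build_server_hello(cipher_id):
    """Constructed minimal TLS 1.2 ServerHello record (empty session id, no extensions)."""
    hello = b"\x03\x03" + b"\x00" * 32 + b"\x00" + struct.pack("!H", cipher_id) + b"\x00"
    hs = b"\x02" + len(hello).to_bytes(3, "big") + hello
    return b"\x16\x03\x03" + struct.pack("!H", len(hs)) + hs
```

Even when this returns True, the ClientHello, ServerHello and the client's encrypted premaster secret must all be present in the capture, otherwise the session keys cannot be derived.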

3 Comments

I started with Wireshark, but sadly wireshark doesn't help me because it doesn't have a way to export the decrypted packet capture to a new pcap file that has the decrypted data. I was hopeful I could do this myself in a python script since wireshark couldn't. Thus my question.

Exporting it to a new pcap doesn't make sense, since there is no 1-1 relationship between encrypted and decrypted packets. All you could do is export the plaintext from the stream.

Thanks for the input. It's helpful to know to give up.
