

Using Wireshark or other tools to examine SSL traffic requires that the Pre-Master Secret log be extracted from the capture with ssldump, and that the private key be available. However, the syntax for locating the right key file and executing ssldump is clumsy and hard to remember. For example:

ssldump -r test1.pcap -k /config/filestore/files_d/Common_d/certificate_key_d/:Common: -M SSL.pms -A -d -n

It doesn't exactly roll trippingly off the keyboard, does it?

Instead, this little script provides a one-line command, and it is installed on all of our Big-IPs along with a lot of other little utilities:

#! /bin/bash
CaptureFile=$1                   # capture to decrypt, e.g. test1.pcap
PMSFile=${2:-SSL.pms}            # Pre-Master Secret log; defaults to SSL.pms
CertName=KEY_BASENAME            # placeholder: the key's base filename is not given on this page
KeyFile=$(ls /config/filestore/files_d/Common_d/certificate_key_d/:Common:$CertName.key_* )
ssldump -r $CaptureFile -k $KeyFile -M $PMSFile -A -d -n

Note that it is the BASE FILENAME of the key that must be specified, not the cert/key name. The script finds the actual filename in the file store, such as: /config/filestore/files_d/Common_d/certificate_key_d/

It can be invoked with a single, easy to remember line:

Decrypt.sh test1.pcap

The output defaults to SSL.pms, which gets copied to your workstation along with the. If you keep using the same name, it can be set once in Wireshark and doesn't have to be reconfigured for every capture.
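A stricter version of the wrapper, added here as an example and not the script from the page: the ls-based lookup above hands ssldump whatever the glob expands to, so this one fails when the key name matches nothing or several versioned files, quotes the paths, and takes the key base name as a second argument. It assumes the filestore layout shown on the page; KEY_STORE, find_key_file and decrypt are names introduced here.

```shell
#!/bin/sh
# Added example; not the page's own Decrypt.sh.
# Default key store is the path the page shows; KEY_STORE overrides it
# (which also lets the lookup be exercised against a scratch directory).

# Resolve the versioned key file for a key base name.
# Exit 1: no match.  Exit 2: more than one match (ambiguous name).
find_key_file() {
    store="$1"; name="$2"
    set -- "$store"/:Common:"$name".key_*
    if [ ! -e "$1" ]; then
        echo "no key file for '$name' in $store" >&2
        return 1
    fi
    if [ "$#" -ne 1 ]; then
        echo "ambiguous key name '$name': $*" >&2
        return 2
    fi
    printf '%s\n' "$1"
}

# decrypt <capture.pcap> <key-base-name> [pms-file]
# Note: extracting the pre-master secret from the server's private key only
# works for RSA key exchange; (EC)DHE sessions need a key log from an endpoint.
decrypt() {
    capture="$1"; name="$2"; pms="${3:-SSL.pms}"
    store="${KEY_STORE:-/config/filestore/files_d/Common_d/certificate_key_d}"
    [ -r "$capture" ] || { echo "capture '$capture' not readable" >&2; return 1; }
    keyfile=$(find_key_file "$store" "$name") || return $?
    ssldump -r "$capture" -k "$keyfile" -M "$pms" -A -d -n
}

if [ "$#" -gt 0 ]; then
    decrypt "$@"
fi
```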
