Decrypt Data

Tshark Decryption for Kerberos, TLS, and 802.11
2 min |  Ross Jacobs |  April 4, 2019

Table of Contents

Quicklinks: Wireshark Decrypt: 802.11 | TLS | ESP | WireGuard | Kerberos
Articles Decrypt: SNMP


There are many protocols that can be decrypted in Wireshark:

Kerberos

Kerberos is a network authentication protocol that can be decrypted with Wireshark. Use this guide to generate a keytab file. To use this keytab file for decryption:

tshark -r /path/to/file -K /path/to/keytab

TLS

TLS decryption, for the most part, is setting the $SSLKEYLOGFILE to the destination file of your choice and hoping that your application reads this environmental variable.

To my knowledge, these applications support it: * Chrome (and Chromium-based like Opera, Brave, Vivaldi, etc.) * Firefox * Curl (and any libcurl-based appliaction)

Unsupported: * Edge/IE, but this will likely change for Edge though as it will soon be Chromium-based. * Safari

If your application supports the $SSLKEYLOGFILE variable, please create an issue.

TLS 1.2 Decryption

TLS 1.2 decryption has been with Wireshark since October 2017 with v2.4.2. Multiple articles exist that document this feature. This guide features a larger article on Exporting files with TLS.

TLS 1.3 Decryption

TLS 1.3 is the next iteration after industry standard 1.2, with 1.3 adopted by most browsers at this point. TLS decryption is currently broken (bug 15537) when certificate message spans multiple records. In my testing, some javascript files (and other small files) get decrypted, but no html or css files.

WPA2 Decryption

This section is possible due to the amazing content at mrncciew.com, by Rasika Nayanajith. If you want to get better with 802.11, start your journey here.

1. Get your capture

# Get a sample.pcap
pcap_url="https://mrncciew.files.wordpress.com/2014/08/wpa2-psk-final.zip"
curl $pcap_url | tar -xzv

2. Decrypt

Set the values of vars to whatever they are in your case.

infile="WPA2-PSK-Final.cap"
outfile="decrypted.pcap"
ssid='TEST1'
psk='Cisco123Cisco123'

tshark -r $infile -w $outfile \
       -o wlan.enable_decryption:TRUE \
       -o "uat:80211_keys:\"wpa-pwd\",\"${psk}:${ssid}\""

We can now send the result to a colleague who will not need to know the SSID/PSK.

3. Analyze

Let’s pretend we care about TCP resets in the decrypted traffic. We can check for it with tcp.connection.rst with output that should look something like:

bash-5.0$ tshark -r decrypted.pcap -Y "tcp.connection.rst"
  487  38.407227 192.168.140.1 → 192.168.140.100 TCP 112 20001091 [RST, ACK] 
    Seq=1 Ack=1 Win=0 Len=0
  626  41.687352 192.168.140.1 → 192.168.140.100 TCP 112 20001092 [RST, ACK] 
    Seq=1 Ack=1 Win=0 Len=0
  1226  52.758103 192.168.140.1 → 192.168.140.100 TCP 112 20001093 [RST, ACK
    Seq=1 Ack=1 Win=0 Len=0

WPA2 In Summary

Wireshark Equivalent

WPA3 Decryption

WPA3 decryption support in Wireshark is still in development.