SharkFu

Tshark Decryption for Kerberos, TLS, and 802.11
2 min |  Ross Jacobs |  April 4, 2019

Quicklinks: Wireshark Decrypt: 802.11 | TLS | ESP | WireGuard | Kerberos
Articles Decrypt: SNMP


Wireshark can decrypt many protocols. This page covers three of them: Kerberos, TLS, and WPA2 (802.11).

Kerberos

Kerberos is a network authentication protocol that Wireshark can decrypt once it has the long-term keys involved, which it reads from a keytab file (this requires a Wireshark built against MIT or Heimdal Kerberos). Use this guide to generate a keytab file. To use this keytab file for decryption:

tshark -r /path/to/file -K /path/to/keytab

If the Kerberos blobs still show as encrypted, also enable the protocol preference with -o kerberos.decrypt:TRUE. Only tickets and authenticators whose keys are present in the keytab can be decrypted, so a keytab holding a service key will decrypt tickets for that service but not the TGTs issued by the KDC.

TLS

TLS decryption, for the most part, means setting the SSLKEYLOGFILE environment variable to a file of your choice, hoping that your application honours it (if it does, it appends one line per handshake in the NSS key log format), and then pointing tshark at that file with -o tls.keylog_file:/path/to/keys.log (Wireshark 2.x called the preference ssl.keylog_file). Treat the key log like the private key it effectively is: anyone who obtains it can decrypt every session it covers.

To my knowledge, these applications support it:

Unsupported:

If your application supports the $SSLKEYLOGFILE variable and is not listed above, please create an issue.

TLS 1.2 Decryption

Wireshark has decrypted TLS 1.2 from a key log file for many releases (this article originally cited v2.4.2 from October 2017), and multiple articles document the feature. This site also has a longer article on exporting files from decrypted TLS sessions.

TLS 1.3 Decryption

TLS 1.3 is the successor to the industry-standard TLS 1.2 and has been adopted by most browsers at this point. TLS 1.3 decryption is currently broken (bug 15537) when the Certificate message spans multiple TLS records. In my testing, some javascript files (and other small files) get decrypted, but no html or css files.
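Before blaming Wireshark for a session that will not decrypt, it is worth checking what the key log actually contains: a TLS 1.2 handshake shows up as a single CLIENT_RANDOM line, while a TLS 1.3 handshake needs its CLIENT_TRAFFIC_SECRET_0 and SERVER_TRAFFIC_SECRET_0 lines before any application data can be read. The following is an added example, not code from this site or from Wireshark: it parses an NSS-format key log, groups the lines by client random, reports which generation each handshake is and whether a 1.3 handshake is missing its application-traffic secrets, and builds the tshark command that uses the file. The key log text and the path names are constructed placeholders.

```python
"""Summarise an NSS-format TLS key log and build the matching tshark command.
Added example; the sample key log below is constructed, not captured."""
import shutil
import subprocess
from collections import Counter

# Labels of the NSS key log format, the file that $SSLKEYLOGFILE points at.
# CLIENT_RANDOM carries a TLS 1.0-1.2 master secret; the rest are TLS 1.3.
TLS12_LABELS = {"CLIENT_RANDOM"}
TLS13_LABELS = {
    "CLIENT_EARLY_TRAFFIC_SECRET",
    "EARLY_EXPORTER_SECRET",
    "CLIENT_HANDSHAKE_TRAFFIC_SECRET",
    "SERVER_HANDSHAKE_TRAFFIC_SECRET",
    "CLIENT_TRAFFIC_SECRET_0",
    "SERVER_TRAFFIC_SECRET_0",
    "EXPORTER_SECRET",
}
# Without these two a TLS 1.3 session decrypts its handshake but no app data.
APP_DATA_LABELS = {"CLIENT_TRAFFIC_SECRET_0", "SERVER_TRAFFIC_SECRET_0"}


def _is_hex(field, nbytes=None):
    """True if field is hex (optionally of exactly nbytes bytes)."""
    try:
        raw = bytes.fromhex(field)
    except ValueError:
        return False
    return nbytes is None or len(raw) == nbytes


def parse_keylog(text):
    """Parse key log text into {client_random: set(labels)} plus a list of
    (line number, reason) for lines that are not valid key log entries."""
    sessions, problems = {}, []
    for lineno, line in enumerate(text.splitlines(), 1):
        line = line.strip()
        if not line or line.startswith("#"):
            continue  # comment lines are part of the format
        fields = line.split()
        if len(fields) != 3:
            problems.append((lineno, "expected 3 whitespace-separated fields"))
            continue
        label, client_random, secret = fields
        if label not in TLS12_LABELS | TLS13_LABELS:
            problems.append((lineno, f"unknown label {label}"))
        elif not _is_hex(client_random, 32):
            problems.append((lineno, "client_random must be 32 bytes of hex"))
        elif not _is_hex(secret):
            problems.append((lineno, "secret is not hex"))
        else:
            sessions.setdefault(client_random, set()).add(label)
    return sessions, problems


def summarise(sessions):
    """Count handshakes by TLS generation and flag 1.3 handshakes that never
    logged their application-traffic secrets."""
    counts = Counter()
    for labels in sessions.values():
        if labels & TLS13_LABELS:
            counts["tls13"] += 1
            if not APP_DATA_LABELS <= labels:
                counts["tls13_without_app_secrets"] += 1
        else:
            counts["tls12"] += 1
    return dict(counts)


def tshark_cmd(pcap, keylog, display_filter="http"):
    """argv that makes tshark decrypt with the key log. tls.keylog_file is the
    Wireshark 3.x preference name; Wireshark 2.x called it ssl.keylog_file."""
    return ["tshark", "-r", pcap, "-o", f"tls.keylog_file:{keylog}",
            "-Y", display_filter]


def run_tshark(pcap, keylog):
    """Run the command if tshark is installed; None otherwise."""
    if shutil.which("tshark") is None:
        return None
    return subprocess.run(tshark_cmd(pcap, keylog),
                          capture_output=True, text=True).stdout


def _entry(label, cr_hex_byte, secret_hex_byte, secret_len):
    # Build one key log line from repeated hex bytes (constructed data).
    return f"{label} {cr_hex_byte * 32} {secret_hex_byte * secret_len}"


# Constructed sample key log (not from a real browser): one TLS 1.2 session,
# one complete TLS 1.3 session, one TLS 1.3 session that stopped after the
# handshake secrets, and one malformed line.
SAMPLE_KEYLOG = "\n".join([
    "# constructed sample, not real secrets",
    _entry("CLIENT_RANDOM", "11", "aa", 48),
    _entry("CLIENT_HANDSHAKE_TRAFFIC_SECRET", "22", "bb", 32),
    _entry("SERVER_HANDSHAKE_TRAFFIC_SECRET", "22", "cc", 32),
    _entry("CLIENT_TRAFFIC_SECRET_0", "22", "dd", 32),
    _entry("SERVER_TRAFFIC_SECRET_0", "22", "ee", 32),
    _entry("CLIENT_HANDSHAKE_TRAFFIC_SECRET", "33", "ff", 32),
    "CLIENT_RANDOM not-hex " + "aa" * 48,
])

if __name__ == "__main__":
    sessions, problems = parse_keylog(SAMPLE_KEYLOG)
    print(summarise(sessions), problems)
    print(" ".join(tshark_cmd("capture.pcap", "/tmp/keys.log")))
```

On the constructed sample this reports one TLS 1.2 handshake, two TLS 1.3 handshakes of which one lacks its application secrets, and rejects the malformed last line; the same check on a real key log tells you whether an undecrypted session is the Wireshark bug above or simply a key that was never written.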

WPA2 Decryption

This section is possible due to the amazing content at mrncciew.com, by Rasika Nayanajith. If you want to get better with 802.11, start your journey here.

1. Get your capture

# Get a sample capture (the archive is a zip file, not a tarball)
pcap_url="https://mrncciew.files.wordpress.com/2014/08/wpa2-psk-final.zip"
curl -sSL "$pcap_url" -o wpa2-psk-final.zip && unzip wpa2-psk-final.zip

2. Decrypt

Set the values of these variables to whatever they are in your case.

infile="WPA2-PSK-Final.cap"
ssid='TEST1'
psk='Cisco123Cisco123'

tshark -r "$infile" \
       -o wlan.enable_decryption:TRUE \
       -o "uat:80211_keys:\"wpa-pwd\",\"${psk}:${ssid}\"" \
       -Y "tcp.connection.rst"

Decryption happens while tshark dissects each frame, so the key has to be supplied on every run. Adding -w decrypted.pcap to this command does not produce a decrypted file: tshark writes frames exactly as they were captured, encrypted payload and all, and whoever opens the output still needs the SSID and PSK. To hand a colleague a capture they can read without the key, decrypt it with airdecap-ng from the aircrack-ng suite instead:

airdecap-ng -e "$ssid" -p "$psk" "$infile"

This writes a new file named after the input with -dec appended (WPA2-PSK-Final-dec.cap) in which the 802.11 data frames have been replaced by their decrypted contents, and any copy of tshark or Wireshark can read it. The EAPOL 4-way handshake of the client you care about must be present in the capture for either tool to derive the session keys.

3. Analyze

Let's pretend we care about TCP resets in the decrypted traffic. The tcp.connection.rst display filter selects them, and, with the key options from step 2 repeated, the output should look something like:

bash-5.0$ tshark -r "$infile" -o wlan.enable_decryption:TRUE \
    -o "uat:80211_keys:\"wpa-pwd\",\"${psk}:${ssid}\"" -Y "tcp.connection.rst"
  487  38.407227 192.168.140.1 → 192.168.140.100 TCP 112 20001091 [RST, ACK] Seq=1 Ack=1 Win=0 Len=0
  626  41.687352 192.168.140.1 → 192.168.140.100 TCP 112 20001092 [RST, ACK] Seq=1 Ack=1 Win=0 Len=0
 1226  52.758103 192.168.140.1 → 192.168.140.100 TCP 112 20001093 [RST, ACK] Seq=1 Ack=1 Win=0 Len=0
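The wpa-pwd key type above makes Wireshark derive the pairwise master key itself from the passphrase and SSID; Wireshark also accepts that 256-bit PMK directly as a wpa-psk key, which lets you share the key for one network without disclosing a passphrase that may be reused elsewhere, and sidesteps quoting trouble when the passphrase or SSID contains a colon or a double quote. The following is an added example, not code from this site or from Wireshark: it performs the same PBKDF2-HMAC-SHA1 derivation (4096 iterations, 32 bytes, SSID as salt) that the 802.11 standard specifies, validates passphrase and SSID lengths, builds both forms of the UAT entry and the full tshark argv for the run in step 2, and counts EAPOL frames in the capture when tshark is installed, since without the 4-way handshake nothing will decrypt. The SSID, passphrase and file name are the ones used on this page; the tshark invocation is only run if the tool is present.

```python
"""Derive a WPA2 PMK and build the tshark 802.11 decryption command.
Added example; names and paths are placeholders taken from the page."""
import hashlib
import shutil
import subprocess


def wpa2_pmk(passphrase, ssid):
    """256-bit PMK from a WPA2-Personal passphrase, the derivation Wireshark
    performs for a wpa-pwd key: PBKDF2-HMAC-SHA1(passphrase, ssid, 4096, 32)."""
    if not 8 <= len(passphrase) <= 63:
        raise ValueError("a WPA2 passphrase is 8 to 63 characters")
    if not 1 <= len(ssid.encode()) <= 32:
        raise ValueError("an SSID is 1 to 32 bytes")
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(),
                               4096, 32).hex()


def wpa_pwd_entry(passphrase, ssid):
    """UAT value for a passphrase key, the form used in step 2 above."""
    return f'"wpa-pwd","{passphrase}:{ssid}"'


def wpa_psk_entry(pmk_hex):
    """UAT value for a pre-derived PMK (exactly 64 hex digits)."""
    if len(pmk_hex) != 64 or any(c not in "0123456789abcdefABCDEF" for c in pmk_hex):
        raise ValueError("wpa-psk takes exactly 64 hex digits")
    return f'"wpa-psk","{pmk_hex}"'


def decrypt_args(pcap, key_entry, display_filter="tcp.connection.rst"):
    """argv for the decrypting tshark run. Each -o value is a single argv
    element, so the embedded double quotes need no shell escaping."""
    return ["tshark", "-r", pcap,
            "-o", "wlan.enable_decryption:TRUE",
            "-o", f"uat:80211_keys:{key_entry}",
            "-Y", display_filter]


def eapol_frame_count(pcap):
    """Count EAPOL frames: decryption only works for clients whose 4-way
    handshake is in the capture. Returns None when tshark is not installed."""
    if shutil.which("tshark") is None:
        return None
    out = subprocess.run(["tshark", "-r", pcap, "-Y", "eapol"],
                         capture_output=True, text=True).stdout
    return len(out.splitlines())


if __name__ == "__main__":
    ssid, psk, infile = "TEST1", "Cisco123Cisco123", "WPA2-PSK-Final.cap"
    pmk = wpa2_pmk(psk, ssid)
    print("PMK:", pmk)
    print("EAPOL frames:", eapol_frame_count(infile))
    for entry in (wpa_pwd_entry(psk, ssid), wpa_psk_entry(pmk)):
        print(" ".join(decrypt_args(infile, entry)))
```

The derivation can be checked against the test vector published in the 802.11 standard (passphrase "password", SSID "IEEE" gives a PMK starting f42c6fc5); a wpa-psk entry built from the output is interchangeable with the wpa-pwd entry for that one SSID and nothing else, which is exactly the property you want when sharing it.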

WPA2 In Summary

Give tshark the SSID and passphrase as a wpa-pwd key (or the 64-hex-digit PMK as a wpa-psk key), make sure the capture contains the EAPOL 4-way handshake for the client you care about, and repeat the -o options on every run, because the key is applied at dissection time rather than written into the file. Use airdecap-ng when you need a capture that is decrypted on disk.

Wireshark Equivalent

In the GUI the same settings live under Edit > Preferences > Protocols > IEEE 802.11: tick "Enable decryption", then open "Decryption keys" and add a key of type wpa-pwd with the value passphrase:ssid (here Cisco123Cisco123:TEST1).
WPA3 Decryption

WPA3 decryption support in Wireshark is still in development as of this article's date (April 2019).