seladb
commented
2 years ago Unfortunately PcapPlusPlus does not support TLS decryption. This will require integration with OpenSSL which currently doesn't exist
Open niclar opened 2 years ago
seladb
commented
2 years ago Unfortunately PcapPlusPlus does not support TLS decryption. This will require integration with OpenSSL which currently doesn't exist
mikeybro
commented
2 years ago 
niclar
commented
2 years ago FYI I got decryption to work with openssl (SSL_get_client_random, SSL_SESSION_get_master_key) and wireshark
seladb
commented
2 years ago Nice!! Just curious: are you using it inside of PcapPlusPlus (by changing the code) or as a separate tool?
niclar
commented
2 years ago @seladb I'm running the capture & decryption from wireshark, key logging in the client code. -So separate at the moment. If the pcapplusplus capture files are interchangeable, I can run the capture phase via pcapplusplus of cause.
seladb
commented
2 years ago ok got it, thanks!
Should we close this issue?
niclar
commented
2 years ago Would be nice to have this feature(s) in pcapplusplus. -Maybe keep the ticket as a feature request, open for sponsoring ?
seladb
commented
2 years ago Sure, we can keep it open for some time. If we see more demand for this feature we will consider implementing it
WHOLETTHEDOG-OUT
commented
1 year ago demand +1
seladb
commented
1 year ago @WHOLETTHEDOG-OUT would you consider adding this functionality to PcapPlusPlus?
gyl30
commented
1 month ago I referenced this project to implement TLS decryption, which I can't provide as it's company code. But others who are interested can refer to
Hi, I'm trying to figure out how to replay (& capture) a secure web socket feed in my application, for low-level network debugging. I'm in full control of the client/application and have the ssl session master key. I'm not in control of the server.
Does pcapplusplus support TLS decryption given the master key and the client random value ?
Wireshark seem to be able to replay a modified/re-encrypted pcap from what I understand.
(https://www.ibm.com/support/pages/decrypt-datapower-tlsssl-traffic-using-master-secret-logging) (https://unit42.paloaltonetworks.com/wireshark-tutorial-decrypting-https-traffic/) (https://wiki.wireshark.org/TLS)
-Also is it possible to inject the secret in the pcap file to streamline the replay process; (see "Embedding decryption secrets in a pcapng file" in https://wiki.wireshark.org/TLS#using-the-pre-master-secret )