I wanted to perform some checks on a pcap file using libpcap but it was TLS encrypted. I have successfully decrypted it using Wireshark SSLKEYLOGFILE. Does pcap_open_offline()
function read the TLS encrypted version of the file or the decrypted version of the file?
CodePudding user response:
I wanted to perform some checks on a pcap file using libpcap but it was TLS encrypted.
Or, more correctly, some or all of the traffic in the capture is TLS-encrypted. The file and packet headers aren't TLS-encrypted, nor are the protocols atop which the TLS-encrypted traffic are being transmitted, such as TCP, IP, and the link layer.
I have successfully decrypted it using Wireshark SSLKEYLOGFILE.
Wireshark is reading the file and decrypting some or all of the TLS traffic in it.
Does
pcap_open_offline()
function read the TLS encrypted version of the file or the decrypted version of the file?
There isn't a decrypted version of the file.
Libpcap doesn't understand most of the protocols - it just provides the data as it exists in the file. In particular, it will not decrypt TLS traffic; whatever application is using libpcap to read the file will have to decrypt the TLS traffic by itself, just as, in Wireshark, the Wireshark "libwiretap" library, which is the library Wireshark uses to read capture files, doesn't understand most of the protocols, it just provides the data as it exists in the file, and the Wireshark dissector library decrypts the TLS-encrypted traffic.
So, if you want to write your own program to process the file, with your program using libpcap to read the file, you will have to implement your own TLS decryption code; libpcap will not decrypt the TLS traffic for you.