Using Wireshark to decrypt TLS encrypted file with private key

I have a packet encrypted with TLS in a .pcap file. I also have the private key in a .priv file. How can I decrypt the .pcap file using Wireshark? I tried going to edit -> preferences -> protocols -> ssl -> edit -> new, but I am not sure what to enter for the IP address and port. How can I display the corresponding packet in Wireshark to find out the port and IP address? Is this the right way to decrypt the .pcap file in Wireshark using the private key? Please help! Thanks!


I haven't done this myself, but after a Google search I found this tutorial. You don't need to do every step; jump right to the "decrypt https" part:

http://blog.stalkr.net/2010/03/codegate-decrypting-https-ssl-rsa-768.html

I will add the relevant information nevertheless:

Decrypt https

Open Wireshark preferences file:

on Linux: ~/.wireshark/preferences
on Windows: C:\Documents and Settings\\Application Data\Wireshark\preferences

Inform Wireshark that you want it to desegment SSL records and application data, and give it the private certificate for the https server we observed (192.168.100.4):

ssl.desegment_ssl_records: TRUE
ssl.desegment_ssl_application_data: TRUE
ssl.keys_list: 192.168.100.4,443,http,/home/stalkr/codegate/7/private.pem

Fix the path to private certificate accordingly, on Windows use regular slashes /.

Again, launch Wireshark and open the capture file. We can now see the application data: an HTTP GET request to index.html, and the response containing the flag.

Have a look and let us know.

Note: All this information belongs to "StalkR's Blog" and I have added it here for convenience. Consider visiting the full blog entry since he may add some extra steps.
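To find the IP address and port the question asks about, and to check that an RSA private key can decrypt the session at all, the following added example (not from the answer or from StalkR's blog) scans a capture for TLS ServerHello messages and builds the matching `ssl.keys_list` entries. It assumes a classic pcap file with Ethernet/IPv4 framing and a ServerHello at the start of a TCP segment; the function names, the constructed sample capture and the key path are hypothetical.

```python
import socket, struct

# Common cipher suites with RSA key exchange (not exhaustive); only these can be
# decrypted from the server's RSA private key. (EC)DHE suites and TLS 1.3 cannot.
RSA_KX = {0x0004, 0x0005, 0x000A, 0x002F, 0x0035, 0x003C, 0x003D, 0x009C, 0x009D}

def server_hellos(pcap):
    """Yield (server_ip, server_port, cipher_suite) per ServerHello in a classic Ethernet pcap."""
    endian = {b"\xd4\xc3\xb2\xa1": "<", b"\xa1\xb2\xc3\xd4": ">"}.get(pcap[:4])
    if endian is None or struct.unpack(endian + "I", pcap[20:24])[0] != 1:
        raise ValueError("expected a classic pcap file with Ethernet link type")
    off = 24
    while off + 16 <= len(pcap):
        incl_len = struct.unpack(endian + "I", pcap[off + 8:off + 12])[0]
        frame, off = pcap[off + 16:off + 16 + incl_len], off + 16 + incl_len
        if len(frame) < 54 or frame[12:14] != b"\x08\x00" or frame[23] != 6:
            continue  # not IPv4 + TCP
        tcp = frame[14 + (frame[14] & 0x0F) * 4:]
        payload = tcp[(tcp[12] >> 4) * 4:] if len(tcp) >= 20 else b""
        # TLS record type 0x16 (handshake) carrying handshake type 0x02 (ServerHello)
        if len(payload) < 44 or payload[0] != 0x16 or payload[5] != 0x02:
            continue
        p = 44 + payload[43]  # skip record/handshake headers, version, random, session id
        if len(payload) >= p + 2:
            yield (socket.inet_ntoa(frame[26:30]), struct.unpack(">H", tcp[:2])[0],
                   struct.unpack(">H", payload[p:p + 2])[0])

def keys_list_entries(pcap, key_path, protocol="http"):
    """Return [(ssl.keys_list entry, rsa_key_can_decrypt)] for each server seen."""
    seen = {(ip, port): suite in RSA_KX for ip, port, suite in server_hellos(pcap)}
    return [(f"{ip},{port},{protocol},{key_path}", ok) for (ip, port), ok in sorted(seen.items())]

def sample_pcap(suite):
    """Constructed one-packet capture: a ServerHello sent from 192.168.100.4:443."""
    hello = b"\x03\x01" + bytes(32) + b"\x00" + struct.pack(">H", suite) + b"\x00"
    hs = b"\x02" + len(hello).to_bytes(3, "big") + hello
    rec = b"\x16\x03\x01" + struct.pack(">H", len(hs)) + hs
    tcp = struct.pack(">HHIIBBHHH", 443, 50000, 0, 0, 0x50, 0x18, 8192, 0, 0) + rec
    ip = struct.pack(">BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0, 64, 6, 0,
                     socket.inet_aton("192.168.100.4"), socket.inet_aton("192.168.100.9"))
    frame = bytes(12) + b"\x08\x00" + ip + tcp
    hdr = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    return hdr + struct.pack("<IIII", 0, 0, len(frame), len(frame)) + frame

if __name__ == "__main__":
    for entry, ok in keys_list_entries(sample_pcap(0x002F), "/path/to/private.pem"):
        print("ssl.keys_list:", entry, "" if ok else "# not RSA key exchange")
```

An entry flagged `False` means the server chose a suite outside the RSA key exchange set, so adding the private key to `ssl.keys_list` will not expose the application data for that session.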