|Export plain text pcap after SSL/TLS decryption|
Welcome the the first article in the new Unsniff Network Analyzer Tips section.
With Unsniff there are two options :
1. Use the private key to decrypt live or captured traffic.
2. Enable "Analyze Upper Layers of TLS" option
3. Import the capture file
Click on the Import from TCPDUMP icon
4. Locate the plaintext sessions (completely stripped of TLS)
Switch to the sessions sheet. Unsniff lists all the TCP sessions seen as top level objects. You can click the + button to view the packets that made up the session. For TLS, Unsniff creates two extra 'synthetic' TCP sessions for each TLS TCP session. The screenshot below shows the original session and the two 'synthetic' i.e. fake sessions.
Note that the decrypted session now has port 80 instead of port 443. It is as if we never used SSL!
5. Copy / Paste the session(s) stripped of TLS
You can simply save the selected session (Copy / Paste as new ). This can be read by Wireshark.
When you read in the exported plain text file, you will notice the following
The IP packet in the above screenshot is 7053 bytes long. It is impossible to derive a plaintext stream out of a TLS encrypted connection and still maintain a strong correlation with the original link layer packets. In short , we are trying to take a record based protocol and fragment it into IP datagrams.
Unsniff maps each decrypted TLS application data record into an IP packet and adds the required 3-way handshake and RST packets to build a fairly accurate representation. There is just enough information in the decrypted plaintext stream to help reconstruct the contents.
The following screenshot shows the TLS records. You need to switch to the PDU sheet to see them
Any questions, feel free to ask in the Forums