Differences

This shows you the differences between two versions of the page.

--- network_stuff:wireshark [2023/01/27 18:26] – jotasandoku
+++ network_stuff:wireshark [2025/07/10 21:21] (current) – jotasandoku
@@ Line 1: / Line 1: @@
 **__WIRESHARK NOTES__**\\
-[[https://panda314159.duckdns.org/doku.php?id=network_stuff:tcpdump:tcpnotes|tcp_notes]] + [[https://www.stationx.net/wireshark-cheat-sheet/|Cheatsheet]]
+[[https://panda314159.net/doku.php?id=network_stuff:tcpdump:tcpnotes|tcp_notes]] + [[https://www.stationx.net/wireshark-cheat-sheet/|Cheatsheet]]
 This is to caprutue and show in wireshark live traffic. Running on a linux based router like openwrt:
@@ Line 35: / Line 35: @@
 __Analyse__\\
-FIRST THING determine in which end of the conversation we are capturing the packets <<
+FIRST THING determine in which end of the conversation we are capturing the packets << (a) by just checking src/dst IPs. (b) by checking the TTL of the packet (eg: if TTL = 128 is not routed, so local)
 \\
@@ Line 141: / Line 141: @@
   dumpcap -i eth0 -b duration:3600 -b files:25 -w packets.cap
+----
+*** DECRYPT A TLS SESSION ***
+Several applications honor the SSLKEYLOGFILE environment variable, which allows you to log the TLS session key, and which e.g., Wireshark can read to then decrypt the TLS packets.1 To use it, simply export SSLKEYLOGFILE=/tmp/tlskeys, invoke the HTTP client (e.g., curl(1)2 or /Applications/Google\ Chrome.app), and then drill down in Wireshark->Preferences->Protocols->TLS and set the pathname for "(Pre)-Master-Secret log filename" to /tmp/tlskeys.
+\\
+both Chrome and Firefox honor the SSLKEYLOGFILE environment variable, making dissecting packets nice and easy.
+  $ export SSLKEYLOGFILE=/tmp/tlskeys
+  $ /Applications/Google\ Chrome.app/Contents/MacOS/Google\ Chrome http-123.test.netmeister.org

dokucama

User Tools

Site Tools

Differences

Page Tools