capturing ssl decrypted traffic

L0 Member

Hello group,

as I'm thinking that someone is doing nasty things in the SSL traffic, I thought of decrypting the SSL, capturing the decrypted packets and putting them into Wireshark to look at them.

Only I could not find a way of explicitly telling the PA to capture the decrypted traffic only.

Is there someone out there able to help me with that topic?

Thanks a lot

Marcus

1 ACCEPTED SOLUTION

As mentioned by Marcel, we are not able to get decrypted traffic off the box.

We are also unable to get a private key from the certificate that was generated/used for SSL decryption (forward proxy).

So we can't decrypt forward proxy captures at all.

9 REPLIES

L4 Transporter

Hi Marcus,

It is not possible to get the unencrypted traffic out of the box. To be able to decrypt SSL you need the certificate. Since you want to look inside, I assume that you have the certificate. What you can do is capture the SSL traffic and use this trace and Wireshark to decrypt it.

For more info I found this site:

http://support.citrix.com/article/CTX116557

Marcel

L2 Linker

I would like to ask some more questions on this.

We are decrypting traffic towards one of the websites.

The decryption is successful and we see that the application is now web-browsing and not SSL.

I want to create a custom application for a certain part of this site.

While taking the packet capture on the Palo Alto I have to specify the following:

debug dataplane packet-diag set capture stage (drop, firewall, receive, transmit), so I ended up with 4 .pcap files.

All traffic appears encrypted in Wireshark.

I extracted the private key from the certificate and tried to apply it in Wireshark, but Wireshark doesn't decrypt anything in any of the 4 files.

My question is whether I have to have all traffic in one log file (one pcap) in order to decrypt it in Wireshark?

Has anybody been successful taking a packet capture from a Palo Alto and decrypting it in Wireshark afterwards?

Traffic detected in the PCAP shows as TLSv1 for the interesting traffic.

Any thoughts or advice?

Thank You in advance!

Regards,

Mariusz

Hi Mariusz,

It's best to start a new thread if you have your own question. That'll make things more easily searchable in the forum for future users.

To answer your question, the certificate is created on the fly when doing SSL decryption. That private key is not exportable, and is discarded after a cache period. You will not be able to decode the traffic later in Wireshark (or any other tool) because of that.

Hope this helps,

Greg
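Added example, not from any poster in this thread: a small parser that reads a TLS ServerHello out of a captured handshake record and reports whether the negotiated cipher suite uses static RSA key exchange, which is the only case where the server's private key alone lets Wireshark decrypt the session as Marcel describes. For forward-proxy captures the per-session key stays on the box, as Greg notes, so this check only applies when you hold the real server key; the ServerHello bytes below are constructed inline.

```python
import struct

HANDSHAKE = 0x16      # TLS record content type: handshake
SERVER_HELLO = 0x02   # handshake message type: ServerHello

TLS_VERSIONS = {0x0301: "TLSv1.0", 0x0302: "TLSv1.1", 0x0303: "TLSv1.2"}

# Small subset of IANA cipher suite ids; the key-exchange column decides whether
# the server's RSA private key alone lets Wireshark recover the session keys.
CIPHER_SUITES = {
    0x002F: ("TLS_RSA_WITH_AES_128_CBC_SHA", "RSA"),
    0x0035: ("TLS_RSA_WITH_AES_256_CBC_SHA", "RSA"),
    0x009C: ("TLS_RSA_WITH_AES_128_GCM_SHA256", "RSA"),
    0xC013: ("TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA", "ECDHE"),
    0xC02F: ("TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256", "ECDHE"),
    0xC030: ("TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384", "ECDHE"),
}

def parse_server_hello(record: bytes) -> dict:
    """Parse one TLS record carrying a ServerHello and return the negotiated
    version, cipher suite and whether a static server key can decrypt it."""
    if len(record) < 5 or record[0] != HANDSHAKE:
        raise ValueError("not a TLS handshake record")
    rec_len = struct.unpack("!H", record[3:5])[0]
    body = record[5:5 + rec_len]
    if len(body) < 4 or body[0] != SERVER_HELLO:
        raise ValueError("record does not carry a ServerHello")
    hs_len = int.from_bytes(body[1:4], "big")
    hello = body[4:4 + hs_len]
    version = struct.unpack("!H", hello[0:2])[0]
    sid_len = hello[34]                      # 2 bytes version + 32 bytes random
    pos = 35 + sid_len                       # cipher suite follows the session id
    suite = struct.unpack("!H", hello[pos:pos + 2])[0]
    name, kx = CIPHER_SUITES.get(suite, ("unknown_0x%04x" % suite, "unknown"))
    return {
        "version": TLS_VERSIONS.get(version, "0x%04x" % version),
        "cipher_suite": name,
        "decryptable_with_server_key": kx == "RSA",
    }

def build_server_hello(version: int, suite: int) -> bytes:
    """Constructed sample record: minimal ServerHello, fixed random, empty session id."""
    hello = struct.pack("!H", version) + b"\x11" * 32 + b"\x00" + struct.pack("!H", suite) + b"\x00"
    hs = bytes([SERVER_HELLO]) + len(hello).to_bytes(3, "big") + hello
    return bytes([HANDSHAKE]) + struct.pack("!H", version) + struct.pack("!H", len(hs)) + hs

if __name__ == "__main__":
    for v, s in ((0x0301, 0x002F), (0x0303, 0xC02F)):
        print(parse_server_hello(build_server_hello(v, s)))
```

On a real capture, feed the first handshake record from the server side of each TLS stream to parse_server_hello; a False result means no private key will make Wireshark decrypt that session.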
