How to inspect decrypted TLS/SSL traffic in Wireshark from program not supporting SSLKEYLOGFILE?
TL;DR: I feel I'm pretty close to doing so by using sslsplit's interface mirroring, but I ran into an issue where the kernel is not replying to ARP requests that sslsplit is sending out on the mirrored interface.
I want to intercept an SSL/TLS connection of a program I'm running in my machine and see the decrypted contents in wireshark. It seems sslsplit's interface mirroring is what I need so I've been trying to set that up.
This command properly sets up the interception without mirroring and simply outputting some info to stdout:
sudo sslsplit -D -l /dev/stdout -c ca.crt -k ca.key tcp 192.168.10.1 9090 ssl 192.168.10.1 9091
192.168.10.0/24
is a subnet that's on a veth link. I put one end of the veth in a new network namespace and setup the other end as the default route in that namespace. EDIT 2: In other words, I did:
ip link add veth0a type veth peer veth0b
ip address add 192.168.10.1/24 dev veth0a
ip netns add sslsplitns
ip link set veth0b netns sslsplitns
ip netns exec sslsplitns ip address add 192.168.10.2/24 dev veth0b
ip link set veth0a up
ip netns exec sslsplitns ip link set veth0b up
ip netns exec sslsplitns ip route add default via 192.168.10.1
The idea is to run the program whose connection I want to intercept in that network namespace (i.e. ip netns exec sslsplitns $cmd
). I found this setup necessary because sslsplit works using the NAT engine, and it seems it can't pickup on packets unless they go through the INPUT chains.
Anyway, to use network mirroring I apparently select the interface I want to mirror to with -I
. However, sslsplit says that -I
depends on -T
which is:
-T addr Mirror connection content as emulated packets to destination address addr on the interface given by -I. Only IPv4 target addresses are currently supported. This option is not available if SSLsplit was built without mirroring support.
EDIT 4: I imagine this means that if I made an HTTPS request to, for example, 1.2.3.4, sslsplit would make an equivalent HTTP request to whatever I provide to this option. Somebody, please correct me if I'm misunderstanding this, because I'm not completely sure how this would work. Would sslsplit really be able to use this provided address as source and destination IP? Would it make sure that no other program would receive these mirrored packets in case they're actually listening? How would this mirroring work if I provided sslsplit with an actual physical link and the IP of another physical computer? Are these mirrored packets actually meant to be received and not merely inspected by a tool like wireshark or tcpdump?
So I made a dummy interface (ip link add dummy0 type dummy
), gave it an address and provided that address to sslplit's -T
.
EDIT: Here's the command:
sudo sslsplit -D -l /dev/stdout -T 192.168.12.2 -I veth1a -c ca.crt -k ca.key tcp 192.168.10.1 9090 ssl 192.168.10.1 9091
Looking through wireshark, in preparation to see the decrypted SSL packets, I see that sslsplit sends ARP requests querying the hardware address of the ip address I gave it. After various attempts, sslsplit
ends up dying with the message failed to lookup target ether
. I thought, maybe the kernel won't reply because it's the same address it's sending from, so it's too silly to take seriously. So I made another veth link, gave both ends a different address in the same /24 subnet, and provided one of them to sslsplit's -T
. It correctly used the other address to ARP query the hardware address of the IP I gave it, but the kernel still wouldn't reply to the ARP request.
I've tried activating all sysctl
options relating to ARP, and also rp_filter
, basing myself from this answer.
By the way, I know that various programs have support for looking into decrypted SSL in wireshark by use of the SSLKEYLOGFILE
environment variable, but the program whose connection I want to intercept has no support for that environment variable.
Here is a picture of wireshark with the ARP requests. When those fail I also see SSDP packets, but I don't know what those are, and they seem little relevant:
EDIT 3: For the record, here's some of the output from ip link
, which shows the ethernet address that the kernel should be replying with:
46: veth1b@veth1a: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP mode DEFAULT group default qlen 1000
link/ether 4a:36:55:f8:e1:d2 brd ff:ff:ff:ff:ff:ff
ssl iproute arp wireshark
add a comment |
TL;DR: I feel I'm pretty close to doing so by using sslsplit's interface mirroring, but I ran into an issue where the kernel is not replying to ARP requests that sslsplit is sending out on the mirrored interface.
I want to intercept an SSL/TLS connection of a program I'm running in my machine and see the decrypted contents in wireshark. It seems sslsplit's interface mirroring is what I need so I've been trying to set that up.
This command properly sets up the interception without mirroring and simply outputting some info to stdout:
sudo sslsplit -D -l /dev/stdout -c ca.crt -k ca.key tcp 192.168.10.1 9090 ssl 192.168.10.1 9091
192.168.10.0/24
is a subnet that's on a veth link. I put one end of the veth in a new network namespace and setup the other end as the default route in that namespace. EDIT 2: In other words, I did:
ip link add veth0a type veth peer veth0b
ip address add 192.168.10.1/24 dev veth0a
ip netns add sslsplitns
ip link set veth0b netns sslsplitns
ip netns exec sslsplitns ip address add 192.168.10.2/24 dev veth0b
ip link set veth0a up
ip netns exec sslsplitns ip link set veth0b up
ip netns exec sslsplitns ip route add default via 192.168.10.1
The idea is to run the program whose connection I want to intercept in that network namespace (i.e. ip netns exec sslsplitns $cmd
). I found this setup necessary because sslsplit works using the NAT engine, and it seems it can't pickup on packets unless they go through the INPUT chains.
Anyway, to use network mirroring I apparently select the interface I want to mirror to with -I
. However, sslsplit says that -I
depends on -T
which is:
-T addr Mirror connection content as emulated packets to destination address addr on the interface given by -I. Only IPv4 target addresses are currently supported. This option is not available if SSLsplit was built without mirroring support.
EDIT 4: I imagine this means that if I made an HTTPS request to, for example, 1.2.3.4, sslsplit would make an equivalent HTTP request to whatever I provide to this option. Somebody, please correct me if I'm misunderstanding this, because I'm not completely sure how this would work. Would sslsplit really be able to use this provided address as source and destination IP? Would it make sure that no other program would receive these mirrored packets in case they're actually listening? How would this mirroring work if I provided sslsplit with an actual physical link and the IP of another physical computer? Are these mirrored packets actually meant to be received and not merely inspected by a tool like wireshark or tcpdump?
So I made a dummy interface (ip link add dummy0 type dummy
), gave it an address and provided that address to sslplit's -T
.
EDIT: Here's the command:
sudo sslsplit -D -l /dev/stdout -T 192.168.12.2 -I veth1a -c ca.crt -k ca.key tcp 192.168.10.1 9090 ssl 192.168.10.1 9091
Looking through wireshark, in preparation to see the decrypted SSL packets, I see that sslsplit sends ARP requests querying the hardware address of the ip address I gave it. After various attempts, sslsplit
ends up dying with the message failed to lookup target ether
. I thought, maybe the kernel won't reply because it's the same address it's sending from, so it's too silly to take seriously. So I made another veth link, gave both ends a different address in the same /24 subnet, and provided one of them to sslsplit's -T
. It correctly used the other address to ARP query the hardware address of the IP I gave it, but the kernel still wouldn't reply to the ARP request.
I've tried activating all sysctl
options relating to ARP, and also rp_filter
, basing myself from this answer.
By the way, I know that various programs have support for looking into decrypted SSL in wireshark by use of the SSLKEYLOGFILE
environment variable, but the program whose connection I want to intercept has no support for that environment variable.
Here is a picture of wireshark with the ARP requests. When those fail I also see SSDP packets, but I don't know what those are, and they seem little relevant:
EDIT 3: For the record, here's some of the output from ip link
, which shows the ethernet address that the kernel should be replying with:
46: veth1b@veth1a: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP mode DEFAULT group default qlen 1000
link/ether 4a:36:55:f8:e1:d2 brd ff:ff:ff:ff:ff:ff
ssl iproute arp wireshark
add a comment |
TL;DR: I feel I'm pretty close to doing so by using sslsplit's interface mirroring, but I ran into an issue where the kernel is not replying to ARP requests that sslsplit is sending out on the mirrored interface.
I want to intercept an SSL/TLS connection of a program I'm running in my machine and see the decrypted contents in wireshark. It seems sslsplit's interface mirroring is what I need so I've been trying to set that up.
This command properly sets up the interception without mirroring and simply outputting some info to stdout:
sudo sslsplit -D -l /dev/stdout -c ca.crt -k ca.key tcp 192.168.10.1 9090 ssl 192.168.10.1 9091
192.168.10.0/24
is a subnet that's on a veth link. I put one end of the veth in a new network namespace and setup the other end as the default route in that namespace. EDIT 2: In other words, I did:
ip link add veth0a type veth peer veth0b
ip address add 192.168.10.1/24 dev veth0a
ip netns add sslsplitns
ip link set veth0b netns sslsplitns
ip netns exec sslsplitns ip address add 192.168.10.2/24 dev veth0b
ip link set veth0a up
ip netns exec sslsplitns ip link set veth0b up
ip netns exec sslsplitns ip route add default via 192.168.10.1
The idea is to run the program whose connection I want to intercept in that network namespace (i.e. ip netns exec sslsplitns $cmd
). I found this setup necessary because sslsplit works using the NAT engine, and it seems it can't pickup on packets unless they go through the INPUT chains.
Anyway, to use network mirroring I apparently select the interface I want to mirror to with -I
. However, sslsplit says that -I
depends on -T
which is:
-T addr Mirror connection content as emulated packets to destination address addr on the interface given by -I. Only IPv4 target addresses are currently supported. This option is not available if SSLsplit was built without mirroring support.
EDIT 4: I imagine this means that if I made an HTTPS request to, for example, 1.2.3.4, sslsplit would make an equivalent HTTP request to whatever I provide to this option. Somebody, please correct me if I'm misunderstanding this, because I'm not completely sure how this would work. Would sslsplit really be able to use this provided address as source and destination IP? Would it make sure that no other program would receive these mirrored packets in case they're actually listening? How would this mirroring work if I provided sslsplit with an actual physical link and the IP of another physical computer? Are these mirrored packets actually meant to be received and not merely inspected by a tool like wireshark or tcpdump?
So I made a dummy interface (ip link add dummy0 type dummy
), gave it an address and provided that address to sslplit's -T
.
EDIT: Here's the command:
sudo sslsplit -D -l /dev/stdout -T 192.168.12.2 -I veth1a -c ca.crt -k ca.key tcp 192.168.10.1 9090 ssl 192.168.10.1 9091
Looking through wireshark, in preparation to see the decrypted SSL packets, I see that sslsplit sends ARP requests querying the hardware address of the ip address I gave it. After various attempts, sslsplit
ends up dying with the message failed to lookup target ether
. I thought, maybe the kernel won't reply because it's the same address it's sending from, so it's too silly to take seriously. So I made another veth link, gave both ends a different address in the same /24 subnet, and provided one of them to sslsplit's -T
. It correctly used the other address to ARP query the hardware address of the IP I gave it, but the kernel still wouldn't reply to the ARP request.
I've tried activating all sysctl
options relating to ARP, and also rp_filter
, basing myself from this answer.
By the way, I know that various programs have support for looking into decrypted SSL in wireshark by use of the SSLKEYLOGFILE
environment variable, but the program whose connection I want to intercept has no support for that environment variable.
Here is a picture of wireshark with the ARP requests. When those fail I also see SSDP packets, but I don't know what those are, and they seem little relevant:
EDIT 3: For the record, here's some of the output from ip link
, which shows the ethernet address that the kernel should be replying with:
46: veth1b@veth1a: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP mode DEFAULT group default qlen 1000
link/ether 4a:36:55:f8:e1:d2 brd ff:ff:ff:ff:ff:ff
ssl iproute arp wireshark
TL;DR: I feel I'm pretty close to doing so by using sslsplit's interface mirroring, but I ran into an issue where the kernel is not replying to ARP requests that sslsplit is sending out on the mirrored interface.
I want to intercept an SSL/TLS connection of a program I'm running in my machine and see the decrypted contents in wireshark. It seems sslsplit's interface mirroring is what I need so I've been trying to set that up.
This command properly sets up the interception without mirroring and simply outputting some info to stdout:
sudo sslsplit -D -l /dev/stdout -c ca.crt -k ca.key tcp 192.168.10.1 9090 ssl 192.168.10.1 9091
192.168.10.0/24
is a subnet that's on a veth link. I put one end of the veth in a new network namespace and setup the other end as the default route in that namespace. EDIT 2: In other words, I did:
ip link add veth0a type veth peer veth0b
ip address add 192.168.10.1/24 dev veth0a
ip netns add sslsplitns
ip link set veth0b netns sslsplitns
ip netns exec sslsplitns ip address add 192.168.10.2/24 dev veth0b
ip link set veth0a up
ip netns exec sslsplitns ip link set veth0b up
ip netns exec sslsplitns ip route add default via 192.168.10.1
The idea is to run the program whose connection I want to intercept in that network namespace (i.e. ip netns exec sslsplitns $cmd
). I found this setup necessary because sslsplit works using the NAT engine, and it seems it can't pickup on packets unless they go through the INPUT chains.
Anyway, to use network mirroring I apparently select the interface I want to mirror to with -I
. However, sslsplit says that -I
depends on -T
which is:
-T addr Mirror connection content as emulated packets to destination address addr on the interface given by -I. Only IPv4 target addresses are currently supported. This option is not available if SSLsplit was built without mirroring support.
EDIT 4: I imagine this means that if I made an HTTPS request to, for example, 1.2.3.4, sslsplit would make an equivalent HTTP request to whatever I provide to this option. Somebody, please correct me if I'm misunderstanding this, because I'm not completely sure how this would work. Would sslsplit really be able to use this provided address as source and destination IP? Would it make sure that no other program would receive these mirrored packets in case they're actually listening? How would this mirroring work if I provided sslsplit with an actual physical link and the IP of another physical computer? Are these mirrored packets actually meant to be received and not merely inspected by a tool like wireshark or tcpdump?
So I made a dummy interface (ip link add dummy0 type dummy
), gave it an address and provided that address to sslplit's -T
.
EDIT: Here's the command:
sudo sslsplit -D -l /dev/stdout -T 192.168.12.2 -I veth1a -c ca.crt -k ca.key tcp 192.168.10.1 9090 ssl 192.168.10.1 9091
Looking through wireshark, in preparation to see the decrypted SSL packets, I see that sslsplit sends ARP requests querying the hardware address of the ip address I gave it. After various attempts, sslsplit
ends up dying with the message failed to lookup target ether
. I thought, maybe the kernel won't reply because it's the same address it's sending from, so it's too silly to take seriously. So I made another veth link, gave both ends a different address in the same /24 subnet, and provided one of them to sslsplit's -T
. It correctly used the other address to ARP query the hardware address of the IP I gave it, but the kernel still wouldn't reply to the ARP request.
I've tried activating all sysctl
options relating to ARP, and also rp_filter
, basing myself from this answer.
By the way, I know that various programs have support for looking into decrypted SSL in wireshark by use of the SSLKEYLOGFILE
environment variable, but the program whose connection I want to intercept has no support for that environment variable.
Here is a picture of wireshark with the ARP requests. When those fail I also see SSDP packets, but I don't know what those are, and they seem little relevant:
EDIT 3: For the record, here's some of the output from ip link
, which shows the ethernet address that the kernel should be replying with:
46: veth1b@veth1a: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP mode DEFAULT group default qlen 1000
link/ether 4a:36:55:f8:e1:d2 brd ff:ff:ff:ff:ff:ff
ssl iproute arp wireshark
ssl iproute arp wireshark
edited Dec 4 '18 at 21:47
JoL
asked Dec 4 '18 at 2:51
JoLJoL
1,146311
1,146311
add a comment |
add a comment |
1 Answer
1
active
oldest
votes
I cannot solve your problem, but I hope I could provide you with a little help.
As you know, parameters -I
and -T
are both required for mirroring.
Parameter -I
specifies an interface on which is intended to be an analyzer (some node capturing mirrored packets) and parameter -T
specifies IPv4 address of the target of mirrored data.
SSLsplit actually does resolve MAC address (L2 header) from provided interface and IPv4 address. SSLsplit looks up source MAC address from the interface and as a next step sends ARP request for target IPv4 address on the interface. SSLsplit waits for ARP response which contains destination MAC address in order to have all addresses to fill up a packet.
If you provide to SSLsplit dummy interface it cannot resolve the destination MAC address. That is the reason why you have got failed to lookup target ether
.
Is not better in this case use -X
parameter to log traffic into .pcap
file and you do not have to solve resolving problems?
New contributor
add a comment |
Your Answer
StackExchange.ready(function() {
var channelOptions = {
tags: "".split(" "),
id: "106"
};
initTagRenderer("".split(" "), "".split(" "), channelOptions);
StackExchange.using("externalEditor", function() {
// Have to fire editor after snippets, if snippets enabled
if (StackExchange.settings.snippets.snippetsEnabled) {
StackExchange.using("snippets", function() {
createEditor();
});
}
else {
createEditor();
}
});
function createEditor() {
StackExchange.prepareEditor({
heartbeatType: 'answer',
autoActivateHeartbeat: false,
convertImagesToLinks: false,
noModals: true,
showLowRepImageUploadWarning: true,
reputationToPostImages: null,
bindNavPrevention: true,
postfix: "",
imageUploader: {
brandingHtml: "Powered by u003ca class="icon-imgur-white" href="https://imgur.com/"u003eu003c/au003e",
contentPolicyHtml: "User contributions licensed under u003ca href="https://creativecommons.org/licenses/by-sa/3.0/"u003ecc by-sa 3.0 with attribution requiredu003c/au003e u003ca href="https://stackoverflow.com/legal/content-policy"u003e(content policy)u003c/au003e",
allowUrls: true
},
onDemand: true,
discardSelector: ".discard-answer"
,immediatelyShowMarkdownHelp:true
});
}
});
Sign up or log in
StackExchange.ready(function () {
StackExchange.helpers.onClickDraftSave('#login-link');
});
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
StackExchange.ready(
function () {
StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2funix.stackexchange.com%2fquestions%2f485808%2fhow-to-inspect-decrypted-tls-ssl-traffic-in-wireshark-from-program-not-supportin%23new-answer', 'question_page');
}
);
Post as a guest
Required, but never shown
1 Answer
1
active
oldest
votes
1 Answer
1
active
oldest
votes
active
oldest
votes
active
oldest
votes
I cannot solve your problem, but I hope I could provide you with a little help.
As you know, parameters -I
and -T
are both required for mirroring.
Parameter -I
specifies an interface on which is intended to be an analyzer (some node capturing mirrored packets) and parameter -T
specifies IPv4 address of the target of mirrored data.
SSLsplit actually does resolve MAC address (L2 header) from provided interface and IPv4 address. SSLsplit looks up source MAC address from the interface and as a next step sends ARP request for target IPv4 address on the interface. SSLsplit waits for ARP response which contains destination MAC address in order to have all addresses to fill up a packet.
If you provide to SSLsplit dummy interface it cannot resolve the destination MAC address. That is the reason why you have got failed to lookup target ether
.
Is not better in this case use -X
parameter to log traffic into .pcap
file and you do not have to solve resolving problems?
New contributor
add a comment |
I cannot solve your problem, but I hope I could provide you with a little help.
As you know, parameters -I
and -T
are both required for mirroring.
Parameter -I
specifies an interface on which is intended to be an analyzer (some node capturing mirrored packets) and parameter -T
specifies IPv4 address of the target of mirrored data.
SSLsplit actually does resolve MAC address (L2 header) from provided interface and IPv4 address. SSLsplit looks up source MAC address from the interface and as a next step sends ARP request for target IPv4 address on the interface. SSLsplit waits for ARP response which contains destination MAC address in order to have all addresses to fill up a packet.
If you provide to SSLsplit dummy interface it cannot resolve the destination MAC address. That is the reason why you have got failed to lookup target ether
.
Is not better in this case use -X
parameter to log traffic into .pcap
file and you do not have to solve resolving problems?
New contributor
add a comment |
I cannot solve your problem, but I hope I could provide you with a little help.
As you know, parameters -I
and -T
are both required for mirroring.
Parameter -I
specifies an interface on which is intended to be an analyzer (some node capturing mirrored packets) and parameter -T
specifies IPv4 address of the target of mirrored data.
SSLsplit actually does resolve MAC address (L2 header) from provided interface and IPv4 address. SSLsplit looks up source MAC address from the interface and as a next step sends ARP request for target IPv4 address on the interface. SSLsplit waits for ARP response which contains destination MAC address in order to have all addresses to fill up a packet.
If you provide to SSLsplit dummy interface it cannot resolve the destination MAC address. That is the reason why you have got failed to lookup target ether
.
Is not better in this case use -X
parameter to log traffic into .pcap
file and you do not have to solve resolving problems?
New contributor
I cannot solve your problem, but I hope I could provide you with a little help.
As you know, parameters -I
and -T
are both required for mirroring.
Parameter -I
specifies an interface on which is intended to be an analyzer (some node capturing mirrored packets) and parameter -T
specifies IPv4 address of the target of mirrored data.
SSLsplit actually does resolve MAC address (L2 header) from provided interface and IPv4 address. SSLsplit looks up source MAC address from the interface and as a next step sends ARP request for target IPv4 address on the interface. SSLsplit waits for ARP response which contains destination MAC address in order to have all addresses to fill up a packet.
If you provide to SSLsplit dummy interface it cannot resolve the destination MAC address. That is the reason why you have got failed to lookup target ether
.
Is not better in this case use -X
parameter to log traffic into .pcap
file and you do not have to solve resolving problems?
New contributor
New contributor
answered 2 hours ago
iK.sSsiK.sSs
1
1
New contributor
New contributor
add a comment |
add a comment |
Thanks for contributing an answer to Unix & Linux Stack Exchange!
- Please be sure to answer the question. Provide details and share your research!
But avoid …
- Asking for help, clarification, or responding to other answers.
- Making statements based on opinion; back them up with references or personal experience.
To learn more, see our tips on writing great answers.
Sign up or log in
StackExchange.ready(function () {
StackExchange.helpers.onClickDraftSave('#login-link');
});
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
StackExchange.ready(
function () {
StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2funix.stackexchange.com%2fquestions%2f485808%2fhow-to-inspect-decrypted-tls-ssl-traffic-in-wireshark-from-program-not-supportin%23new-answer', 'question_page');
}
);
Post as a guest
Required, but never shown
Sign up or log in
StackExchange.ready(function () {
StackExchange.helpers.onClickDraftSave('#login-link');
});
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
Sign up or log in
StackExchange.ready(function () {
StackExchange.helpers.onClickDraftSave('#login-link');
});
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
Sign up or log in
StackExchange.ready(function () {
StackExchange.helpers.onClickDraftSave('#login-link');
});
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown