How to inspect decrypted TLS/SSL traffic in Wireshark from program not supporting SSLKEYLOGFILE?












1















TL;DR: I feel I'm pretty close to doing so by using sslsplit's interface mirroring, but I ran into an issue where the kernel is not replying to ARP requests that sslsplit is sending out on the mirrored interface.



I want to intercept an SSL/TLS connection of a program I'm running in my machine and see the decrypted contents in wireshark. It seems sslsplit's interface mirroring is what I need so I've been trying to set that up.



This command properly sets up the interception without mirroring and simply outputting some info to stdout:



sudo sslsplit -D -l /dev/stdout -c ca.crt -k ca.key tcp 192.168.10.1 9090 ssl 192.168.10.1 9091


192.168.10.0/24 is a subnet that's on a veth link. I put one end of the veth in a new network namespace and setup the other end as the default route in that namespace. EDIT 2: In other words, I did:



ip link add veth0a type veth peer veth0b
ip address add 192.168.10.1/24 dev veth0a
ip netns add sslsplitns
ip link set veth0b netns sslsplitns
ip netns exec sslsplitns ip address add 192.168.10.2/24 dev veth0b
ip link set veth0a up
ip netns exec sslsplitns ip link set veth0b up
ip netns exec sslsplitns ip route add default via 192.168.10.1


The idea is to run the program whose connection I want to intercept in that network namespace (i.e. ip netns exec sslsplitns $cmd). I found this setup necessary because sslsplit works using the NAT engine, and it seems it can't pickup on packets unless they go through the INPUT chains.



Anyway, to use network mirroring I apparently select the interface I want to mirror to with -I. However, sslsplit says that -I depends on -T which is:




-T addr Mirror connection content as emulated packets to destination address addr on the interface given by -I. Only IPv4 target addresses are currently supported. This option is not available if SSLsplit was built without mirroring support.




EDIT 4: I imagine this means that if I made an HTTPS request to, for example, 1.2.3.4, sslsplit would make an equivalent HTTP request to whatever I provide to this option. Somebody, please correct me if I'm misunderstanding this, because I'm not completely sure how this would work. Would sslsplit really be able to use this provided address as source and destination IP? Would it make sure that no other program would receive these mirrored packets in case they're actually listening? How would this mirroring work if I provided sslsplit with an actual physical link and the IP of another physical computer? Are these mirrored packets actually meant to be received and not merely inspected by a tool like wireshark or tcpdump?



So I made a dummy interface (ip link add dummy0 type dummy), gave it an address and provided that address to sslplit's -T.



EDIT: Here's the command:



sudo sslsplit -D -l /dev/stdout -T 192.168.12.2 -I veth1a -c ca.crt -k ca.key tcp 192.168.10.1 9090 ssl 192.168.10.1 9091


Looking through wireshark, in preparation to see the decrypted SSL packets, I see that sslsplit sends ARP requests querying the hardware address of the ip address I gave it. After various attempts, sslsplit ends up dying with the message failed to lookup target ether. I thought, maybe the kernel won't reply because it's the same address it's sending from, so it's too silly to take seriously. So I made another veth link, gave both ends a different address in the same /24 subnet, and provided one of them to sslsplit's -T. It correctly used the other address to ARP query the hardware address of the IP I gave it, but the kernel still wouldn't reply to the ARP request.



I've tried activating all sysctl options relating to ARP, and also rp_filter, basing myself from this answer.



By the way, I know that various programs have support for looking into decrypted SSL in wireshark by use of the SSLKEYLOGFILE environment variable, but the program whose connection I want to intercept has no support for that environment variable.



Here is a picture of wireshark with the ARP requests. When those fail I also see SSDP packets, but I don't know what those are, and they seem little relevant:



wireshark arp requests



EDIT 3: For the record, here's some of the output from ip link, which shows the ethernet address that the kernel should be replying with:



46: veth1b@veth1a: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP mode DEFAULT group default qlen 1000
link/ether 4a:36:55:f8:e1:d2 brd ff:ff:ff:ff:ff:ff









share|improve this question





























    1















    TL;DR: I feel I'm pretty close to doing so by using sslsplit's interface mirroring, but I ran into an issue where the kernel is not replying to ARP requests that sslsplit is sending out on the mirrored interface.



    I want to intercept an SSL/TLS connection of a program I'm running in my machine and see the decrypted contents in wireshark. It seems sslsplit's interface mirroring is what I need so I've been trying to set that up.



    This command properly sets up the interception without mirroring and simply outputting some info to stdout:



    sudo sslsplit -D -l /dev/stdout -c ca.crt -k ca.key tcp 192.168.10.1 9090 ssl 192.168.10.1 9091


    192.168.10.0/24 is a subnet that's on a veth link. I put one end of the veth in a new network namespace and setup the other end as the default route in that namespace. EDIT 2: In other words, I did:



    ip link add veth0a type veth peer veth0b
    ip address add 192.168.10.1/24 dev veth0a
    ip netns add sslsplitns
    ip link set veth0b netns sslsplitns
    ip netns exec sslsplitns ip address add 192.168.10.2/24 dev veth0b
    ip link set veth0a up
    ip netns exec sslsplitns ip link set veth0b up
    ip netns exec sslsplitns ip route add default via 192.168.10.1


    The idea is to run the program whose connection I want to intercept in that network namespace (i.e. ip netns exec sslsplitns $cmd). I found this setup necessary because sslsplit works using the NAT engine, and it seems it can't pickup on packets unless they go through the INPUT chains.



    Anyway, to use network mirroring I apparently select the interface I want to mirror to with -I. However, sslsplit says that -I depends on -T which is:




    -T addr Mirror connection content as emulated packets to destination address addr on the interface given by -I. Only IPv4 target addresses are currently supported. This option is not available if SSLsplit was built without mirroring support.




    EDIT 4: I imagine this means that if I made an HTTPS request to, for example, 1.2.3.4, sslsplit would make an equivalent HTTP request to whatever I provide to this option. Somebody, please correct me if I'm misunderstanding this, because I'm not completely sure how this would work. Would sslsplit really be able to use this provided address as source and destination IP? Would it make sure that no other program would receive these mirrored packets in case they're actually listening? How would this mirroring work if I provided sslsplit with an actual physical link and the IP of another physical computer? Are these mirrored packets actually meant to be received and not merely inspected by a tool like wireshark or tcpdump?



    So I made a dummy interface (ip link add dummy0 type dummy), gave it an address and provided that address to sslplit's -T.



    EDIT: Here's the command:



    sudo sslsplit -D -l /dev/stdout -T 192.168.12.2 -I veth1a -c ca.crt -k ca.key tcp 192.168.10.1 9090 ssl 192.168.10.1 9091


    Looking through wireshark, in preparation to see the decrypted SSL packets, I see that sslsplit sends ARP requests querying the hardware address of the ip address I gave it. After various attempts, sslsplit ends up dying with the message failed to lookup target ether. I thought, maybe the kernel won't reply because it's the same address it's sending from, so it's too silly to take seriously. So I made another veth link, gave both ends a different address in the same /24 subnet, and provided one of them to sslsplit's -T. It correctly used the other address to ARP query the hardware address of the IP I gave it, but the kernel still wouldn't reply to the ARP request.



    I've tried activating all sysctl options relating to ARP, and also rp_filter, basing myself from this answer.



    By the way, I know that various programs have support for looking into decrypted SSL in wireshark by use of the SSLKEYLOGFILE environment variable, but the program whose connection I want to intercept has no support for that environment variable.



    Here is a picture of wireshark with the ARP requests. When those fail I also see SSDP packets, but I don't know what those are, and they seem little relevant:



    wireshark arp requests



    EDIT 3: For the record, here's some of the output from ip link, which shows the ethernet address that the kernel should be replying with:



    46: veth1b@veth1a: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP mode DEFAULT group default qlen 1000
    link/ether 4a:36:55:f8:e1:d2 brd ff:ff:ff:ff:ff:ff









    share|improve this question



























      1












      1








      1








      TL;DR: I feel I'm pretty close to doing so by using sslsplit's interface mirroring, but I ran into an issue where the kernel is not replying to ARP requests that sslsplit is sending out on the mirrored interface.



      I want to intercept an SSL/TLS connection of a program I'm running in my machine and see the decrypted contents in wireshark. It seems sslsplit's interface mirroring is what I need so I've been trying to set that up.



      This command properly sets up the interception without mirroring and simply outputting some info to stdout:



      sudo sslsplit -D -l /dev/stdout -c ca.crt -k ca.key tcp 192.168.10.1 9090 ssl 192.168.10.1 9091


      192.168.10.0/24 is a subnet that's on a veth link. I put one end of the veth in a new network namespace and setup the other end as the default route in that namespace. EDIT 2: In other words, I did:



      ip link add veth0a type veth peer veth0b
      ip address add 192.168.10.1/24 dev veth0a
      ip netns add sslsplitns
      ip link set veth0b netns sslsplitns
      ip netns exec sslsplitns ip address add 192.168.10.2/24 dev veth0b
      ip link set veth0a up
      ip netns exec sslsplitns ip link set veth0b up
      ip netns exec sslsplitns ip route add default via 192.168.10.1


      The idea is to run the program whose connection I want to intercept in that network namespace (i.e. ip netns exec sslsplitns $cmd). I found this setup necessary because sslsplit works using the NAT engine, and it seems it can't pickup on packets unless they go through the INPUT chains.



      Anyway, to use network mirroring I apparently select the interface I want to mirror to with -I. However, sslsplit says that -I depends on -T which is:




      -T addr Mirror connection content as emulated packets to destination address addr on the interface given by -I. Only IPv4 target addresses are currently supported. This option is not available if SSLsplit was built without mirroring support.




      EDIT 4: I imagine this means that if I made an HTTPS request to, for example, 1.2.3.4, sslsplit would make an equivalent HTTP request to whatever I provide to this option. Somebody, please correct me if I'm misunderstanding this, because I'm not completely sure how this would work. Would sslsplit really be able to use this provided address as source and destination IP? Would it make sure that no other program would receive these mirrored packets in case they're actually listening? How would this mirroring work if I provided sslsplit with an actual physical link and the IP of another physical computer? Are these mirrored packets actually meant to be received and not merely inspected by a tool like wireshark or tcpdump?



      So I made a dummy interface (ip link add dummy0 type dummy), gave it an address and provided that address to sslplit's -T.



      EDIT: Here's the command:



      sudo sslsplit -D -l /dev/stdout -T 192.168.12.2 -I veth1a -c ca.crt -k ca.key tcp 192.168.10.1 9090 ssl 192.168.10.1 9091


      Looking through wireshark, in preparation to see the decrypted SSL packets, I see that sslsplit sends ARP requests querying the hardware address of the ip address I gave it. After various attempts, sslsplit ends up dying with the message failed to lookup target ether. I thought, maybe the kernel won't reply because it's the same address it's sending from, so it's too silly to take seriously. So I made another veth link, gave both ends a different address in the same /24 subnet, and provided one of them to sslsplit's -T. It correctly used the other address to ARP query the hardware address of the IP I gave it, but the kernel still wouldn't reply to the ARP request.



      I've tried activating all sysctl options relating to ARP, and also rp_filter, basing myself from this answer.



      By the way, I know that various programs have support for looking into decrypted SSL in wireshark by use of the SSLKEYLOGFILE environment variable, but the program whose connection I want to intercept has no support for that environment variable.



      Here is a picture of wireshark with the ARP requests. When those fail I also see SSDP packets, but I don't know what those are, and they seem little relevant:



      wireshark arp requests



      EDIT 3: For the record, here's some of the output from ip link, which shows the ethernet address that the kernel should be replying with:



      46: veth1b@veth1a: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP mode DEFAULT group default qlen 1000
      link/ether 4a:36:55:f8:e1:d2 brd ff:ff:ff:ff:ff:ff









      share|improve this question
















      TL;DR: I feel I'm pretty close to doing so by using sslsplit's interface mirroring, but I ran into an issue where the kernel is not replying to ARP requests that sslsplit is sending out on the mirrored interface.



      I want to intercept an SSL/TLS connection of a program I'm running in my machine and see the decrypted contents in wireshark. It seems sslsplit's interface mirroring is what I need so I've been trying to set that up.



      This command properly sets up the interception without mirroring and simply outputting some info to stdout:



      sudo sslsplit -D -l /dev/stdout -c ca.crt -k ca.key tcp 192.168.10.1 9090 ssl 192.168.10.1 9091


      192.168.10.0/24 is a subnet that's on a veth link. I put one end of the veth in a new network namespace and setup the other end as the default route in that namespace. EDIT 2: In other words, I did:



      ip link add veth0a type veth peer veth0b
      ip address add 192.168.10.1/24 dev veth0a
      ip netns add sslsplitns
      ip link set veth0b netns sslsplitns
      ip netns exec sslsplitns ip address add 192.168.10.2/24 dev veth0b
      ip link set veth0a up
      ip netns exec sslsplitns ip link set veth0b up
      ip netns exec sslsplitns ip route add default via 192.168.10.1


      The idea is to run the program whose connection I want to intercept in that network namespace (i.e. ip netns exec sslsplitns $cmd). I found this setup necessary because sslsplit works using the NAT engine, and it seems it can't pickup on packets unless they go through the INPUT chains.



      Anyway, to use network mirroring I apparently select the interface I want to mirror to with -I. However, sslsplit says that -I depends on -T which is:




      -T addr Mirror connection content as emulated packets to destination address addr on the interface given by -I. Only IPv4 target addresses are currently supported. This option is not available if SSLsplit was built without mirroring support.




      EDIT 4: I imagine this means that if I made an HTTPS request to, for example, 1.2.3.4, sslsplit would make an equivalent HTTP request to whatever I provide to this option. Somebody, please correct me if I'm misunderstanding this, because I'm not completely sure how this would work. Would sslsplit really be able to use this provided address as source and destination IP? Would it make sure that no other program would receive these mirrored packets in case they're actually listening? How would this mirroring work if I provided sslsplit with an actual physical link and the IP of another physical computer? Are these mirrored packets actually meant to be received and not merely inspected by a tool like wireshark or tcpdump?



      So I made a dummy interface (ip link add dummy0 type dummy), gave it an address and provided that address to sslplit's -T.



      EDIT: Here's the command:



      sudo sslsplit -D -l /dev/stdout -T 192.168.12.2 -I veth1a -c ca.crt -k ca.key tcp 192.168.10.1 9090 ssl 192.168.10.1 9091


      Looking through wireshark, in preparation to see the decrypted SSL packets, I see that sslsplit sends ARP requests querying the hardware address of the ip address I gave it. After various attempts, sslsplit ends up dying with the message failed to lookup target ether. I thought, maybe the kernel won't reply because it's the same address it's sending from, so it's too silly to take seriously. So I made another veth link, gave both ends a different address in the same /24 subnet, and provided one of them to sslsplit's -T. It correctly used the other address to ARP query the hardware address of the IP I gave it, but the kernel still wouldn't reply to the ARP request.



      I've tried activating all sysctl options relating to ARP, and also rp_filter, basing myself from this answer.



      By the way, I know that various programs have support for looking into decrypted SSL in wireshark by use of the SSLKEYLOGFILE environment variable, but the program whose connection I want to intercept has no support for that environment variable.



      Here is a picture of wireshark with the ARP requests. When those fail I also see SSDP packets, but I don't know what those are, and they seem little relevant:



      wireshark arp requests



      EDIT 3: For the record, here's some of the output from ip link, which shows the ethernet address that the kernel should be replying with:



      46: veth1b@veth1a: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP mode DEFAULT group default qlen 1000
      link/ether 4a:36:55:f8:e1:d2 brd ff:ff:ff:ff:ff:ff






      ssl iproute arp wireshark






      share|improve this question















      share|improve this question













      share|improve this question




      share|improve this question








      edited Dec 4 '18 at 21:47







      JoL

















      asked Dec 4 '18 at 2:51









      JoLJoL

      1,146311




      1,146311






















          1 Answer
          1






          active

          oldest

          votes


















          0














          I cannot solve your problem, but I hope I could provide you with a little help.



          As you know, parameters -I and -T are both required for mirroring.
          Parameter -I specifies an interface on which is intended to be an analyzer (some node capturing mirrored packets) and parameter -T specifies IPv4 address of the target of mirrored data.



          SSLsplit actually does resolve MAC address (L2 header) from provided interface and IPv4 address. SSLsplit looks up source MAC address from the interface and as a next step sends ARP request for target IPv4 address on the interface. SSLsplit waits for ARP response which contains destination MAC address in order to have all addresses to fill up a packet.



          If you provide to SSLsplit dummy interface it cannot resolve the destination MAC address. That is the reason why you have got failed to lookup target ether.



          Is not better in this case use -X parameter to log traffic into .pcap file and you do not have to solve resolving problems?






          share|improve this answer








          New contributor




          iK.sSs is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
          Check out our Code of Conduct.




















            Your Answer








            StackExchange.ready(function() {
            var channelOptions = {
            tags: "".split(" "),
            id: "106"
            };
            initTagRenderer("".split(" "), "".split(" "), channelOptions);

            StackExchange.using("externalEditor", function() {
            // Have to fire editor after snippets, if snippets enabled
            if (StackExchange.settings.snippets.snippetsEnabled) {
            StackExchange.using("snippets", function() {
            createEditor();
            });
            }
            else {
            createEditor();
            }
            });

            function createEditor() {
            StackExchange.prepareEditor({
            heartbeatType: 'answer',
            autoActivateHeartbeat: false,
            convertImagesToLinks: false,
            noModals: true,
            showLowRepImageUploadWarning: true,
            reputationToPostImages: null,
            bindNavPrevention: true,
            postfix: "",
            imageUploader: {
            brandingHtml: "Powered by u003ca class="icon-imgur-white" href="https://imgur.com/"u003eu003c/au003e",
            contentPolicyHtml: "User contributions licensed under u003ca href="https://creativecommons.org/licenses/by-sa/3.0/"u003ecc by-sa 3.0 with attribution requiredu003c/au003e u003ca href="https://stackoverflow.com/legal/content-policy"u003e(content policy)u003c/au003e",
            allowUrls: true
            },
            onDemand: true,
            discardSelector: ".discard-answer"
            ,immediatelyShowMarkdownHelp:true
            });


            }
            });














            draft saved

            draft discarded


















            StackExchange.ready(
            function () {
            StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2funix.stackexchange.com%2fquestions%2f485808%2fhow-to-inspect-decrypted-tls-ssl-traffic-in-wireshark-from-program-not-supportin%23new-answer', 'question_page');
            }
            );

            Post as a guest















            Required, but never shown

























            1 Answer
            1






            active

            oldest

            votes








            1 Answer
            1






            active

            oldest

            votes









            active

            oldest

            votes






            active

            oldest

            votes









            0














            I cannot solve your problem, but I hope I could provide you with a little help.



            As you know, parameters -I and -T are both required for mirroring.
            Parameter -I specifies an interface on which is intended to be an analyzer (some node capturing mirrored packets) and parameter -T specifies IPv4 address of the target of mirrored data.



            SSLsplit actually does resolve MAC address (L2 header) from provided interface and IPv4 address. SSLsplit looks up source MAC address from the interface and as a next step sends ARP request for target IPv4 address on the interface. SSLsplit waits for ARP response which contains destination MAC address in order to have all addresses to fill up a packet.



            If you provide to SSLsplit dummy interface it cannot resolve the destination MAC address. That is the reason why you have got failed to lookup target ether.



            Is not better in this case use -X parameter to log traffic into .pcap file and you do not have to solve resolving problems?






            share|improve this answer








            New contributor




            iK.sSs is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
            Check out our Code of Conduct.

























              0














              I cannot solve your problem, but I hope I could provide you with a little help.



              As you know, parameters -I and -T are both required for mirroring.
              Parameter -I specifies an interface on which is intended to be an analyzer (some node capturing mirrored packets) and parameter -T specifies IPv4 address of the target of mirrored data.



              SSLsplit actually does resolve MAC address (L2 header) from provided interface and IPv4 address. SSLsplit looks up source MAC address from the interface and as a next step sends ARP request for target IPv4 address on the interface. SSLsplit waits for ARP response which contains destination MAC address in order to have all addresses to fill up a packet.



              If you provide to SSLsplit dummy interface it cannot resolve the destination MAC address. That is the reason why you have got failed to lookup target ether.



              Is not better in this case use -X parameter to log traffic into .pcap file and you do not have to solve resolving problems?






              share|improve this answer








              New contributor




              iK.sSs is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
              Check out our Code of Conduct.























                0












                0








                0







                I cannot solve your problem, but I hope I could provide you with a little help.



                As you know, parameters -I and -T are both required for mirroring.
                Parameter -I specifies an interface on which is intended to be an analyzer (some node capturing mirrored packets) and parameter -T specifies IPv4 address of the target of mirrored data.



                SSLsplit actually does resolve MAC address (L2 header) from provided interface and IPv4 address. SSLsplit looks up source MAC address from the interface and as a next step sends ARP request for target IPv4 address on the interface. SSLsplit waits for ARP response which contains destination MAC address in order to have all addresses to fill up a packet.



                If you provide to SSLsplit dummy interface it cannot resolve the destination MAC address. That is the reason why you have got failed to lookup target ether.



                Is not better in this case use -X parameter to log traffic into .pcap file and you do not have to solve resolving problems?






                share|improve this answer








                New contributor




                iK.sSs is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
                Check out our Code of Conduct.










                I cannot solve your problem, but I hope I could provide you with a little help.



                As you know, parameters -I and -T are both required for mirroring.
                Parameter -I specifies an interface on which is intended to be an analyzer (some node capturing mirrored packets) and parameter -T specifies IPv4 address of the target of mirrored data.



                SSLsplit actually does resolve MAC address (L2 header) from provided interface and IPv4 address. SSLsplit looks up source MAC address from the interface and as a next step sends ARP request for target IPv4 address on the interface. SSLsplit waits for ARP response which contains destination MAC address in order to have all addresses to fill up a packet.



                If you provide to SSLsplit dummy interface it cannot resolve the destination MAC address. That is the reason why you have got failed to lookup target ether.



                Is not better in this case use -X parameter to log traffic into .pcap file and you do not have to solve resolving problems?







                share|improve this answer








                New contributor




                iK.sSs is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
                Check out our Code of Conduct.









                share|improve this answer



                share|improve this answer






                New contributor




                iK.sSs is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
                Check out our Code of Conduct.









                answered 2 hours ago









                iK.sSsiK.sSs

                1




                1




                New contributor




                iK.sSs is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
                Check out our Code of Conduct.





                New contributor





                iK.sSs is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
                Check out our Code of Conduct.






                iK.sSs is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
                Check out our Code of Conduct.






























                    draft saved

                    draft discarded




















































                    Thanks for contributing an answer to Unix & Linux Stack Exchange!


                    • Please be sure to answer the question. Provide details and share your research!

                    But avoid



                    • Asking for help, clarification, or responding to other answers.

                    • Making statements based on opinion; back them up with references or personal experience.


                    To learn more, see our tips on writing great answers.




                    draft saved


                    draft discarded














                    StackExchange.ready(
                    function () {
                    StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2funix.stackexchange.com%2fquestions%2f485808%2fhow-to-inspect-decrypted-tls-ssl-traffic-in-wireshark-from-program-not-supportin%23new-answer', 'question_page');
                    }
                    );

                    Post as a guest















                    Required, but never shown





















































                    Required, but never shown














                    Required, but never shown












                    Required, but never shown







                    Required, but never shown

































                    Required, but never shown














                    Required, but never shown












                    Required, but never shown







                    Required, but never shown







                    Popular posts from this blog

                    CARDNET

                    Boot-repair Failure: Unable to locate package grub-common:i386

                    濃尾地震