[Bro] Reading encrypted pcap with Bro
mabuchan at gmail.com
Sat Aug 12 15:23:04 PDT 2017
Ack - sorry - viewssld - I got the name backwards, and Google finds all
sorts of other things when you try sslviewd.
On Sat, Aug 12, 2017 at 5:20 PM, Josh Guild <josh.guild at morphick.com> wrote:
> Awesome, I'll give that a shot! RE: the replay, is there something that
> can read that out and replay it? I was thinking of just trying this with
> tshark but hadn't done research yet.
> I tried the Export Objects within Wireshark, but these files weren't
> grabbed through a normal GET; they were pushed out in a chunked format.
> I'm hoping Bro can reassemble and carve for me :)
> On Sat, Aug 12, 2017, 18:17 Mark Buchanan <mabuchan at gmail.com> wrote:
>> Check out sslviewd, it can decrypt traffic (on the fly). You may
>> be able to use that to either generate clear text captures or replay the
>> encrypted dump through it into a Bro instance listening to the output.
>> On another note, Wireshark has some capacity to carve files out within
>> it; while I know I'd like to use Bro, if it's a one-shot deal, that may be
>> an easier method.
>> Mark Buchanan
>> > On Aug 12, 2017, at 13:58, Josh Guild <josh.guild at morphick.com> wrote:
>> > Hi all,
>> > Hoping to find some more uplifting answers here than I found with my
>> > Google searches. I have an encrypted pcap and the key, but there doesn't
>> > seem to be a way to save off the plaintext pcap with tshark.
>> > Where Bro comes in - I need to carve some files out that are chunked as
>> > octet streams and would really rather not have to write a tshark script for
>> > However, Bro needs the decrypted pcap to carve for me :(
>> > Any assistance or points in the right direction would be awesome,
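For the carving half of the question (the decryption step with viewssld is unchanged), here is an added example script, not from this thread or the Bro project, that has Bro's file analysis framework extract HTTP-delivered octet streams from a pcap that has already been decrypted. It assumes a Bro 2.5-era API; `decrypted.pcap` and `carve_octets.bro` are placeholder names.

```bro
# Added example: carve HTTP octet streams from an already-decrypted pcap.
# Run as:  bro -r decrypted.pcap carve_octets.bro
# (decrypted.pcap is a placeholder for whatever viewssld wrote out.)

@load base/files/extract

# Directory where extracted files are written.
redef FileExtract::prefix = "./extract_files/";

# Only carve files from these sources and MIME types; extend as needed.
const carve_sources: set[string] = { "HTTP" } &redef;
const carve_mime: set[string] = { "application/octet-stream" } &redef;

# file_sniff fires once Bro has buffered enough of the body to guess its
# type. The HTTP analyzer has already stripped the chunked transfer
# encoding, so the extract analyzer receives the reassembled body no
# matter how the server pushed it out.
event file_sniff(f: fa_file, meta: fa_metadata)
    {
    if ( f$source !in carve_sources )
        return;

    # Files with no sniffed type are still carved: raw octet streams
    # often carry no magic bytes Bro recognises.
    if ( meta?$mime_type && meta$mime_type !in carve_mime )
        return;

    # Name by source and file id so the entry in files.log ties the
    # carved file back to its connection uid(s).
    local fname = fmt("%s-%s.bin", f$source, f$id);
    Files::add_analyzer(f, Files::ANALYZER_EXTRACT,
                        [$extract_filename=fname]);
    }
```

After the run, `files.log` lists each carved file under `extracted` alongside its `conn_uids`, so you can join it to `http.log` to see which request delivered it.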