[Bro] Reading encrypted pcap with Bro

Mark Buchanan mabuchan at gmail.com
Sat Aug 12 15:17:08 PDT 2017


Check out sslviewd, it can do decrypt of traffic (on the fly). You may be able to use that to either generate clear text captures or replay the encrypted dump through it into a Bro instance listening to the output.

On another note, Wireshark has some capacity to carve files out within it; while I know I'd like to use Bro, if it's a one-shot deal, that may be an easier method.

--
Mark Buchanan

> On Aug 12, 2017, at 13:58, Josh Guild <josh.guild at morphick.com> wrote:
> 
> Hi all,
> 
> Hoping to find some more uplifting answers here than I found with my Google searches. I have an encrypted pcap and the key, but there doesn't seem to be a way to save off the plaintext pcap with tshark.
> 
> Where Bro comes in - I need to carve some files out that are chunked as octet streams and would really rather not have to write a tshark script for this. 
> 
> However Bro needs the decrypted pcap to carve for me :(
> 
> Any assistance or points in the right direction would be awesome, thanks!
> _______________________________________________
> Bro mailing list
> bro at bro-ids.org
> http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/bro
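The carving step Josh describes, as an added example that is not part of this thread: a small Bro script that extracts every file Bro identifies as an octet stream from an already-decrypted pcap. It assumes the capture has been decrypted beforehand (Bro performs no TLS decryption itself), and the output directory and filename pattern are assumptions chosen here for illustration.

```bro
# Added example, not from the mailing-list thread.
# Usage (assumed invocation):  bro -r decrypted.pcap extract_octet_streams.bro
# Assumption: decrypted.pcap already contains plaintext traffic.

# Directory Bro writes extracted files into (assumed path).
redef FileExtract::prefix = "./extracted_files/";

# file_sniff fires once Bro has inferred the MIME type of a file,
# so we can limit extraction to the chunked octet streams of interest.
event file_sniff(f: fa_file, meta: fa_metadata)
    {
    if ( ! meta?$mime_type )
        return;

    if ( meta$mime_type != "application/octet-stream" )
        return;

    # Name each extracted file by its source analyzer and Bro file id
    # (filename pattern is an assumption).
    local fname = fmt("%s-%s.bin", f$source, f$id);
    Files::add_analyzer(f, Files::ANALYZER_EXTRACT, [$extract_filename=fname]);
    }

# Report what was written when Bro finishes tracking each file.
event file_state_remove(f: fa_file)
    {
    if ( f?$info && f$info?$extracted )
        print fmt("extracted %s (%d bytes seen)", f$info$extracted, f$seen_bytes);
    }
```

Files Bro could not classify, or that carry a different MIME type, are left alone; the usual files.log still records every file observed, which is handy for confirming that the decrypted capture actually contains the streams you expect before trusting the carved output.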