[Bro] Reading encrypted pcap with Bro

Josh Guild josh.guild at morphick.com
Sat Aug 12 15:20:39 PDT 2017


Awesome, I'll give that a shot! RE: the replay, is there something that can
read that out and replay it? I was thinking of just trying this with tshark
but hadn't done research yet.

I tried the Export Objects within Wireshark but these files weren't grabbed
through a normal GET, it was pushed out in a chunked format.

I'm hoping Bro can reassemble and carve for me :)

On Sat, Aug 12, 2017, 18:17 Mark Buchanan <mabuchan at gmail.com> wrote:

> Check out sslviewd, it can decrypt traffic (on the fly).   You may
> be able to use that to either generate clear text captures or replay the
> encrypted dump through it into a Bro instance listening to the output.
>
> On another note, Wireshark has some capacity to carve files out, within
> it, while I know I'd like to use Bro, if it's a one shot deal, that may be
> an easier method.
>
> --
> Mark Buchanan
>
> > On Aug 12, 2017, at 13:58, Josh Guild <josh.guild at morphick.com> wrote:
> >
> > Hi all,
> >
> > Hoping to find some more uplifting answers here than I found with my
> Google searches. I have an encrypted pcap and the key but there doesn't
> seem to be a way to save off the plaintext pcap with tshark.
> >
> > Where Bro comes in - I need to carve some files out that are chunked as
> octet streams and would really rather not have to write a tshark script for
> this.
> >
> > However Bro needs the decrypted pcap to carve for me :(
> >
> > Any assistance or points in the right direction would be awesome, thanks!
> > _______________________________________________
> > Bro mailing list
> > bro at bro-ids.org
> > http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/bro
>
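Added example, not code from this thread or from Bro: a small Python carver for the case Josh describes, a file pushed out as an application/octet-stream response with chunked transfer encoding, which is why a plain Export Objects pass did not pick it up. It assumes the TLS layer has already been stripped by whatever decrypts the capture, so its input is the raw plaintext HTTP response bytes of one connection; the sample response below is constructed and includes a chunk extension, a trailer header, and a deliberately truncated copy so the failure mode is visible.

```python
"""Carve an HTTP/1.1 response body that uses chunked transfer encoding.

Illustrative example only (not from the mailing-list thread, not Bro code).
Input is assumed to be decrypted, reassembled HTTP bytes for one connection.
"""
import hashlib
import re
from typing import Dict, Tuple

# Constructed sample: a decrypted response carrying a small octet-stream
# payload in three chunks (one with a chunk extension), then a trailer.
SAMPLE_RESPONSE = (
    b"HTTP/1.1 200 OK\r\n"
    b"Content-Type: application/octet-stream\r\n"
    b"Transfer-Encoding: chunked\r\n"
    b"\r\n"
    b"4\r\nMZ\x90\x00\r\n"
    b"5;ext=1\r\nhello\r\n"
    b"3\r\nEOF\r\n"
    b"0\r\n"
    b"X-Checksum: ignored\r\n"
    b"\r\n"
)

# Constructed: the same response cut off in the middle of the second chunk.
TRUNCATED_RESPONSE = SAMPLE_RESPONSE[:SAMPLE_RESPONSE.index(b"hello") + 2]


def split_head(raw: bytes) -> Tuple[Dict[str, str], bytes]:
    """Split raw response bytes into (headers, body); header names lower-cased."""
    head, sep, body = raw.partition(b"\r\n\r\n")
    if not sep:
        raise ValueError("incomplete header block")
    headers: Dict[str, str] = {}
    for line in head.split(b"\r\n")[1:]:          # skip the status line
        name, _, value = line.partition(b":")
        headers[name.strip().lower().decode("latin-1")] = value.strip().decode("latin-1")
    return headers, body


def dechunk(body: bytes) -> Tuple[bytes, bytes]:
    """Decode a chunked body. Returns (payload, raw trailer bytes).

    Raises ValueError if the stream is truncated or malformed, so a partial
    capture is reported instead of silently producing a short file.
    """
    out = bytearray()
    pos = 0
    while True:
        eol = body.find(b"\r\n", pos)
        if eol < 0:
            raise ValueError("truncated: no chunk-size line")
        size_field = body[pos:eol].split(b";", 1)[0].strip()  # drop chunk extension
        if not re.fullmatch(rb"[0-9A-Fa-f]+", size_field):
            raise ValueError("bad chunk size %r" % size_field)
        size = int(size_field, 16)
        pos = eol + 2
        if size == 0:
            # Last chunk: optional trailer headers, then an empty line.
            end = body.find(b"\r\n\r\n", pos - 2)
            if end < 0:
                raise ValueError("truncated: trailer block not terminated")
            return bytes(out), body[pos:end]
        chunk = body[pos:pos + size]
        if len(chunk) < size or body[pos + size:pos + size + 2] != b"\r\n":
            raise ValueError("truncated chunk (expected %d bytes)" % size)
        out += chunk
        pos += size + 2


def carve(raw: bytes) -> Tuple[bytes, str]:
    """Return (payload, sha256 hex) for one response, whatever its framing."""
    headers, body = split_head(raw)
    if headers.get("transfer-encoding", "").lower() == "chunked":
        payload, _trailers = dechunk(body)
    elif "content-length" in headers:
        n = int(headers["content-length"])
        if len(body) < n:
            raise ValueError("truncated: body shorter than Content-Length")
        payload = body[:n]
    else:
        payload = body  # body runs until the connection closes
    return payload, hashlib.sha256(payload).hexdigest()


if __name__ == "__main__":
    data, digest = carve(SAMPLE_RESPONSE)
    print("carved %d bytes, sha256=%s" % (len(data), digest))
    try:
        carve(TRUNCATED_RESPONSE)
    except ValueError as exc:
        print("truncated sample rejected:", exc)
```

Feeding it real data means first extracting the plaintext response bytes per connection from the decrypted stream; the carver then handles chunked, Content-Length and close-delimited bodies alike, and refuses to emit a file from a capture that ends mid-chunk.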
