[Bro] Reading encrypted pcap with Bro

Mark Buchanan mabuchan at gmail.com
Sat Aug 12 15:23:04 PDT 2017


Ack - sorry - viewssld - I got the name backwards and Google finds all
sorts of other things when you try sslviewd.

Mark

On Sat, Aug 12, 2017 at 5:20 PM, Josh Guild <josh.guild at morphick.com> wrote:

> Awesome, I'll give that a shot! RE: the replay, is there something that
> can read that out and replay? I was thinking of just trying this with
> tshark but hadn't done research yet.
>
> I tried the Export Objects within Wireshark but these files weren't
> grabbed through a normal GET, it was pushed out in a chunked format.
>
> I'm hoping Bro can reassemble and carve for me :)
>
> On Sat, Aug 12, 2017, 18:17 Mark Buchanan <mabuchan at gmail.com> wrote:
>
>> Check out sslviewd, it can decrypt traffic (on the fly). You may
>> be able to use that to either generate clear text captures or replay the
>> encrypted dump through it into a Bro instance listening to the output.
>>
>> On another note, Wireshark has some capacity to carve files out, within
>> it, while I know I'd like to use Bro, if it's a one shot deal, that may be
>> an easier method.
>>
>> --
>> Mark Buchanan
>>
>> > On Aug 12, 2017, at 13:58, Josh Guild <josh.guild at morphick.com> wrote:
>> >
>> > Hi all,
>> >
>> > Hoping to find some more uplifting answers here than I found with my
>> > Google searches. I have an encrypted pcap and the key but there doesn't
>> > seem to be a way to save off the plaintext pcap with tshark.
>> >
>> > Where Bro comes in - I need to carve some files out that are chunked as
>> > octet streams and would really rather not have to write a tshark script for
>> > this.
>> >
>> > However Bro needs the decrypted pcap to carve for me :(
>> >
>> > Any assistance or points in the right direction would be awesome,
>> > thanks!
>> > _______________________________________________
>> > Bro mailing list
>> > bro at bro-ids.org
>> > http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/bro
>>
>


-- 
Mark Buchanan
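The files Josh wants to carve were pushed as chunked octet streams, which is why Wireshark's Export Objects did not pick them up. As an added example (not code from anyone in this thread, and not Bro's own), this Python reassembles such a body from one decrypted HTTP response and recovers the filename; the response bytes are constructed for the demonstration.

```python
import re

# Constructed sample: a decrypted HTTP/1.1 response carrying a small file
# as a chunked application/octet-stream body (not taken from the thread).
SAMPLE_RESPONSE = (
    b"HTTP/1.1 200 OK\r\n"
    b"Content-Type: application/octet-stream\r\n"
    b'Content-Disposition: attachment; filename="payload.bin"\r\n'
    b"Transfer-Encoding: chunked\r\n"
    b"\r\n"
    b"4\r\nWiki\r\n"            # chunk of 4 bytes
    b"5;ext=1\r\npedia\r\n"     # chunk of 5 bytes with a chunk extension
    b"e\r\n in\r\n\r\nchunks.\r\n"  # chunk of 14 bytes containing CRLFs
    b"0\r\n"                    # last-chunk marker
    b"\r\n"
)


def split_headers(response: bytes):
    """Separate status line, lower-cased header map and raw body."""
    head, _, body = response.partition(b"\r\n\r\n")
    lines = head.split(b"\r\n")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(b":")
        headers[name.strip().lower()] = value.strip()
    return lines[0], headers, body


def dechunk(body: bytes) -> bytes:
    """Decode a Transfer-Encoding: chunked body; raise on a truncated capture."""
    out, pos = bytearray(), 0
    while True:
        eol = body.find(b"\r\n", pos)
        if eol < 0:
            raise ValueError("truncated chunk-size line")
        size = int(body[pos:eol].split(b";", 1)[0].strip(), 16)  # drop extensions
        pos = eol + 2
        if size == 0:
            return bytes(out)  # optional trailers after the last chunk are ignored
        chunk = body[pos:pos + size]
        if len(chunk) < size:
            raise ValueError("truncated chunk data")
        out += chunk
        pos += size
        if body[pos:pos + 2] != b"\r\n":
            raise ValueError("missing CRLF after chunk")
        pos += 2


def carve_file(response: bytes):
    """Return (filename, file bytes) for one HTTP response from a decrypted stream."""
    _, headers, body = split_headers(response)
    if headers.get(b"transfer-encoding", b"").lower() == b"chunked":
        body = dechunk(body)
    m = re.search(rb'filename="?([^";]+)"?', headers.get(b"content-disposition", b""))
    name = m.group(1).decode("latin-1") if m else "carved.bin"
    return name, body
```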

