[Bro] Reading encrypted pcap with Bro

Josh Guild josh.guild at morphick.com
Sat Aug 12 15:24:27 PDT 2017


Ha. No worries, I'll take a look tonight!

On Sat, Aug 12, 2017, 18:23 Mark Buchanan <mabuchan at gmail.com> wrote:

> Ack - sorry - viewssld - I got the name backwards and google finds all
> sorts of other things when you try sslviewd.
>
> Mark
>
> On Sat, Aug 12, 2017 at 5:20 PM, Josh Guild <josh.guild at morphick.com>
> wrote:
>
>> Awesome, I'll give that a shot! RE: the replay, is there something that
>> can read that out and reply? I was thinking of just trying this with
>> tshark but hadn't done research yet.
>>
>> I tried the Export Objects within Wireshark but these files weren't
>> grabbed through a normal GET, it was pushed out in a chunked format.
>>
>> I'm hoping Bro can reassemble and carve for me :)
>>
>> On Sat, Aug 12, 2017, 18:17 Mark Buchanan <mabuchan at gmail.com> wrote:
>>
>>> Check out sslviewd, it can decrypt traffic (on the fly). You may
>>> be able to use that to either generate clear text captures or replay the
>>> encrypted dump through it into a Bro instance listening to the output.
>>>
>>> On another note, Wireshark has some capacity to carve files out, within
>>> it, while I know I'd like to use Bro, if it's a one shot deal, that may be
>>> an easier method.
>>>
>>> --
>>> Mark Buchanan
>>>
>>> > On Aug 12, 2017, at 13:58, Josh Guild <josh.guild at morphick.com> wrote:
>>> >
>>> > Hi all,
>>> >
>>> > Hoping to find some more uplifting answers here than I found with my
>>> Google searches. I have an encrypted pcap and the key but there doesn't
>>> seem to be a way to save off the plaintext pcap with tshark.
>>> >
>>> > Where Bro comes in - I need to carve some files out that are chunked
>>> as octet streams and would really rather not have to write a tshark script
>>> for this.
>>> >
>>> > However Bro needs the decrypted pcap to carve for me :(
>>> >
>>> > Any assistance or points in the right direction would be awesome,
>>> thanks!
>>> > _______________________________________________
>>> > Bro mailing list
>>> > bro at bro-ids.org
>>> > http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/bro
>>>
>>
>
>
> --
> Mark Buchanan
>
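An added example, not code from any poster in this thread, of the reassembly step Josh is after: decoding an HTTP/1.1 chunked transfer-coded octet stream (RFC 7230 section 4.1) out of an already-decrypted response so the pushed file can be carved and hashed for triage. The sample response is constructed, and the code assumes TLS decryption has already happened upstream (for instance with the tool Mark mentions).

```python
# Added example (not from the thread): reassemble a chunked octet-stream
# body from a decrypted HTTP/1.1 response and report what a carver would log.
import hashlib

def decode_chunked(body: bytes) -> tuple[bytes, bytes]:
    """Return (payload, trailer) from a chunked body.

    Each chunk is "<hex-size>[;ext]\\r\\n<data>\\r\\n"; a zero-size chunk ends the
    body and is followed by optional trailer fields and a final CRLF.
    Raises ValueError on malformed framing instead of guessing.
    """
    out, pos = bytearray(), 0
    while True:
        eol = body.find(b"\r\n", pos)
        if eol < 0:
            raise ValueError("truncated chunk-size line")
        size_field = body[pos:eol].split(b";", 1)[0].strip()  # drop chunk extensions
        try:
            size = int(size_field, 16)
        except ValueError:
            raise ValueError(f"bad chunk size {size_field!r}") from None
        pos = eol + 2
        if size == 0:  # last chunk: trailer section (possibly empty) follows
            if body.startswith(b"\r\n", pos):
                return bytes(out), b""
            end = body.find(b"\r\n\r\n", pos)
            if end < 0:
                raise ValueError("truncated trailer section")
            return bytes(out), body[pos:end]
        if pos + size + 2 > len(body):
            raise ValueError("truncated chunk data")
        out += body[pos:pos + size]
        if body[pos + size:pos + size + 2] != b"\r\n":
            raise ValueError("missing CRLF after chunk data")
        pos += size + 2

def carve_response(raw: bytes) -> dict:
    """Split a raw response, decode its chunked body, return carved object + hash."""
    head, _, body = raw.partition(b"\r\n\r\n")
    headers = {}
    for line in head.split(b"\r\n")[1:]:
        k, _, v = line.partition(b":")
        headers[k.strip().lower()] = v.strip()
    if b"chunked" not in headers.get(b"transfer-encoding", b"").lower():
        raise ValueError("response is not chunked")
    payload, trailer = decode_chunked(body)
    return {"content_type": headers.get(b"content-type", b"").decode(), "size": len(payload),
            "sha256": hashlib.sha256(payload).hexdigest(), "payload": payload, "trailer": trailer}

# Constructed sample: a tiny "file" pushed in two chunks, one with an extension, plus a trailer.
SAMPLE = (b"HTTP/1.1 200 OK\r\nContent-Type: application/octet-stream\r\n"
          b"Transfer-Encoding: chunked\r\n\r\n"
          b"4\r\nMZ\x90\x00\r\n5;name=x\r\nhello\r\n0\r\nX-Checksum: dummy\r\n\r\n")

if __name__ == "__main__":
    r = carve_response(SAMPLE)
    print(r["content_type"], r["size"], r["sha256"])
```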