Comments (4)
It seems that tshark supports TLS versions 1.0-1.3 well under the HTTP 1.1/2 protocol, but it appears to not support decryption for HTTP 1.0.
Works well for me.
tshark -o tls.keylog_file:key.log -Y http -T fields -e http.file_data -f "port 32888" -i eth0
SSLKEYLOGFILE=key.log curl --local-port 32888 --http1.0 https://www.baidu.com -v
HTTP/1.0 over TLS v1.2 (max supported TLS version for Baidu)
It's really hard find a modern website with both HTTP/1.0 and TLS v1.3 support.
I suppose you'll need to properly set up an Nginx service on your own to kickstart a Ferrari with an antiquated tractor engine (to verify that HTTP/1.0 or even HTTP/0.9 works with TLS v1.3). I believe that the HTTP versions (at least before HTTP/3) and TLS versions are decoupled, and there's fundamentally no need to verify such a multitude of combinations.
from ecapture.
Great idea. However, I need to verify the range of HTTP protocols and TLS versions supported by tshark.
- http 1.0 and tls 1.0
- http 1.0 and tls 1.1
- http 1.0 and tls 1.2
- http 1.0 and tls 1.3
- http 1.1 and tls 1.0
- http 1.1 and tls 1.1
- http 1.1 and tls 1.2
- htto 1.1 and tls 1.3
- http 2.0 and tls 1.0
- http 2.0 and tls 1.1
- http 2.0 and tls 1.2
- http 2.0 and tls 1.3
It seems that tshark supports TLS versions 1.0-1.3 well under the HTTP 1.1/2 protocol, but it appears to not support decryption for HTTP 1.0.
eCapture shell
root@VM-0-13-ubuntu:/home/ubuntu/ecapture# bin/ecapture tls
tls_2023/11/28 22:41:14 ECAPTURE :: ecapture Version : linux_x86_64:0.6.6-20231126-db7e37a:[CORE]
tls_2023/11/28 22:41:14 ECAPTURE :: Pid Info : 24947
tls_2023/11/28 22:41:14 ECAPTURE :: Kernel Info : 5.15.126
tls_2023/11/28 22:41:14 EBPFProbeOPENSSL module initialization
tls_2023/11/28 22:41:14 EBPFProbeOPENSSL master key keylogger: ecapture_masterkey.log
tls_2023/11/28 22:41:14 ECAPTURE :: Module.Run()
tls_2023/11/28 22:41:14 EBPFProbeOPENSSL UPROBE MODEL
tls_2023/11/28 22:41:14 EBPFProbeOPENSSL OpenSSL/BoringSSL version not found from shared library file, used default version:linux_default_3_0
tls_2023/11/28 22:41:14 EBPFProbeOPENSSL HOOK type:2, binrayPath:/lib/x86_64-linux-gnu/libssl.so.3
tls_2023/11/28 22:41:14 EBPFProbeOPENSSL Hook masterKey function:SSL_write
tls_2023/11/28 22:41:14 EBPFProbeOPENSSL libPthread:/lib/x86_64-linux-gnu/libc.so.6
tls_2023/11/28 22:41:14 EBPFProbeOPENSSL target all process.
tls_2023/11/28 22:41:14 EBPFProbeOPENSSL target all users.
tls_2023/11/28 22:41:14 ECAPTURE :: start 2 modules
for http1.x
tshark -o tls.keylog_file:ecapture_masterkey.log -Y http -T fields -e http.file_data -f "port 443" -i eth0
for http2
tshark -o tls.keylog_file:ecapture_masterkey.log -Y http2 -T fields -e http2.data.data -f "port 443" -i eth0
ref:https://www.wireshark.org/docs/dfref/h/http2.html
from ecapture.
Let’s not limit our imagination to just the HTTPS protocol; in fact, TShark (essentially WireShark) can support a wide range of protocols, including but not limited to MySQL (PostgreSQL) connections over TLS, SMTPS, POP3S, and more. Additionally, we should also pay attention to how OpenSSL retrieves the TLS Key Log in HTTP/3.0 (UDP), with the possibility of hooking into new functions to support HTTP/3.0.
from ecapture.
Theoretically, any protocol listed here (https://www.wireshark.org/docs/dfref/) and encapsulated within the TLS layer can be parsed and displayed.
from ecapture.
Related Issues (20)
- linux 环境抓go相关的包报错 HOT 4
- error: couldn't start bootstrap manager error HOT 1
- pcap mode failed on Android App while hex mode works fine HOT 2
- Potential hang for eCapture under really rare circumstances HOT 2
- ecapture 0.7.6依旧无法抓取docker pull的完全URL HOT 8
- gotls: hook dockerd fail HOT 1
- gojue/ebpfmanager dependency with an AGPL license HOT 3
- In v0.7.6, the gotls module works exceptionally in pie mode on x64 platform. HOT 3
- module run failed, [skip it]. error:EBPFProbeOPENSSL couldn't find asset open user/bytecode: file does not exist HOT 5
- SSL_in_before hook点在openssl 1.0.2k的系统上找不到符号表 HOT 4
- 执行时报Permission denied HOT 4
- 数据抓不全的问题 HOT 8
- 获取https request response header+ body HOT 5
- BoringSSL is not supported on linux HOT 4
- Keylog capture not working with OpenSSL 1.1.0 HOT 3
- support updated versions of OpenSSL such as 1.1.1u, v, w, etc.
- masterKey被多次写入pcapng文件中 HOT 3
- load bpf failed on kernel 4.18.0
- android version compilation has failed. HOT 1
- gotls shared object not supported HOT 11
Recommend Projects
-
React
A declarative, efficient, and flexible JavaScript library for building user interfaces.
-
Vue.js
🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
-
Typescript
TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
-
TensorFlow
An Open Source Machine Learning Framework for Everyone
-
Django
The Web framework for perfectionists with deadlines.
-
Laravel
A PHP framework for web artisans
-
D3
Bring data to life with SVG, Canvas and HTML. 📊📈🎉
-
Recommend Topics
-
javascript
JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
-
web
Some thing interesting about web. New door for the world.
-
server
A server is a program made to process requests and deliver data to clients.
-
Machine learning
Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
-
Visualization
Some thing interesting about visualization, use data art
-
Game
Some thing interesting about game, make everyone happy.
Recommend Org
-
Facebook
We are working to build community through open source technology. NB: members must have two-factor auth.
-
Microsoft
Open source projects and samples from Microsoft.
-
Google
Google ❤️ Open Source for everyone.
-
Alibaba
Alibaba Open Source for everyone
-
D3
Data-Driven Documents codes.
-
Tencent
China tencent open source team.
from ecapture.