Would it be possible to modify sslsniff, i.e. by implementing libpcap, so you can create a .pcap file containing decrypted network traffic? Since sslsniff can decrypt packet data I thought it might be possible to replace the encrypted data with the decrypted data so I can view it in Wireshark? Is this possible to do?
.pcap files store network layer packets with a link layer specific header. However, the result of decrypting an SSL connection is actually a bidirectional stream of bytes at the application layer. There is no straightforward way of splitting that stream of bytes into network layer packets with link layer headers.

It would be possible, in theory, to split the stream into arbitrary TCP segments, prepend an IP and a link layer header and to try very hard to make the packet’s addresses, timestamp etc. match the corresponding ones from the original packets as closely as possible. The packet sizes, checksums etc. would of course change, and some packets would not be present at all, depending on whether the encapsulation is made by mimicking a plain TCP connection or an SSL connection using the NULL cipher.

However, all of this is quite hard to do with the API provided by OpenSSL to the application and would not be easy to integrate into the existing architecture of sslsniff.
So in theory, yes, it could be done, but in practice it is not so easy because .pcap files are an abstraction at the wrong layer.
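To make the "in theory" part of the answer concrete, here is an added example (not code from sslsniff or from the answer's author) of the plain-TCP variant it describes: a decrypted, bidirectional application stream is chopped into TCP segments, each gets a synthetic TCP, IPv4 and Ethernet header with correct lengths and checksums, and the result is written in the classic pcap format that Wireshark reads. The addresses, ports, MAC addresses, initial sequence numbers, timestamps and the two plaintext HTTP messages are all constructed for illustration; a real integration would take them from the original encrypted packets.

```python
"""Re-encapsulate a decrypted TLS application stream as a synthetic pcap.

Added example, not sslsniff code. The endpoints, sequence numbers,
timestamps and plaintext messages below are constructed for illustration.
"""
import struct

LINKTYPE_ETHERNET = 1
# (IPv4 address, TCP port, MAC) for the two ends of the original connection.
CLIENT = ("10.0.0.2", 40000, b"\x02\x00\x00\x00\x00\x02")
SERVER = ("10.0.0.1", 443, b"\x02\x00\x00\x00\x00\x01")

# Constructed sample: what a decrypting proxy sees after TLS is stripped,
# tagged with direction and the timestamp of the original encrypted packet.
MESSAGES = [
    ("c2s", b"GET / HTTP/1.1\r\nHost: example.test\r\n\r\n", 1700000000.000100),
    ("s2c", b"HTTP/1.1 200 OK\r\nContent-Length: 5\r\n\r\nhello", 1700000000.004200),
]


def ones_complement_sum(data: bytes) -> int:
    """RFC 1071 checksum (odd length is zero-padded). 0 means 'verifies'."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def ip_to_bytes(ip: str) -> bytes:
    return bytes(int(o) for o in ip.split("."))


def build_frame(src, dst, seq, ack, payload, ident):
    """Ethernet + IPv4 + TCP (PSH|ACK) carrying one plaintext chunk."""
    sip, sport, smac = src
    dip, dport, dmac = dst
    # TCP: data offset 5 words, flags PSH|ACK (0x18), window 65535, csum 0, urg 0
    tcp = struct.pack("!HHIIBBHHH", sport, dport, seq, ack, 5 << 4, 0x18, 65535, 0, 0)
    pseudo = ip_to_bytes(sip) + ip_to_bytes(dip) + struct.pack("!BBH", 0, 6, len(tcp) + len(payload))
    tcp = tcp[:16] + struct.pack("!H", ones_complement_sum(pseudo + tcp + payload)) + tcp[18:]
    # IPv4: version/IHL 0x45, DF set, TTL 64, protocol 6 (TCP), checksum filled in after
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp) + len(payload), ident,
                     0x4000, 64, 6, 0, ip_to_bytes(sip), ip_to_bytes(dip))
    ip = ip[:10] + struct.pack("!H", ones_complement_sum(ip)) + ip[12:]
    return dmac + smac + b"\x08\x00" + ip + tcp + payload


def stream_to_pcap(messages, mss=1400, snaplen=65535):
    """Turn (direction, plaintext, timestamp) records into pcap bytes.

    Each message is split into segments of at most `mss` bytes with increasing
    sequence numbers per direction; the ack number is the peer's next expected
    sequence number so that Wireshark can reassemble the stream.
    Returns (pcap_bytes, number_of_records).
    """
    out = [struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, snaplen, LINKTYPE_ETHERNET)]
    seq = {"c2s": 1000, "s2c": 5000}  # constructed initial sequence numbers
    ident, count = 0, 0
    for direction, data, ts in messages:
        src, dst = (CLIENT, SERVER) if direction == "c2s" else (SERVER, CLIENT)
        peer = "s2c" if direction == "c2s" else "c2s"
        for off in range(0, len(data), mss):
            chunk = data[off:off + mss]
            ident += 1
            frame = build_frame(src, dst, seq[direction], seq[peer], chunk, ident)
            sec, usec = int(ts), int(round((ts - int(ts)) * 1_000_000))
            out.append(struct.pack("<IIII", sec, usec, len(frame), len(frame)) + frame)
            seq[direction] += len(chunk)
            count += 1
    return b"".join(out), count


def read_pcap_segments(pcap: bytes):
    """Walk the pcap back, verify IP/TCP checksums, return (sport, dport, seq, payload)."""
    if struct.unpack("<I", pcap[:4])[0] != 0xA1B2C3D4:
        raise ValueError("not a little-endian classic pcap")
    pos, segments = 24, []
    while pos < len(pcap):
        _, _, incl, _ = struct.unpack("<IIII", pcap[pos:pos + 16])
        frame = pcap[pos + 16:pos + 16 + incl]
        pos += 16 + incl
        ihl = (frame[14] & 0x0F) * 4
        ip = frame[14:14 + ihl]
        if ones_complement_sum(ip) != 0:
            raise ValueError("bad IPv4 checksum")
        total_len = struct.unpack("!H", ip[2:4])[0]
        tcp = frame[14 + ihl:14 + total_len]
        pseudo = ip[12:20] + struct.pack("!BBH", 0, 6, len(tcp))
        if ones_complement_sum(pseudo + tcp) != 0:
            raise ValueError("bad TCP checksum")
        sport, dport, seq = struct.unpack("!HHI", tcp[:8])
        segments.append((sport, dport, seq, tcp[(tcp[12] >> 4) * 4:]))
    return segments


if __name__ == "__main__":
    data, n = stream_to_pcap(MESSAGES)
    with open("decrypted.pcap", "wb") as f:
        f.write(data)
    print("wrote", n, "segments;", len(read_pcap_segments(data)), "verified")
```

This mimics a plain TCP connection on port 443, so the three-way handshake, the TLS records and the FIN exchange are simply absent; Wireshark's TCP dissector copes with a stream that starts mid-connection, but you would tell it to decode port 443 as HTTP rather than TLS. The checksums, sizes and packet count all differ from the original capture, which is exactly the information loss the answer points out.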