Wireshark
Alexander Karpov, 2019-09-11 10:50:19

Why is tshark printing blank lines?

To debug the service, I'm trying to display the client headers that the server receives.
My last attempt was

```
tshark -i 3 -f"tcp port 443" -o ssl.debug_file:rsa_private.log -o ssl.keys_list:,443,http,/etc/nginx/ssl/cert.pem -o ssl.desegment_ssl_records:true -o ssl.desegment_ssl_application_data:true -T fields -e http.host
```

But tshark returns empty lines to the console.
For example, `rsa_private.log`, which is written when the command is executed, contains:

```
dissect_ssl enter frame #38 (first time)
  conversation = 0x7f8cd4ca55c0, ssl_session = 0x7f8cd4ca5af8
  record: offset = 0, reported_length_remaining = 15108
dissect_ssl3_record: content_type 23 Application Data
decrypt_ssl3_record: app_data len 15103, ssl state 0x93
packet_from_server: is from server - TRUE
decrypt_ssl3_record: using server decoder
decrypt_ssl3_record: no decoder available
association_find: TCP port 443 found 0x556df6f6fef0
```

And the saddest line here, in my opinion, is `decrypt_ssl3_record: no decoder available`.
Perhaps the reason is the use of the Diffie-Hellman encryption algorithm, and the interception of additional data is required for decryption. However, I haven't found a way to do this yet.
Maybe someone can help me. Thank you!


1 answer(s)
athacker, 2019-09-12
@athacker

And why do you need it? Isn't it easier to enable full request logging on the server to see what comes from the client? Or, if the server is not under your control, you can do MITM using Fiddler or Burp Suite.
For example, this is what Fiddler does: https://www.fiddlerbook.com/fiddler/help/httpsdecr...
