Wireshark
Anonymize Packet Captures
Capture Wireshark Logs
- Set a capture filter to reduce the data captured, as per the example below.
- Set up a ring buffer as per the example below; the example uses 10GB of space in total.
- Disable real-time updating of the packet list to reduce load; it is not needed since we are capturing to a file. Depending on how quickly the capture fills the files, you might want to stop the capture automatically instead of overwriting the oldest file, e.g. stop capture after 200 files.
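The same filtered ring-buffer capture as a command line, for hosts where the GUI is not wanted. This is an added example and not part of the original notes: dumpcap is Wireshark's capture engine and accepts the same ring-buffer and autostop options the GUI exposes. The interface eth0, the filter, the output path and the free-space check before starting are assumptions added here. Running dumpcap instead of the GUI also removes the packet-list update overhead the step above is about.

```shell
#!/bin/sh
# Added example (not from the original notes): a filtered ring-buffer capture
# with dumpcap. Interface, filter and output path are assumptions.

# Per-file size in kB for a total budget of $1 GB spread over $2 files.
# The notes' 10GB ring as 10 files gives 1048576 kB per file.
per_file_kb() {
    echo $(( $1 * 1024 * 1024 / $2 ))
}

# Print the dumpcap arguments one per line (so a filter with spaces stays one argument).
#   $1 interface   $2 capture filter (BPF)   $3 output file
#   $4 per-file size in kB   $5 number of files   $6 "ring" (overwrite oldest) or "stop"
capture_args() {
    iface=$1 filter=$2 out=$3 size_kb=$4 nfiles=$5 mode=$6
    # -f applies the filter in the kernel, so unwanted traffic is never written to disk.
    # -b filesize:N rotates to a new file after N kB.
    set -- -i "$iface" -f "$filter" -w "$out" -b "filesize:$size_kb"
    case $mode in
        ring) set -- "$@" -b "files:$nfiles" ;;   # keep N files, overwrite the oldest
        stop) set -- "$@" -a "files:$nfiles" ;;   # stop automatically after N files
        *) echo "mode must be ring or stop" >&2; return 1 ;;
    esac
    printf '%s\n' "$@"
}

# Start the capture. dumpcap should run as an unprivileged user that is allowed to
# capture (e.g. a member of the wireshark group), not as root.
run_capture() {
    iface=$1 filter=$2 out=$3 size_kb=$4 nfiles=$5 mode=$6
    command -v dumpcap >/dev/null 2>&1 || { echo "dumpcap not installed" >&2; return 1; }
    outdir=$(dirname "$out")
    [ -d "$outdir" ] || { echo "output directory $outdir does not exist" >&2; return 1; }
    # Refuse to start if the whole ring would not fit on the target volume.
    need_kb=$(( size_kb * nfiles ))
    free_kb=$(df -Pk "$outdir" | awk 'NR==2 {print $4}')
    [ "$free_kb" -ge "$need_kb" ] || { echo "need ${need_kb} kB, only ${free_kb} kB free" >&2; return 1; }
    # Re-read the newline-separated argument list into positional parameters.
    set --
    while IFS= read -r a; do set -- "$@" "$a"; done <<EOF
$(capture_args "$iface" "$filter" "$out" "$size_kb" "$nfiles" "$mode")
EOF
    dumpcap "$@"
}

# Usage (10GB ring of 10 files, HTTPS traffic only, assumed interface and path):
#   run_capture eth0 'tcp port 443' /var/tmp/cap/trace.pcapng "$(per_file_kb 10 10)" 10 ring
```

Use `stop` instead of `ring` with a larger file count to reproduce the "stop capture after 200 files" option from the notes; in that mode nothing is overwritten, so the free-space check becomes the only protection against filling the disk.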
Finesse Capture
admin:file list activelog /platform/cli/*
FINESSEpcap.cap00
FINESSEpcap.cap01
FINESSEpcap.cap02
FINESSEpcap.cap03
FINESSEpcap.cap04
FINESSEpcap.cap05
FINESSEpcap.cap06
FINESSEpcap.cap07
GOR.cap
GOR1.cap
GOR_1.cap
tony.cap
dir count = 0, file count = 12

admin:file get activelog /platform/cli/FINESSEpcap.cap*
Please wait while the system is gathering files info ...
Get file: /var/log/active/platform/cli/FINESSEpcap.cap00
Get file: /var/log/active/platform/cli/FINESSEpcap.cap01
Get file: /var/log/active/platform/cli/FINESSEpcap.cap02
Get file: /var/log/active/platform/cli/FINESSEpcap.cap03
Get file: /var/log/active/platform/cli/FINESSEpcap.cap04
Get file: /var/log/active/platform/cli/FINESSEpcap.cap05
Get file: /var/log/active/platform/cli/FINESSEpcap.cap06
Get file: /var/log/active/platform/cli/FINESSEpcap.cap07
done.
Sub-directories were not traversed.
Number of files affected: 8
Total size in Bytes: 308883571
Total size in Kbytes: 301644.12
Would you like to proceed [y/n]?
Decrypting TLS Browser Session
https://wiki.wireshark.org/TLS
- Set the system environment variable SSLKEYLOGFILE, e.g. SSLKEYLOGFILE=C:\X-Support\SSL\SSLKeyLog.log. Only browsers started after the variable is set will write to it. The file holds the session secrets of every TLS connection the browser makes, so restrict access to it and delete it when you are done.
- Set the (Pre)-Master-Secret log filename in Wireshark under Preferences > Protocols > TLS (the protocol is listed as SSL in Wireshark releases before 3.0), as per below.
- Use Chrome or Firefox; both write to the key log when the variable is set.
- Run your Wireshark trace!
For Java / Tomcat
Embedding decryption secrets in a pcapng file
Since Wireshark 3.0 you can embed the TLS key log file in a pcapng file. This makes it much easier to distribute capture files with decryption secrets, and makes switching between capture files easier since the TLS protocol preference does not have to be updated. Note that the resulting pcapng can then be decrypted by anyone who holds it, so treat it with the same care as the key log file itself. To add the contents of key log file keys.txt to capture file in.pcap and write the result to out-dsb.pcapng:
editcap --inject-secrets tls,keys.txt in.pcap out-dsb.pcapng
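The whole key-log workflow from the two sections above (preparing SSLKEYLOGFILE, checking that the browser actually wrote secrets, decrypting from the command line, and embedding the secrets with editcap) as one shell script for a Linux or macOS host. This is an added example, not from the original notes or the Wireshark wiki; the browser name, the file paths and the constructed key log contents (dummy hex, not real secrets) are assumptions. The format check is the step the notes do not show: an empty or malformed key log is the usual reason decryption silently fails.

```shell
#!/bin/sh
# Added example (not from the original notes or the Wireshark wiki): the
# SSLKEYLOGFILE workflow end to end. Browser, paths and sample data are assumptions.

# Create the key log with owner-only permissions before the browser starts;
# it will hold the secrets of every TLS session the browser opens.
prepare_keylog() {
    : > "$1" && chmod 600 "$1"
}

# Start the browser with SSLKEYLOGFILE set. Only processes started after the
# variable is set write to it, which is the usual reason the file stays empty.
start_browser() {
    SSLKEYLOGFILE=$1 "${BROWSER:-firefox}" "${2:-https://example.com/}" &
}

# Count well-formed secret lines: TLS 1.2 CLIENT_RANDOM, legacy RSA, and the
# TLS 1.3 per-secret labels (each keyed by the 32-byte client random, 64 hex).
# Lines starting with # are comments. Prints the count and fails when it is zero.
keylog_secret_count() {
    n=$(grep -Ec '^(RSA [0-9a-fA-F]{16}|(CLIENT_RANDOM|CLIENT_EARLY_TRAFFIC_SECRET|CLIENT_HANDSHAKE_TRAFFIC_SECRET|SERVER_HANDSHAKE_TRAFFIC_SECRET|CLIENT_TRAFFIC_SECRET_0|SERVER_TRAFFIC_SECRET_0|EARLY_EXPORTER_SECRET|EXPORTER_SECRET) [0-9a-fA-F]{64}) [0-9a-fA-F]+$' "$1" 2>/dev/null || true)
    n=${n:-0}
    printf '%s\n' "$n"
    [ "$n" -gt 0 ]
}

# Decrypt a capture on the command line. tls.keylog_file is the same preference
# the GUI sets under Protocols > TLS. Prints the HTTP requests that decrypt.
decrypt_http() {
    cap=$1 keylog=$2
    keylog_secret_count "$keylog" >/dev/null || { echo "no secrets in $keylog" >&2; return 1; }
    tshark -r "$cap" -o "tls.keylog_file:$keylog" -Y http.request \
        -T fields -e ip.dst -e http.host -e http.request.method -e http.request.uri
}

# Embed the secrets into a pcapng (Wireshark 3.0 or later). The output decrypts
# on any machine, so it is as sensitive as the key log itself.
embed_secrets() {
    cap=$1 keylog=$2 out=$3
    keylog_secret_count "$keylog" >/dev/null || { echo "no secrets in $keylog" >&2; return 1; }
    editcap --inject-secrets "tls,$keylog" "$cap" "$out" && chmod 600 "$out"
}

# Stand-alone check on a constructed key log (dummy hex values, not real secrets):
# one comment, two usable lines, and one truncated line that must not count.
demo_keylog_check() {
    f=$(mktemp)
    cat > "$f" <<'EOF'
# SSL/TLS secrets log file, generated by NSS
CLIENT_RANDOM 0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef 0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef
CLIENT_TRAFFIC_SECRET_0 0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef 0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef
CLIENT_RANDOM 0123456789abcdef 0123
EOF
    if keylog_secret_count "$f"; then rc=0; else rc=1; fi
    rm -f "$f"
    return $rc
}

# Usage (assumed paths):
#   prepare_keylog ~/keys.txt && start_browser ~/keys.txt
#   ... capture with Wireshark or dumpcap, then:
#   decrypt_http trace.pcapng ~/keys.txt
#   embed_secrets trace.pcapng ~/keys.txt trace-dsb.pcapng
```

Run `keylog_secret_count` before opening the capture in Wireshark: if it reports 0, the browser was started before the variable was set or is not honouring it, and no amount of preference changes in Wireshark will decrypt anything. After `embed_secrets` the original key log can be deleted, but the pcapng now needs the same access controls.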