How to inspect decrypted TLS/SSL traffic in Wireshark from program not supporting SSLKEYLOGFILE?

The name of the pictureThe name of the pictureThe name of the pictureClash Royale CLAN TAG#URR8PPP











up vote
1
down vote

favorite












TL;DR: I feel I'm pretty close to doing so by using sslsplit's interface mirroring, but I ran into an issue where the kernel is not replying to ARP requests that sslsplit is sending out on the mirrored interface.



I want to intercept an SSL/TLS connection of a program I'm running in my machine and see the decrypted contents in wireshark. It seems sslsplit's interface mirroring is what I need so I've been trying to set that up.



This command properly sets up the interception without mirroring and simply outputting some info to stdout:



sudo sslsplit -D -l /dev/stdout -c ca.crt -k ca.key tcp 192.168.10.1 9090 ssl 192.168.10.1 9091


192.168.10.0/24 is a subnet that's on a veth link. I put one end of the veth in a new network namespace and setup the other end as the default route in that namespace. EDIT 2: In other words, I did:



ip link add veth0a type veth peer veth0b
ip address add 192.168.10.1/24 dev veth0a
ip netns add sslsplitns
ip link set veth0b netns sslsplitns
ip netns exec sslsplitns ip address add 192.168.10.2/24 dev veth0b
ip link set veth0a up
ip netns exec sslsplitns ip link set veth0b up
ip netns exec sslsplitns ip route add default via 192.168.10.1


The idea is to run the program whose connection I want to intercept in that network namespace (i.e. ip netns exec sslsplitns $cmd). I found this setup necessary because sslsplit works using the NAT engine, and it seems it can't pickup on packets unless they go through the INPUT chains.



Anyway, to use network mirroring I apparently select the interface I want to mirror to with -I. However, sslsplit says that -I depends on -T which is:




-T addr Mirror connection content as emulated packets to destination address addr on the interface given by -I. Only IPv4 target addresses are currently supported. This option is not available if SSLsplit was built without mirroring support.




EDIT 4: I imagine this means that if I made an HTTPS request to, for example, 1.2.3.4, sslsplit would make an equivalent HTTP request to whatever I provide to this option. Somebody, please correct me if I'm misunderstanding this, because I'm not completely sure how this would work. Would sslsplit really be able to use this provided address as source and destination IP? Would it make sure that no other program would receive these mirrored packets in case they're actually listening? How would this mirroring work if I provided sslsplit with an actual physical link and the IP of another physical computer? Are these mirrored packets actually meant to be received and not merely inspected by a tool like wireshark or tcpdump?



So I made a dummy interface (ip link add dummy0 type dummy), gave it an address and provided that address to sslplit's -T.



EDIT: Here's the command:



sudo sslsplit -D -l /dev/stdout -T 192.168.12.2 -I veth1a -c ca.crt -k ca.key tcp 192.168.10.1 9090 ssl 192.168.10.1 9091


Looking through wireshark, in preparation to see the decrypted SSL packets, I see that sslsplit sends ARP requests querying the hardware address of the ip address I gave it. After various attempts, sslsplit ends up dying with the message failed to lookup target ether. I thought, maybe the kernel won't reply because it's the same address it's sending from, so it's too silly to take seriously. So I made another veth link, gave both ends a different address in the same /24 subnet, and provided one of them to sslsplit's -T. It correctly used the other address to ARP query the hardware address of the IP I gave it, but the kernel still wouldn't reply to the ARP request.



I've tried activating all sysctl options relating to ARP, and also rp_filter, basing myself from this answer.



By the way, I know that various programs have support for looking into decrypted SSL in wireshark by use of the SSLKEYLOGFILE environment variable, but the program whose connection I want to intercept has no support for that environment variable.



Here is a picture of wireshark with the ARP requests. When those fail I also see SSDP packets, but I don't know what those are, and they seem little relevant:



wireshark arp requests



EDIT 3: For the record, here's some of the output from ip link, which shows the ethernet address that the kernel should be replying with:



46: veth1b@veth1a: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP mode DEFAULT group default qlen 1000
link/ether 4a:36:55:f8:e1:d2 brd ff:ff:ff:ff:ff:ff









share|improve this question



























    up vote
    1
    down vote

    favorite












    TL;DR: I feel I'm pretty close to doing so by using sslsplit's interface mirroring, but I ran into an issue where the kernel is not replying to ARP requests that sslsplit is sending out on the mirrored interface.



    I want to intercept an SSL/TLS connection of a program I'm running in my machine and see the decrypted contents in wireshark. It seems sslsplit's interface mirroring is what I need so I've been trying to set that up.



    This command properly sets up the interception without mirroring and simply outputting some info to stdout:



    sudo sslsplit -D -l /dev/stdout -c ca.crt -k ca.key tcp 192.168.10.1 9090 ssl 192.168.10.1 9091


    192.168.10.0/24 is a subnet that's on a veth link. I put one end of the veth in a new network namespace and setup the other end as the default route in that namespace. EDIT 2: In other words, I did:



    ip link add veth0a type veth peer veth0b
    ip address add 192.168.10.1/24 dev veth0a
    ip netns add sslsplitns
    ip link set veth0b netns sslsplitns
    ip netns exec sslsplitns ip address add 192.168.10.2/24 dev veth0b
    ip link set veth0a up
    ip netns exec sslsplitns ip link set veth0b up
    ip netns exec sslsplitns ip route add default via 192.168.10.1


    The idea is to run the program whose connection I want to intercept in that network namespace (i.e. ip netns exec sslsplitns $cmd). I found this setup necessary because sslsplit works using the NAT engine, and it seems it can't pickup on packets unless they go through the INPUT chains.



    Anyway, to use network mirroring I apparently select the interface I want to mirror to with -I. However, sslsplit says that -I depends on -T which is:




    -T addr Mirror connection content as emulated packets to destination address addr on the interface given by -I. Only IPv4 target addresses are currently supported. This option is not available if SSLsplit was built without mirroring support.




    EDIT 4: I imagine this means that if I made an HTTPS request to, for example, 1.2.3.4, sslsplit would make an equivalent HTTP request to whatever I provide to this option. Somebody, please correct me if I'm misunderstanding this, because I'm not completely sure how this would work. Would sslsplit really be able to use this provided address as source and destination IP? Would it make sure that no other program would receive these mirrored packets in case they're actually listening? How would this mirroring work if I provided sslsplit with an actual physical link and the IP of another physical computer? Are these mirrored packets actually meant to be received and not merely inspected by a tool like wireshark or tcpdump?



    So I made a dummy interface (ip link add dummy0 type dummy), gave it an address and provided that address to sslplit's -T.



    EDIT: Here's the command:



    sudo sslsplit -D -l /dev/stdout -T 192.168.12.2 -I veth1a -c ca.crt -k ca.key tcp 192.168.10.1 9090 ssl 192.168.10.1 9091


    Looking through wireshark, in preparation to see the decrypted SSL packets, I see that sslsplit sends ARP requests querying the hardware address of the ip address I gave it. After various attempts, sslsplit ends up dying with the message failed to lookup target ether. I thought, maybe the kernel won't reply because it's the same address it's sending from, so it's too silly to take seriously. So I made another veth link, gave both ends a different address in the same /24 subnet, and provided one of them to sslsplit's -T. It correctly used the other address to ARP query the hardware address of the IP I gave it, but the kernel still wouldn't reply to the ARP request.



    I've tried activating all sysctl options relating to ARP, and also rp_filter, basing myself from this answer.



    By the way, I know that various programs have support for looking into decrypted SSL in wireshark by use of the SSLKEYLOGFILE environment variable, but the program whose connection I want to intercept has no support for that environment variable.



    Here is a picture of wireshark with the ARP requests. When those fail I also see SSDP packets, but I don't know what those are, and they seem little relevant:



    wireshark arp requests



    EDIT 3: For the record, here's some of the output from ip link, which shows the ethernet address that the kernel should be replying with:



    46: veth1b@veth1a: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP mode DEFAULT group default qlen 1000
    link/ether 4a:36:55:f8:e1:d2 brd ff:ff:ff:ff:ff:ff









    share|improve this question

























      up vote
      1
      down vote

      favorite









      up vote
      1
      down vote

      favorite











      TL;DR: I feel I'm pretty close to doing so by using sslsplit's interface mirroring, but I ran into an issue where the kernel is not replying to ARP requests that sslsplit is sending out on the mirrored interface.



      I want to intercept an SSL/TLS connection of a program I'm running in my machine and see the decrypted contents in wireshark. It seems sslsplit's interface mirroring is what I need so I've been trying to set that up.



      This command properly sets up the interception without mirroring and simply outputting some info to stdout:



      sudo sslsplit -D -l /dev/stdout -c ca.crt -k ca.key tcp 192.168.10.1 9090 ssl 192.168.10.1 9091


      192.168.10.0/24 is a subnet that's on a veth link. I put one end of the veth in a new network namespace and setup the other end as the default route in that namespace. EDIT 2: In other words, I did:



      ip link add veth0a type veth peer veth0b
      ip address add 192.168.10.1/24 dev veth0a
      ip netns add sslsplitns
      ip link set veth0b netns sslsplitns
      ip netns exec sslsplitns ip address add 192.168.10.2/24 dev veth0b
      ip link set veth0a up
      ip netns exec sslsplitns ip link set veth0b up
      ip netns exec sslsplitns ip route add default via 192.168.10.1


      The idea is to run the program whose connection I want to intercept in that network namespace (i.e. ip netns exec sslsplitns $cmd). I found this setup necessary because sslsplit works using the NAT engine, and it seems it can't pickup on packets unless they go through the INPUT chains.



      Anyway, to use network mirroring I apparently select the interface I want to mirror to with -I. However, sslsplit says that -I depends on -T which is:




      -T addr Mirror connection content as emulated packets to destination address addr on the interface given by -I. Only IPv4 target addresses are currently supported. This option is not available if SSLsplit was built without mirroring support.




      EDIT 4: I imagine this means that if I made an HTTPS request to, for example, 1.2.3.4, sslsplit would make an equivalent HTTP request to whatever I provide to this option. Somebody, please correct me if I'm misunderstanding this, because I'm not completely sure how this would work. Would sslsplit really be able to use this provided address as source and destination IP? Would it make sure that no other program would receive these mirrored packets in case they're actually listening? How would this mirroring work if I provided sslsplit with an actual physical link and the IP of another physical computer? Are these mirrored packets actually meant to be received and not merely inspected by a tool like wireshark or tcpdump?



      So I made a dummy interface (ip link add dummy0 type dummy), gave it an address and provided that address to sslplit's -T.



      EDIT: Here's the command:



      sudo sslsplit -D -l /dev/stdout -T 192.168.12.2 -I veth1a -c ca.crt -k ca.key tcp 192.168.10.1 9090 ssl 192.168.10.1 9091


      Looking through wireshark, in preparation to see the decrypted SSL packets, I see that sslsplit sends ARP requests querying the hardware address of the ip address I gave it. After various attempts, sslsplit ends up dying with the message failed to lookup target ether. I thought, maybe the kernel won't reply because it's the same address it's sending from, so it's too silly to take seriously. So I made another veth link, gave both ends a different address in the same /24 subnet, and provided one of them to sslsplit's -T. It correctly used the other address to ARP query the hardware address of the IP I gave it, but the kernel still wouldn't reply to the ARP request.



      I've tried activating all sysctl options relating to ARP, and also rp_filter, basing myself from this answer.



      By the way, I know that various programs have support for looking into decrypted SSL in wireshark by use of the SSLKEYLOGFILE environment variable, but the program whose connection I want to intercept has no support for that environment variable.



      Here is a picture of wireshark with the ARP requests. When those fail I also see SSDP packets, but I don't know what those are, and they seem little relevant:



      wireshark arp requests



      EDIT 3: For the record, here's some of the output from ip link, which shows the ethernet address that the kernel should be replying with:



      46: veth1b@veth1a: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP mode DEFAULT group default qlen 1000
      link/ether 4a:36:55:f8:e1:d2 brd ff:ff:ff:ff:ff:ff









      share|improve this question















      TL;DR: I feel I'm pretty close to doing so by using sslsplit's interface mirroring, but I ran into an issue where the kernel is not replying to ARP requests that sslsplit is sending out on the mirrored interface.



      I want to intercept an SSL/TLS connection of a program I'm running in my machine and see the decrypted contents in wireshark. It seems sslsplit's interface mirroring is what I need so I've been trying to set that up.



      This command properly sets up the interception without mirroring and simply outputting some info to stdout:



      sudo sslsplit -D -l /dev/stdout -c ca.crt -k ca.key tcp 192.168.10.1 9090 ssl 192.168.10.1 9091


      192.168.10.0/24 is a subnet that's on a veth link. I put one end of the veth in a new network namespace and setup the other end as the default route in that namespace. EDIT 2: In other words, I did:



      ip link add veth0a type veth peer veth0b
      ip address add 192.168.10.1/24 dev veth0a
      ip netns add sslsplitns
      ip link set veth0b netns sslsplitns
      ip netns exec sslsplitns ip address add 192.168.10.2/24 dev veth0b
      ip link set veth0a up
      ip netns exec sslsplitns ip link set veth0b up
      ip netns exec sslsplitns ip route add default via 192.168.10.1


      The idea is to run the program whose connection I want to intercept in that network namespace (i.e. ip netns exec sslsplitns $cmd). I found this setup necessary because sslsplit works using the NAT engine, and it seems it can't pickup on packets unless they go through the INPUT chains.



      Anyway, to use network mirroring I apparently select the interface I want to mirror to with -I. However, sslsplit says that -I depends on -T which is:




      -T addr Mirror connection content as emulated packets to destination address addr on the interface given by -I. Only IPv4 target addresses are currently supported. This option is not available if SSLsplit was built without mirroring support.




      EDIT 4: I imagine this means that if I made an HTTPS request to, for example, 1.2.3.4, sslsplit would make an equivalent HTTP request to whatever I provide to this option. Somebody, please correct me if I'm misunderstanding this, because I'm not completely sure how this would work. Would sslsplit really be able to use this provided address as source and destination IP? Would it make sure that no other program would receive these mirrored packets in case they're actually listening? How would this mirroring work if I provided sslsplit with an actual physical link and the IP of another physical computer? Are these mirrored packets actually meant to be received and not merely inspected by a tool like wireshark or tcpdump?



      So I made a dummy interface (ip link add dummy0 type dummy), gave it an address and provided that address to sslplit's -T.



      EDIT: Here's the command:



      sudo sslsplit -D -l /dev/stdout -T 192.168.12.2 -I veth1a -c ca.crt -k ca.key tcp 192.168.10.1 9090 ssl 192.168.10.1 9091


      Looking through wireshark, in preparation to see the decrypted SSL packets, I see that sslsplit sends ARP requests querying the hardware address of the ip address I gave it. After various attempts, sslsplit ends up dying with the message failed to lookup target ether. I thought, maybe the kernel won't reply because it's the same address it's sending from, so it's too silly to take seriously. So I made another veth link, gave both ends a different address in the same /24 subnet, and provided one of them to sslsplit's -T. It correctly used the other address to ARP query the hardware address of the IP I gave it, but the kernel still wouldn't reply to the ARP request.



      I've tried activating all sysctl options relating to ARP, and also rp_filter, basing myself from this answer.



      By the way, I know that various programs have support for looking into decrypted SSL in wireshark by use of the SSLKEYLOGFILE environment variable, but the program whose connection I want to intercept has no support for that environment variable.



      Here is a picture of wireshark with the ARP requests. When those fail I also see SSDP packets, but I don't know what those are, and they seem little relevant:



      wireshark arp requests



      EDIT 3: For the record, here's some of the output from ip link, which shows the ethernet address that the kernel should be replying with:



      46: veth1b@veth1a: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP mode DEFAULT group default qlen 1000
      link/ether 4a:36:55:f8:e1:d2 brd ff:ff:ff:ff:ff:ff






      ssl iproute arp wireshark






      share|improve this question















      share|improve this question













      share|improve this question




      share|improve this question








      edited Dec 4 at 21:47

























      asked Dec 4 at 2:51









      JoL

      882310




      882310

























          active

          oldest

          votes











          Your Answer








          StackExchange.ready(function()
          var channelOptions =
          tags: "".split(" "),
          id: "106"
          ;
          initTagRenderer("".split(" "), "".split(" "), channelOptions);

          StackExchange.using("externalEditor", function()
          // Have to fire editor after snippets, if snippets enabled
          if (StackExchange.settings.snippets.snippetsEnabled)
          StackExchange.using("snippets", function()
          createEditor();
          );

          else
          createEditor();

          );

          function createEditor()
          StackExchange.prepareEditor(
          heartbeatType: 'answer',
          convertImagesToLinks: false,
          noModals: true,
          showLowRepImageUploadWarning: true,
          reputationToPostImages: null,
          bindNavPrevention: true,
          postfix: "",
          imageUploader:
          brandingHtml: "Powered by u003ca class="icon-imgur-white" href="https://imgur.com/"u003eu003c/au003e",
          contentPolicyHtml: "User contributions licensed under u003ca href="https://creativecommons.org/licenses/by-sa/3.0/"u003ecc by-sa 3.0 with attribution requiredu003c/au003e u003ca href="https://stackoverflow.com/legal/content-policy"u003e(content policy)u003c/au003e",
          allowUrls: true
          ,
          onDemand: true,
          discardSelector: ".discard-answer"
          ,immediatelyShowMarkdownHelp:true
          );



          );













          draft saved

          draft discarded


















          StackExchange.ready(
          function ()
          StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2funix.stackexchange.com%2fquestions%2f485808%2fhow-to-inspect-decrypted-tls-ssl-traffic-in-wireshark-from-program-not-supportin%23new-answer', 'question_page');

          );

          Post as a guest















          Required, but never shown






























          active

          oldest

          votes













          active

          oldest

          votes









          active

          oldest

          votes






          active

          oldest

          votes















          draft saved

          draft discarded
















































          Thanks for contributing an answer to Unix & Linux Stack Exchange!


          • Please be sure to answer the question. Provide details and share your research!

          But avoid


          • Asking for help, clarification, or responding to other answers.

          • Making statements based on opinion; back them up with references or personal experience.

          To learn more, see our tips on writing great answers.





          Some of your past answers have not been well-received, and you're in danger of being blocked from answering.


          Please pay close attention to the following guidance:


          • Please be sure to answer the question. Provide details and share your research!

          But avoid


          • Asking for help, clarification, or responding to other answers.

          • Making statements based on opinion; back them up with references or personal experience.

          To learn more, see our tips on writing great answers.




          draft saved


          draft discarded














          StackExchange.ready(
          function ()
          StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2funix.stackexchange.com%2fquestions%2f485808%2fhow-to-inspect-decrypted-tls-ssl-traffic-in-wireshark-from-program-not-supportin%23new-answer', 'question_page');

          );

          Post as a guest















          Required, but never shown





















































          Required, but never shown














          Required, but never shown












          Required, but never shown







          Required, but never shown

































          Required, but never shown














          Required, but never shown












          Required, but never shown







          Required, but never shown






          Popular posts from this blog

          How to check contact read email or not when send email to Individual?

          Displaying single band from multi-band raster using QGIS

          How many registers does an x86_64 CPU actually have?