WingNews logo WingNews
top | item 32425513

(no title)

fl_ciq | 3 years ago

Author here.

This is in process, we are using eBPF to read the keys out of memory in process and then write them into a pcapng file that tshark can use.

The handshake is only partially encrypted, the public keys and client random can be traced from the network, but the private keys need to be read from memory.

Some of the keys necessary to decrypt the stream are only found in memory for a limited time after which they are overwritten, if the keys are not retrieved in this time window the connection cannot be decrypted by tshark.

discuss

order

josephcsible|3 years ago

But don't the keys to decrypt the stream have to remain in memory for at least as long as the stream itself is active? Or is the issue that the connection completes too quickly, so that that doesn't give you enough time?

fl_ciq|3 years ago

The application keys definitely do. The handshake keys are modified and at some point become useless to tshark. Not sure if it is a defensive coding thing, or what, but yeah if we don't catch it at the exact right moment they don't work.