Skip to content
/ TLExport Public

The goal of this project is to help researchers/investigaters to export the decrypted TLS content into a PCAP

License

GPL-3.0 license
6 stars 1 fork Branches Tags Activity
Star
Notifications You must be signed in to change notification settings

fkie-cad/TLExport

BranchesTags

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

28 Commits

test

test

 
 

tlexport

tlexport

 
 

.gitignore

.gitignore

 
 

CONTRIBUTING.md

CONTRIBUTING.md

 
 

LICENSE

LICENSE

 
 

README.md

README.md

 
 

logo.svg

logo.svg

 
 

requirements.txt

requirements.txt

 
 

setup.py

setup.py

 
 

Repository files navigation

TLExport logo

TLExport

version PyPi

TLExport (TLE) is a tool for decrypting TLS-Traffic and exporting the traffic into unencrypted TCP/UDP traffic. The goal is to provide support to network analysis tools, which have no or limited support for TLS decryption.

This project is inspired by Wiresharks built in TLS Decryption, which does not support the extraction of decrypted traffic into pcap files.

Installation

Installation is simply a matter of pip3 install tlexport. This will give you the tlexport command. You can update an existing tlexport installation with pip3 install --upgrade tlexport.

Alternatively just clone the repository and execute the main.py file of the src module.

Usage

TLE requires sslkeylogs to decrypt the traffic. They can be passed in a keylogfile:
tlexport -i in.pcapng -o out.pcapng -s sslkeylog.log

or within the pcap file as a decryption secret block:
$ tlexport -i in.pcapng -o out.pcapng

You can specify the ports on which TLS-Traffic is to be decrypted (default: 443):
$ tlexport -i in.pcapng -o out.pcapng -p 443 -p 8443

and which ports to map the TLS-Traffic to (default 443:8080):
$ tlexport -i in.pcapng -o out.pcapng -p 443 -p 8443 -m $ tlexport -i in.pcapng -o out.pcapng -p 443 -p 8443 -m 443:8081 444:8088

By default (when no m-parameter is provided) the orignal port will be used.

Ensuring, that only packets with correct checksums are decrypted
(Warning: Often the checksums are incorrect on linux due to checksum offload)
$ tlexport -i in.pcapng -o out.pcapng -c

The program also supports old pcap files:
$ tlexport -i in.pcapng -o out.pcapng -l -s sslkeylog.log

Dependencies

A Python Version of 3.10 or above is required 4

Install the python packages:

  • cryptography 1
  • dpkt 2
  • scapy 3

pip install cryptography dpkt scapy

Supported Versions and Algorithms

In the following we list the supported TLS versions as well as the supported algorithms.

Versions:

  • Secure Socket Layer 3.0
  • Transport Layer Security 1.0-1.3

Algorithms:

  • Block Ciphers: AES-CBC, Camellia-CBC, 3DES-CBC, IDEA (Untested / no out of the box support by cryptography #2)
  • AEAD Ciphers: AES-GCM, AES-CCM, AES-CCM-8, CHACHA20-POLY1305
  • Stream Ciphers: RC4
  • Compression: Zlib/Deflate (Untested)

soon(tm)

  • QUIC
  • D-TLS

Support

If you have any suggestions, questions, or bug reports, please create an issue in the Issue Tracker.

About

The goal of this project is to help researchers/investigaters to export the decrypted TLS content into a PCAP

Topics

pcap network-forensics pcapng network-analysis

Resources

Readme

License

GPL-3.0 license
Activity
Custom properties

Stars

6 stars

Watchers

4 watching

Forks

1 fork
Report repository

Releases

No releases published

Packages

No packages published

Contributors 3

Languages