

This Wireshark tutorial describes how to decrypt HTTPS traffic from a pcap in Wireshark. When reviewing suspicious network activity, we often run across encrypted traffic. Why? Because most websites use the Hypertext Transfer Protocol Secure (HTTPS) protocol, and, like most websites, various types of malware also use HTTPS. When reviewing pcaps from malware activity, it is very helpful to know what is contained within post-infection traffic.

Decryption is possible with a text-based log containing encryption key data captured when the pcap was originally recorded. The key log is in the NSS key log format, which browsers such as Firefox and Chrome write when the SSLKEYLOGFILE environment variable is set, and which Wireshark reads through the (Pre)-Master-Secret log filename preference of the TLS protocol. With this key log file, we can decrypt HTTPS activity in a pcap and review its contents. Today, we will examine HTTPS activity from a Dridex malware infection.

This tutorial is designed for security professionals who investigate suspicious network activity and review packet captures (pcaps) of the traffic. The instructions assume you are familiar with Wireshark, and they focus on Wireshark version 3.x. Note: Our instructions assume you have customized your Wireshark column display as previously described in "Customizing Wireshark – Changing Your Column Display." Here is a GitHub repository with a ZIP archive containing the pcap and a key log file used for this tutorial.

You can download the F5 Wireshark plugin from devcentral.f5.com here. In the lab the plugin is already downloaded to /home/f5student/Downloads/wireshark/. Depending on your OS and Wireshark version, you will need the correct plugin files from the correct folder.

1. Start Wireshark by double-clicking the shortcut on the desktop.
2. Open Help > About Wireshark, click on the Plugins tab, and check which directory the plugins are installed to.
3. Open that plugin directory in the file explorer.
4. Copy the F5 Wireshark plugin that you downloaded from devcentral.f5.com to the plugins directory you found in the Help > About Wireshark Plugins tab.
5. Check the Plugins tab again and make sure the F5 plugin is installed.
This is only required if you have a version of Wireshark before 3.0; with 3.0 or later, you do not need to download and install the F5 Wireshark plugin.
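Before pointing Wireshark at a key log file, it is worth checking whether the log actually covers the sessions you care about: the tutorial's key log file lists secrets per TLS session, keyed by the 32-byte client random from each ClientHello, and a session whose client random is absent from the log stays encrypted no matter what you configure. The following Python is an added example, not code from the original tutorial or from the linked repository. It parses an NSS-format key log, extracts the client random from a raw ClientHello record (the value Wireshark shows as tls.handshake.random), and reports what the log allows Wireshark to decrypt for each session. The key log text, the client randoms, and the ClientHello bytes are constructed test data, not taken from the Dridex pcap; the line labels are the ones Wireshark accepts in a key log file.

```python
"""Pre-flight check: which TLS sessions in a capture does a key log file cover?

Added example (not the tutorial's code). Sample key log and ClientHello below are
constructed, not captured from the Dridex infection.
"""
import re
from collections import defaultdict

# Line labels Wireshark accepts in an NSS key log file.
TLS12_LABELS = {"CLIENT_RANDOM"}          # secret = 48-byte master secret
TLS13_LABELS = {                          # secret = HKDF-derived traffic secret
    "CLIENT_HANDSHAKE_TRAFFIC_SECRET",
    "SERVER_HANDSHAKE_TRAFFIC_SECRET",
    "CLIENT_TRAFFIC_SECRET_0",
    "SERVER_TRAFFIC_SECRET_0",
    "EXPORTER_SECRET",
}
KNOWN_LABELS = TLS12_LABELS | TLS13_LABELS

# Each line: <LABEL> <32-byte client random, hex> <secret, hex>
LINE_RE = re.compile(
    r"^(?P<label>[A-Z0-9_]+) (?P<random>[0-9a-fA-F]{64}) (?P<secret>[0-9a-fA-F]+)$"
)


def parse_keylog(text):
    """Return ({client_random_hex: {label: secret_hex}}, [(line_no, bad_line)]).

    Blank lines and '#' comments are skipped, as Wireshark does. Malformed lines
    and unknown labels are reported rather than dropped silently, because one
    corrupted line is a common reason a session stays encrypted.
    """
    keys = defaultdict(dict)
    bad = []
    for number, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = LINE_RE.match(line)
        if m is None or m["label"] not in KNOWN_LABELS:
            bad.append((number, line))
            continue
        keys[m["random"].lower()][m["label"]] = m["secret"].lower()
    return dict(keys), bad


def client_random_from_client_hello(record):
    """Return the hex client random from a raw TLS record carrying a ClientHello.

    Layout: 5-byte record header (type 0x16, version, length), 4-byte handshake
    header (type 0x01, 3-byte length), then legacy_version (2 bytes) and the
    32-byte random at offset 11.
    """
    if len(record) < 5 + 4 + 2 + 32 or record[0] != 0x16 or record[5] != 0x01:
        raise ValueError("not a TLS handshake record carrying a ClientHello")
    return record[11:43].hex()


def coverage(keys, client_randoms):
    """Map each client random to what the key log lets Wireshark decrypt.

    'tls12'   CLIENT_RANDOM present: whole session decrypts
    'tls13'   both *_TRAFFIC_SECRET_0 lines present: application data decrypts
    'partial' some TLS 1.3 secrets, but not both application traffic secrets
    'missing' nothing logged for this session
    """
    result = {}
    for rnd in client_randoms:
        labels = keys.get(rnd.lower(), {})
        if "CLIENT_RANDOM" in labels:
            result[rnd] = "tls12"
        elif all(k in labels for k in ("CLIENT_TRAFFIC_SECRET_0", "SERVER_TRAFFIC_SECRET_0")):
            result[rnd] = "tls13"
        elif labels:
            result[rnd] = "partial"
        else:
            result[rnd] = "missing"
    return result


# --- constructed sample data (not from the tutorial's pcap) -------------------
RANDOM_A = bytes(range(32))       # client random of a TLS 1.2 session
RANDOM_B = bytes(range(32, 64))   # client random of a TLS 1.3 session
RANDOM_C = bytes(range(64, 96))   # session with no secrets logged

SAMPLE_KEYLOG = "\n".join([
    "# SSL/TLS secrets log file, generated by NSS",
    f"CLIENT_RANDOM {RANDOM_A.hex()} {'ab' * 48}",
    f"SERVER_HANDSHAKE_TRAFFIC_SECRET {RANDOM_B.hex()} {'cd' * 32}",
    f"CLIENT_HANDSHAKE_TRAFFIC_SECRET {RANDOM_B.hex()} {'ce' * 32}",
    f"CLIENT_TRAFFIC_SECRET_0 {RANDOM_B.hex()} {'ef' * 32}",
    f"SERVER_TRAFFIC_SECRET_0 {RANDOM_B.hex()} {'f0' * 32}",
    "CLIENT_RANDOM deadbeef notvalidhex",   # truncated line, must be reported
])

# Minimal ClientHello for session A: one cipher suite, no extensions.
SAMPLE_CLIENT_HELLO = (
    b"\x16\x03\x01\x00\x2f"        # record: handshake, version 3.1, length 47
    + b"\x01\x00\x00\x2b"          # handshake: ClientHello, length 43
    + b"\x03\x03" + RANDOM_A       # legacy_version 3.3, 32-byte random
    + b"\x00"                      # session_id length 0
    + b"\x00\x02\x13\x01"          # cipher_suites: TLS_AES_128_GCM_SHA256
    + b"\x01\x00"                  # compression_methods: null
    + b"\x00\x00"                  # extensions length 0
)

if __name__ == "__main__":
    keys, bad = parse_keylog(SAMPLE_KEYLOG)
    for number, line in bad:
        print(f"key log line {number} ignored: {line!r}")
    rnd_a = client_random_from_client_hello(SAMPLE_CLIENT_HELLO)
    for rnd, status in coverage(keys, [rnd_a, RANDOM_B.hex(), RANDOM_C.hex()]).items():
        print(f"{rnd[:16]}...  {status}")
```

In practice you would feed the client randoms from the capture (for example, the tls.handshake.random column of the ClientHello packets) to coverage() instead of the constructed ones. Once the log covers the sessions of interest, point Wireshark at it under Edit > Preferences > Protocols > TLS > (Pre)-Master-Secret log filename, or on the command line with tshark -o tls.keylog_file:<path> for Wireshark 3.x.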
