pkg install options...

I'm trying to decrypt a pcapng with tshark. I found a link (https://ask.wireshark.org/questions/4766/how-to-decrypt-ssl-traffic-with-tshark-16) that describes being able to set the private key information with something like -o ssl.keys_list but I keep getting
Code:
tshark: -o flag "ssl.keys_list:192.168.1.101,443,http,/root/g.key" specifies unknown preference.
When I run tshark -G I don't see anything about SSL keys so I'm assuming it was built without SSL support. When I do pkg search -f tshark I see an "Options" section with GNUTLS listed as "off." I'm wondering if I need to turn that on before installing and if so, how? I have a feeling it has to do with pkg.conf but I can't figure it out. :(

Please help...

Guess I should mention 'freebsd-version' says "10.0-RELEASE-p9".
 
That did the trick. If anyone falls on this one day here's how you successfully install tshark with GNUTLS enabled to decrypt an HTTPS session.

I'm not sure how much of this is unnecessary or redundant but it's what worked for me.

Code:
root@fbsd:~ # pkg delete tshark
root@fbsd:~ # pkg install gnutls
root@fbsd:~ # cd /usr/ports/
root@fbsd:/usr/ports # portsnap fetch
root@fbsd:/usr/ports # portsnap extract
root@fbsd:/usr/ports # portsnap fetch
root@fbsd:/usr/ports # portsnap update
root@fbsd:/usr/ports # cd /usr/ports/net/tshark
root@fbsd:/usr/ports/net/tshark # make config install

This will prompt you with the options, be sure to check GNUTLS. When it's done you can check the version output for "with GnuTLS":

Code:
root@fbsd:~ # tshark -v
TShark 1.12.0 (Git Rev Unknown from unknown)

Copyright 1998-2014 Gerald Combs <gerald@wireshark.org> and contributors.
This is free software; see the source for copying conditions. There is NO
warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.

Compiled (64-bit) with GLib 2.36.3, with libpcap, with libz 1.2.8, without POSIX
capabilities, with SMI 0.4.8, without c-ares, with ADNS, without Lua, without
Python, with GnuTLS 3.2.16, with Gcrypt 1.6.1, with Heimdal Kerberos, with
GeoIP.

Running on FreeBSD 10.0-RELEASE-p9, without locale, with libpcap version 1.4.0,
with libz 1.2.8.
      Intel(R) Xeon(R) CPU E5-2630 v2 @ 2.60GHz

Built using clang 4.2.1 Compatible FreeBSD Clang 3.3 (tags/RELEASE_33/final
183502).

Now you can follow the article here: http://wiki.wireshark.org/SSL.

Long story short, capture some SSL data and do:

Code:
tshark -o "ssl.desegment_ssl_records: TRUE" -o "ssl.desegment_ssl_application_data: TRUE" -o "ssl.keys_list: 127.0.0.1,4443,http,/home/dirkx/xx/privkey.pem" -o "ssl.debug_file: /home/dirkx/.wireshark-log" -i eth0 -R "tcp.port == 4443"
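An added example, not from the post above or the Wireshark wiki: a small POSIX sh wrapper that checks a tshark build for GnuTLS support before trying to decrypt, assembles the `ssl.keys_list` value, and then runs the decryption against a saved capture with `-r` and the single-pass `-Y` display filter (which tshark 1.10 and later prefer over `-R` for live or single-pass runs). The version-output sample and the PEM header embedded in it are constructed for the test; the function names `has_gnutls`, `ssl_keys_pref`, `key_file_ok` and `decrypt_pcap` are mine. Preference names follow the 1.x `ssl.*` spelling used on this page.

```shell
#!/bin/sh
# Added example (not from the forum post): check a tshark build for TLS
# decryption support and assemble the ssl.keys_list preference.
# Assumptions: tshark 1.x preference names (ssl.*), a session negotiated
# with RSA key exchange, and an unencrypted PEM private key readable by
# the user running tshark.

# Return 0 when the text of "tshark -v" ($1) advertises GnuTLS.
# A port built with the GNUTLS option off prints "without GnuTLS".
has_gnutls() {
    case "$1" in
        *"without GnuTLS"*) return 1 ;;
        *"with GnuTLS"*)    return 0 ;;
        *)                  return 1 ;;
    esac
}

# Build the preference value: ssl.keys_list: ip,port,protocol,keyfile
# $1 server ip, $2 server port, $3 application protocol, $4 PEM key path
ssl_keys_pref() {
    printf 'ssl.keys_list: %s,%s,%s,%s' "$1" "$2" "$3" "$4"
}

# Return 0 when $1 is a readable, unencrypted PEM private key.
# The ssl dissector needs the server's RSA key; a key wrapped with a
# passphrase (Proc-Type: 4,ENCRYPTED / BEGIN ENCRYPTED PRIVATE KEY)
# must be decrypted to plain PEM first.
key_file_ok() {
    [ -r "$1" ] &&
        grep -qE -- '-----BEGIN (RSA )?PRIVATE KEY-----' "$1" &&
        ! grep -q 'ENCRYPTED' "$1"
}

# Decrypt HTTP over TLS from a saved capture.
# $1 pcap/pcapng file, $2 server ip, $3 server port, $4 PEM key path
decrypt_pcap() {
    v=$(tshark -v 2>/dev/null) ||
        { echo "tshark not found in PATH" >&2; return 2; }
    has_gnutls "$v" ||
        { echo "tshark built without GnuTLS; rebuild net/tshark with GNUTLS on" >&2; return 3; }
    key_file_ok "$4" ||
        { echo "$4 is not a readable, unencrypted PEM private key" >&2; return 4; }
    tshark -r "$1" \
        -o "ssl.desegment_ssl_records: TRUE" \
        -o "ssl.desegment_ssl_application_data: TRUE" \
        -o "$(ssl_keys_pref "$2" "$3" http "$4")" \
        -Y "tcp.port == $3 && http"
}

# Usage (after sourcing this file):
#   decrypt_pcap capture.pcapng 192.168.1.101 443 /root/g.key
```

Two caveats worth keeping in mind. First, `tshark -G currentprefs | grep ssl.keys_list` is a quicker way than `-o` trial and error to see whether the preference exists in a given build. Second, the server's private key only recovers sessions whose cipher suite used RSA key exchange; a DHE or ECDHE handshake cannot be decrypted this way no matter how tshark was built, and needs the session's pre-master secret instead.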