I'd like to inspect network data from a recorded pcap file. Specifically, WebSocket traffic.
I'm using the Python websockets library as a client, if it matters. Anyway, I'm recording the whole session and setting the environment variable SSLKEYLOGFILE for my Python app.
I am able to see the decrypted data in Wireshark using the (Pre)-Master-Secret log filename.
I know how to use libpcap, but have never had to decrypt TLS/SSL traffic. Basically, what I'd like to do is decrypt packet by packet and process the data (along with the original pcap headers, since I care about packet arrival times). I couldn't find anything online, and reverse-engineering Wireshark's code seems cumbersome.
After the packets are decrypted, I guess I'll write my own WebSocket dissector.
How should I approach it? Is there a solution in python/C/C++ for this problem?
Is there any simple library that does that?
Using Wireshark's code is the way to go if you want to decrypt TLS traffic using PCAP + SSLKEYLOGFILE.
The other option would be to use a TLS proxy, like SSLsplit or PolarProxy, to create a PCAP file with decrypted WebSocket traffic (stripped of TLS). This allows you to read the decrypted packets using libpcap without using Wireshark's source code.
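Whichever route you take to get at the plaintext (Wireshark/tshark with the `-o tls.keylog_file:<path>` preference pointing at your SSLKEYLOGFILE, or a PolarProxy/SSLsplit capture read with libpcap), what comes out is the raw TCP payload of each direction, and you still need the WebSocket dissector the asker mentions. The following is an added example, not code from the question, the answer, or the websockets project: an RFC 6455 frame parser plus a per-direction reassembler that takes `(pcap_timestamp, tcp_payload)` segments, copes with frames split across segments and with fragmented messages, and keeps the capture time so arrival-time analysis still works. It assumes you have already skipped the HTTP Upgrade handshake and that no extension was negotiated; the sample segments are constructed (the masked "Hello" frame is the one from RFC 6455 section 5.7).

```python
# Added example (not from the thread): RFC 6455 frame dissector for the decrypted,
# in-order TCP payload of ONE direction of a WebSocket connection.
import struct
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Opcodes from RFC 6455 section 5.2; anything else is reserved.
OPCODES = {0x0: "continuation", 0x1: "text", 0x2: "binary",
           0x8: "close", 0x9: "ping", 0xA: "pong"}

class WsParseError(ValueError):
    """Frame violates RFC 6455 (a real endpoint would fail the connection)."""

@dataclass
class WsFrame:
    fin: bool
    opcode: int
    masked: bool
    payload: bytes  # already unmasked

def parse_frame(buf, offset: int = 0) -> Tuple[Optional[WsFrame], int]:
    """Parse one frame at buf[offset]; (None, offset) means wait for more bytes."""
    n = len(buf)
    if n - offset < 2:
        return None, offset
    b0, b1 = buf[offset], buf[offset + 1]
    fin, opcode = bool(b0 & 0x80), b0 & 0x0F
    if b0 & 0x70:                                  # RSV1-3 need a negotiated extension
        raise WsParseError("RSV bits set without a negotiated extension")
    if opcode not in OPCODES:
        raise WsParseError(f"reserved opcode {opcode:#x}")
    masked, length = bool(b1 & 0x80), b1 & 0x7F
    pos = offset + 2
    if length == 126:                              # 16-bit extended length
        if n - pos < 2:
            return None, offset
        (length,), pos = struct.unpack_from("!H", buf, pos), pos + 2
        if length < 126:
            raise WsParseError("non-minimal 16-bit length")
    elif length == 127:                            # 64-bit extended length
        if n - pos < 8:
            return None, offset
        (length,), pos = struct.unpack_from("!Q", buf, pos), pos + 8
        if length >> 63 or length < 0x10000:
            raise WsParseError("invalid 64-bit length")
    if opcode & 0x8 and (length > 125 or not fin):
        raise WsParseError("control frame too long or fragmented")
    mask = b""
    if masked:                                     # client->server is always masked
        if n - pos < 4:
            return None, offset
        mask, pos = bytes(buf[pos:pos + 4]), pos + 4
    if n - pos < length:
        return None, offset
    payload = bytes(buf[pos:pos + length])
    if masked:
        payload = bytes(b ^ mask[i & 3] for i, b in enumerate(payload))
    return WsFrame(fin, opcode, masked, payload), pos + length

class WsStream:
    """One direction of a connection: reassembles frames across TCP segments and
    fragments into messages. A message is stamped with the capture time of the
    segment that completed its first frame; control frames (which may legally
    interleave with a fragmented message) are emitted as soon as they arrive."""

    def __init__(self) -> None:
        self.buf = bytearray()
        self.frag: Optional[list] = None           # [start_ts, opcode, bytearray]

    def feed(self, ts: float, segment: bytes) -> List[Tuple[float, str, bytes]]:
        self.buf += segment
        out, off = [], 0
        while True:
            frame, off2 = parse_frame(self.buf, off)
            if frame is None:
                break                              # truncated: wait for next segment
            off = off2
            if frame.opcode & 0x8:
                out.append((ts, OPCODES[frame.opcode], frame.payload))
            elif frame.opcode == 0x0:
                if self.frag is None:
                    raise WsParseError("continuation without a message start")
                self.frag[2] += frame.payload
                if frame.fin:
                    t0, op, data = self.frag
                    self.frag = None
                    out.append((t0, OPCODES[op], bytes(data)))
            elif self.frag is not None:
                raise WsParseError("data frame inside a fragmented message")
            elif frame.fin:
                out.append((ts, OPCODES[frame.opcode], frame.payload))
            else:
                self.frag = [ts, frame.opcode, bytearray(frame.payload)]
        del self.buf[:off]                         # keep only the unparsed tail
        return out

# Constructed sample: the masked "Hello" from RFC 6455 section 5.7 split across
# two TCP segments, then a server ping interleaved in a two-fragment text message.
CLIENT_SEGMENTS = [(1.000, bytes.fromhex("818537fa213d")),      # header + mask only
                   (1.004, bytes.fromhex("7f9f4d5158"))]        # remaining payload
SERVER_SEGMENTS = [(1.010, bytes.fromhex("010348656c" "890548656c6c6f" "80026c6f"))]

def decode(segments):
    """Feed one direction's (timestamp, payload) segments; return all messages."""
    stream, msgs = WsStream(), []
    for ts, data in segments:
        msgs += stream.feed(ts, data)
    return msgs
```

Use one `WsStream` per direction (client to server frames are masked, server to client frames are not; the parser handles both) and start feeding only after the `101 Switching Protocols` response headers end. One caveat for this particular setup: the Python websockets library negotiates the permessage-deflate extension by default, in which case data frames carry RSV1 and deflate-compressed payloads; either disable compression on the client for the capture or extend the parser to inflate them, otherwise it will reject the frames as shown.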