The article is easy to follow and explains the full process as well as the problems they found. The following points were particularly interesting:
Convert the certificate from PKCS#8 to PKCS#1
I understand that the private key must be in PKCS1 because it is the only format understood by tshark.
openssl pkcs8 -in private.key -out rsaprivate.key -nocrypt
This point is particularly confusing… I found the following entry in the Wireshark mailing list that explains this problem.
Tshark output and the HTTP parser
The following command decrypts the stream and parses the output with tshark’s internal HTTP parser.
tshark -o "ssl.desegment_ssl_records: TRUE" \ -o "ssl.desegment_ssl_application_data: TRUE" \ -o "ssl.keys_list:,443,http,rsa_private.key" \ -o "ssl.debug_file:rsa_private.log" -r all.pcap \ -R "(tcp.port eq 443)" -V
This behavior can be changed if we want to read the raw data. This is achieved by modifying the flags in the third parameter, so we have data instead of http