Tags: java, ssl, https, fiddler, pcap4j

Decrypting HTTPS packets using pcap4J


In Java I'm using pcap4J to capture network traffic of another application running on my computer. The code I'm using to do this is the following:

import org.pcap4j.core.*;
import org.pcap4j.packet.Packet;
import org.pcap4j.util.NifSelector;

import java.io.IOException;

import static org.pcap4j.core.BpfProgram.BpfCompileMode.OPTIMIZE;
import static org.pcap4j.core.PcapNetworkInterface.PromiscuousMode.PROMISCUOUS;

public class Pcap4jLoop
{
    public static void main(String[] arguments) throws Exception
    {
        PcapNetworkInterface networkDevice = getNetworkDevice();

        try (PcapHandle handle = networkDevice.openLive(65536, PROMISCUOUS, 50))
        {
            String serverIP = "..."; // Filter for packets with just one server
            String bpfExpression = "dst host " + serverIP + " || src host " + serverIP;
            handle.setFilter(bpfExpression, OPTIMIZE);

            PacketListener listener = packet -> printPacket(packet, handle);

            // loop() blocks on this thread until Integer.MAX_VALUE packets have been
            // captured or breakLoop() is called, so no extra busy-wait is needed after it.
            handle.loop(Integer.MAX_VALUE, listener);
        }
    }

    private static PcapNetworkInterface getNetworkDevice() throws IOException
    {
        NifSelector nifSelector = new NifSelector();
        PcapNetworkInterface nif = nifSelector.selectNetworkInterface();
        if (nif == null)
        {
            System.exit(1);
        }
        return nif;
    }

    private static void printPacket(Packet packet, PcapHandle pcapHandle)
    {
        // getTimestamp() returns the capture time of the most recent packet;
        // getTimestampPrecision() would only report the handle's micro/nano setting.
        StringBuilder sb = new StringBuilder();
        sb.append("A packet captured at ")
                .append(pcapHandle.getTimestamp())
                .append(":");
        System.out.println(sb);
        System.out.println(packet);
    }
}

Unfortunately, the traffic is encrypted and therefore useless to analyze. Another application called Fiddler is however able to decrypt the traffic just fine without any special configuration or private key of the server. Fiddler can display the JSON structures being exchanged which I'm interested in. How can I do the same thing in Java code in order to work with the captured JSON objects? (This question is about the decryption part, not the parsing afterwards)


Solution

  • As per the commenters on this question:

    By definition you cannot decrypt any TLS traffic (so that includes HTTPS) if you do not control either side or are able to have either side give you the negotiated master key and client random used. Just trying to decrypt any random TLS traffic will not be possible. Fiddler does it by being a man-in-the-middle, not by decrypting traffic sent directly between two other computers. While Fiddler does not need special configuration, the client needs a special configuration, i.e. it needs to trust the certificate authority used by Fiddler to dynamically create certificates.
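The "master key and client random" condition above is exactly what a decrypting tool such as Wireshark checks: it reads the client_random from the captured ClientHello and looks for a matching line in an NSS-format key log (the SSLKEYLOGFILE mechanism) that the client itself wrote. The following Python example, added here and not part of the question, the answer, or pcap4j, does that lookup on a constructed ClientHello record and a constructed key log; it is in Python rather than Java only because it illustrates the key-material requirement, not the capture code. The 48-byte master secret, the client randoms and the key log text are all constructed sample values.

```python
"""Locate the key material a TLS decryptor needs for one captured session.

Added example, not from the original page. A capture alone is not enough:
the client_random in the ClientHello must be paired with the secret that the
client logged for that same random (NSS key log format, one line per session).
No matching line means the session stays opaque, which is the answer's point.
"""
import struct
from typing import Dict, Optional, Tuple


def build_client_hello(client_random: bytes) -> bytes:
    """Build a minimal TLS 1.2 ClientHello record (constructed test input)."""
    if len(client_random) != 32:
        raise ValueError("client_random must be 32 bytes")
    body = (
        b"\x03\x03"                # client_version: TLS 1.2
        + client_random            # 32-byte client_random
        + b"\x00"                  # session_id length 0
        + b"\x00\x02\xc0\x2f"      # one cipher suite (TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256)
        + b"\x01\x00"              # compression methods: null only
    )
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body   # type 1 = ClientHello
    return b"\x16\x03\x01" + struct.pack(">H", len(handshake)) + handshake


def extract_client_random(record: bytes) -> Optional[bytes]:
    """Return the 32-byte client_random from a ClientHello record, or None."""
    if len(record) < 5 or record[0] != 0x16:
        return None                                  # not a handshake record
    rec_len = struct.unpack(">H", record[3:5])[0]
    handshake = record[5:5 + rec_len]
    if len(handshake) < 4 or handshake[0] != 0x01:
        return None                                  # not a ClientHello
    hs_len = int.from_bytes(handshake[1:4], "big")
    body = handshake[4:4 + hs_len]
    if len(body) < 2 + 32:
        return None                                  # truncated message
    return body[2:34]                                # skip 2-byte version


def parse_key_log(text: str) -> Dict[Tuple[str, bytes], bytes]:
    """Parse NSS key log lines of the form '<LABEL> <client_random hex> <secret hex>'."""
    secrets: Dict[Tuple[str, bytes], bytes] = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue                                  # blank or comment line
        parts = line.split()
        if len(parts) != 3:
            continue                                  # malformed line, ignore
        label, random_hex, secret_hex = parts
        try:
            secrets[(label, bytes.fromhex(random_hex))] = bytes.fromhex(secret_hex)
        except ValueError:
            continue                                  # bad hex, ignore
    return secrets


def find_session_secret(record: bytes, key_log: str,
                        label: str = "CLIENT_RANDOM") -> Optional[bytes]:
    """Pair a captured ClientHello with the client's logged secret, if any."""
    client_random = extract_client_random(record)
    if client_random is None:
        return None
    return parse_key_log(key_log).get((label, client_random))


# Constructed sample data: two sessions captured, only one logged by the client.
LOGGED_RANDOM = bytes(range(32))
UNLOGGED_RANDOM = bytes(range(32, 64))
MASTER_SECRET = bytes(range(0xA0, 0xD0))             # 48 bytes, constructed
SAMPLE_KEY_LOG = (
    "# SSL/TLS secrets log file, generated by the client (constructed)\n"
    f"CLIENT_RANDOM {LOGGED_RANDOM.hex()} {MASTER_SECRET.hex()}\n"
)
LOGGED_HELLO = build_client_hello(LOGGED_RANDOM)
UNLOGGED_HELLO = build_client_hello(UNLOGGED_RANDOM)

if __name__ == "__main__":
    print("logged session   ->", find_session_secret(LOGGED_HELLO, SAMPLE_KEY_LOG))
    print("unlogged session ->", find_session_secret(UNLOGGED_HELLO, SAMPLE_KEY_LOG))
```

Only the session whose client wrote a key log line resolves to a secret; the second ClientHello, captured just as faithfully, yields nothing. That is the practical shape of the answer: a passive capture in pcap4J can give you the client_random, but the secret has to come from an endpoint you control.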